google-cloud-platform - 在没有任何组织级别权限的情况下获取 GCP 中给定项目的资产/资源列表

问题描述

我一直在探索的一个选项如下。

在阅读文档https://cloud.google.com/security-command-center/docs/how-to-api-list-assets#listing_all_assets时，发现我们可以使用 Security Command Center API 获取所有资产的列表。

以下是文档中提供的代码。

static ImmutableList<ListAssetsResult> listAssets(OrganizationName organizationName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Start setting up a request for to search for all assets in an organization.
    // OrganizationName organizationName = OrganizationName.of(/*organizationId=*/"123234324");
    ListAssetsRequest.Builder request =
        ListAssetsRequest.newBuilder().setParent(organizationName.toString());

    // Call the API.
    ListAssetsPagedResponse response = client.listAssets(request.build());

    // This creates one list for all assets.  If your organization has a large number of assets
    // this can cause out of memory issues.  You can process them incrementally by returning
    // the Iterable returned response.iterateAll() directly.
    ImmutableList<ListAssetsResult> results = ImmutableList.copyOf(response.iterateAll());
    System.out.println("All assets:");
    System.out.println(results);
    return results;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

在安全命令中心运行命令会返回错误“PERMISSION_DENIED: Permission 'securitycenter.assets.list' denied on resource 'organizations/{organization-id}' (or resource may not exist)”作为响应。

根据以下文档https://cloud.google.com/security-command-center/docs/access-control，需要在 ORGANIZATION LEVEL 设置权限“securitycenter.assets.list”，这是有问题的。

我正在寻找一个选项来绕过上述问题，我不需要组织级别的权限或任何其他可以帮助我完成此任务的 API。

标签： google-cloud-platformgoogle-iamgoogle-cloud-iam