GCP IAM 指南

IAM 角色

| 角色类型 | 说明 | 示例 |
| --- | --- | --- |
| 基本角色 | 粗粒度遗留角色 | roles/viewer, roles/editor |
| 预定义角色 | Google 为特定服务精心设计 | roles/storage.objectAdmin |
| 自定义角色 | 用户定义特定权限 | projects/my-proj/roles/myRole |
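# Create a custom role carrying only the permissions listed (least privilege:
# prefer a narrow custom role over a broad basic role such as roles/editor).
# --stage=GA marks the role as generally available; ALPHA/BETA are for roles
# still being iterated on.
gcloud iam roles create myCustomRole \
  --project=my-project \
  --title="My Custom Role" \
  --permissions=storage.objects.get,storage.objects.list \
  --stage=GA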

策略绑定

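# Add a binding (non-destructive: this appends to the existing policy instead
# of replacing it, which set-iam-policy would do).
# For temporary access, pass --condition=... to make the binding expire instead
# of relying on someone remembering to remove it.
gcloud projects add-iam-policy-binding my-project \
  --member="user:alice@example.com" \
  --role="roles/storage.objectViewer"

# Fetch the complete IAM policy (review it periodically for stale members and
# over-broad roles).
gcloud projects get-iam-policy my-project --format=json

# Remove a binding
gcloud projects remove-iam-policy-binding my-project \
  --member="user:alice@example.com" \
  --role="roles/storage.objectViewer"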

服务账号

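# Create a service account
gcloud iam service-accounts create deploy-sa \
  --display-name="Deployment SA"

# Grant project-level permissions to the service account (keep the role as
# narrow as the deployment actually needs).
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:deploy-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/run.developer"

# Allow a user to impersonate the service account.
# roles/iam.serviceAccountTokenCreator lets the holder mint tokens as the SA,
# so they effectively gain every permission the SA has; treat it as a
# sensitive grant. It is bound on the individual service account here (not on
# the project), which is the correct scope -- a project-level grant would
# allow impersonating every SA in the project.
gcloud iam service-accounts add-iam-policy-binding \
  deploy-sa@my-project.iam.gserviceaccount.com \
  --member="user:alice@example.com" \
  --role="roles/iam.serviceAccountTokenCreator"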

工作负载身份联合

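# Create a workload identity pool
gcloud iam workload-identity-pools create github-pool \
  --project=my-project \
  --location=global \
  --display-name="GitHub Actions Pool"

# Create an OIDC provider (GitHub Actions).
# - attribute.repository is mapped so that a service-account binding can be
#   scoped to one repository (principalSet://.../attribute.repository/OWNER/REPO)
#   rather than to every identity the provider accepts.
# - --attribute-condition limits which tokens the provider accepts at all.
#   Without it, a token from ANY repository on github.com passes the provider,
#   and only the downstream bindings stand between that token and your SAs.
#   Replace YOUR_GITHUB_ORG (placeholder) with the owning organisation.
gcloud iam workload-identity-pools providers create-oidc github-provider \
  --project=my-project \
  --location=global \
  --workload-identity-pool=github-pool \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
  --attribute-condition="assertion.repository_owner == 'YOUR_GITHUB_ORG'"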

审计日志

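# Query Admin Activity audit logs (the %2Factivity stream). These are always
# on. Data Access audit logs (%2Fdata_access) are disabled by default for most
# services and must be enabled in the project's audit config before reads of
# user data show up here.
gcloud logging read \
  'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"' \
  --limit=50 --format=json

# Export logs to BigQuery.
# The command prints the sink's writer identity (a Google-managed service
# account). Logs do not flow until that identity is granted write access on
# the target dataset. Exporting to a separate project limits what a
# compromised principal in my-project can tamper with.
gcloud logging sinks create my-bq-sink \
  bigquery.googleapis.com/projects/my-project/datasets/audit_logs \
  --log-filter='logName:"cloudaudit.googleapis.com"'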