Set IAM policies
Demonstrates how to set IAM policies on a source
Code sample

To authenticate to Security Command Center, set up Application Default Credentials. For more information, see [Set up authentication for a local development environment](/docs/authentication/set-up-adc-local-dev-environment). This applies to every language below.

Go

```go
import (
	"context"
	"fmt"
	"io"

	iam "cloud.google.com/go/iam/apiv1/iampb"
	securitycenter "cloud.google.com/go/securitycenter/apiv1"
)

// setSourceIamPolicy grants user the roles/securitycenter.findingsEditor permission
// for a source. sourceName is the full resource name of the source to be
// updated. user is an email address that IAM can grant permissions to.
func setSourceIamPolicy(w io.Writer, sourceName string, user string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// user := "someuser@some_domain.com"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	// Retrieve the existing policy so we can update only a specific
	// field.
	existing, err := client.GetIamPolicy(ctx, &iam.GetIamPolicyRequest{
		Resource: sourceName,
	})
	if err != nil {
		return fmt.Errorf("GetIamPolicy(%s): %w", sourceName, err)
	}

	req := &iam.SetIamPolicyRequest{
		Resource: sourceName,
		Policy: &iam.Policy{
			// The etag makes the write fail if the policy changed since it was read.
			Etag: existing.Etag,
			// SetIamPolicy replaces the whole policy, so keep the existing
			// bindings and add the new binding for the user.
			Bindings: append(existing.Bindings, &iam.Binding{
				Role:    "roles/securitycenter.findingsEditor",
				Members: []string{fmt.Sprintf("user:%s", user)},
			}),
		},
	}
	policy, err := client.SetIamPolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("SetIamPolicy(%s, %v): %w", sourceName, req.Policy, err)
	}

	fmt.Fprint(w, "Bindings:\n")
	for _, binding := range policy.Bindings {
		for _, member := range binding.Members {
			fmt.Fprintf(w, "Principal: %s Role: %s\n", member, binding.Role)
		}
	}
	return nil
}
```

Java

```java
import com.google.cloud.securitycenter.v1.SecurityCenterClient;
import com.google.cloud.securitycenter.v1.SourceName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

static Policy setIamPolicySource(SourceName sourceName, String userEmail) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // userEmail = "someuser@domain.com"
    // Set up an IAM policy for the user userEmail to use the role findingsEditor.
    // The user must be a valid Google account.
    Policy oldPolicy = client.getIamPolicy(sourceName.toString());
    Binding bindings =
        Binding.newBuilder()
            .setRole("roles/securitycenter.findingsEditor")
            .addMembers("user:" + userEmail)
            .build();
    // Keep the existing bindings: setIamPolicy replaces the whole policy.
    Policy policy = oldPolicy.toBuilder().addBindings(bindings).build();

    // Start setting up a request to set IAM policy for a source.
    // SourceName sourceName = SourceName.of("123234324", "423432321");
    SetIamPolicyRequest.Builder request =
        SetIamPolicyRequest.newBuilder().setPolicy(policy).setResource(sourceName.toString());

    // Call the API.
    Policy response = client.setIamPolicy(request.build());

    System.out.println("Policy: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}
```

Node.js

```javascript
// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function setSourceIamPolicy() {
  // sourceName is the full resource name of the source to be updated.
  // user is an email address that IAM can grant permissions to.
  /*
   * TODO(developer): Uncomment the following lines
   */
  // const sourceName = "organizations/111122222444/sources/1234";
  // const user = "someuser@domain.com";
  const [existingPolicy] = await client.getIamPolicy({
    resource: sourceName,
  });

  const [updatedPolicy] = await client.setIamPolicy({
    resource: sourceName,
    policy: {
      // The etag makes the write fail if the policy changed since it was read.
      etag: existingPolicy.etag,
      // setIamPolicy replaces the whole policy, so keep the existing
      // bindings and add the new binding for the user.
      bindings: [
        ...(existingPolicy.bindings || []),
        {
          role: 'roles/securitycenter.findingsEditor',
          members: [`user:${user}`],
        },
      ],
    },
  });
  console.log('Updated policy: %j', updatedPolicy);
}
setSourceIamPolicy();
```

Python

```python
from google.cloud import securitycenter_v1
from google.iam.v1 import policy_pb2

client = securitycenter_v1.SecurityCenterClient()

# 'source_name' is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
# Get the old policy so we can do an incremental update.
old_policy = client.get_iam_policy(request={"resource": source_name})
print(f"Old Policy: {old_policy}")

# Set up a new IAM binding.
binding = policy_pb2.Binding()
binding.role = "roles/securitycenter.findingsEditor"
# user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
# user_email = "user@somedomain.com"
binding.members.append(f"user:{user_email}")

# set_iam_policy replaces the whole policy, so carry over the existing
# bindings; the etag makes the write fail if the policy changed since it was read.
updated = client.set_iam_policy(
    request={
        "resource": source_name,
        "policy": {
            "etag": old_policy.etag,
            "bindings": list(old_policy.bindings) + [binding],
        },
    }
)

print(f"Updated Policy: {updated}")
```

What's next

To search and filter code samples for other Google Cloud products, see the [Google Cloud sample browser](/docs/samples?product=securitycenter).
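Every sample above reads the policy, adds a binding and writes the whole policy back. The following added example (not code from this page or from the client libraries) isolates that merge step as a pure function over the REST/JSON policy shape and adds a diff that reports what a write would grant or revoke, so the new policy can be reviewed before it is sent; the policy contents, etag and e-mail addresses are constructed.

```python
import copy

# Constructed sample: a source policy as getIamPolicy returns it in the
# REST/JSON shape (an etag plus a list of role -> members bindings).
EXISTING_POLICY = {
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/securitycenter.findingsViewer",
         "members": ["group:sec-readers@example.com"]},
    ],
}


def add_binding_member(policy, role, member):
    """Return a copy of policy in which member is granted role.

    setIamPolicy replaces the whole policy, so every existing binding is
    kept; an existing binding for the role is reused and a member is never
    duplicated. The etag is carried over so the write fails if the policy
    changed since it was read.
    """
    updated = copy.deepcopy(policy)
    updated.setdefault("bindings", [])
    for binding in updated["bindings"]:
        if binding["role"] == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def binding_diff(before, after):
    """Return (granted, revoked): sets of (member, role) pairs that a write
    of `after` would add to or remove from `before`."""
    def pairs(policy):
        return {(m, b["role"])
                for b in policy.get("bindings", []) for m in b.get("members", [])}
    old, new = pairs(before), pairs(after)
    return new - old, old - new


if __name__ == "__main__":
    new_policy = add_binding_member(
        EXISTING_POLICY, "roles/securitycenter.findingsEditor",
        "user:someuser@domain.com")
    granted, revoked = binding_diff(EXISTING_POLICY, new_policy)
    print("granted:", granted, "revoked:", revoked)
```

A non-empty `revoked` set before a write is the signal that the read-modify-write dropped bindings, which is exactly what sending only the new binding would do.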