import (
"context"
"fmt"
"io"
securitycenter "cloud.google.com/go/securitycenter/apiv1"
iam "google.golang.org/genproto/googleapis/iam/v1"
)
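// testIam demonstrates how to determine whether the caller's service account
// holds the IAM permissions needed to create/update findings on a source and
// to change finding state; it writes one result line per permission to w.
//
// sourceName is the full resource name of the source to test for permissions,
// e.g. "organizations/111122222444/sources/1234".
//
// A returned error means the permission check itself failed (client setup or
// the TestIamPermissions call); a missing permission is reported as "false",
// not as an error.
func testIam(w io.Writer, sourceName string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	// Each entry pairs the label printed to w with the single IAM permission
	// it probes, so both checks share one request/response path.
	checks := []struct {
		label      string
		permission string
	}{
		{"create/update findings", "securitycenter.findings.update"},
		{"update state", "securitycenter.findings.setState"},
	}
	for _, c := range checks {
		granted, err := hasPermission(ctx, client, sourceName, c.permission)
		if err != nil {
			return fmt.Errorf("testing IAM permission %q on %q: %w", c.permission, sourceName, err)
		}
		if _, err := fmt.Fprintf(w, "Permission to %s? %t\n", c.label, granted); err != nil {
			return err
		}
	}
	return nil
}

// hasPermission reports whether the caller holds permission on resource.
//
// It asks TestIamPermissions for exactly that one permission and requires it
// to be echoed back in the response, rather than treating any non-empty
// response as a grant; the error is returned unwrapped so the caller can
// add the resource/permission context once.
func hasPermission(ctx context.Context, client *securitycenter.Client, resource, permission string) (bool, error) {
	req := &iam.TestIamPermissionsRequest{
		Resource:    resource,
		Permissions: []string{permission},
	}
	resp, err := client.TestIamPermissions(ctx, req)
	if err != nil {
		return false, err
	}
	for _, p := range resp.Permissions {
		if p == permission {
			return true, nil
		}
	}
	return false, nil
}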
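from google.cloud import securitycenter

# Create a client.
client = securitycenter.SecurityCenterClient()

# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
# NOTE: source_name is not defined in this snippet; the surrounding code
# must set it before this point.

# Check for permissions to call create_finding or update_finding.
# Ask for exactly one permission and require it to be echoed back; a
# non-empty response is only a valid signal because one permission was
# requested, so test membership rather than length.
permission_response = client.test_iam_permissions(
    request={
        "resource": source_name,
        "permissions": ["securitycenter.findings.update"],
    }
)
print(
    "Permission to create or update findings? {}".format(
        "securitycenter.findings.update" in permission_response.permissions
    )
)

# Check for permissions necessary to call set_finding_state.
permission_response = client.test_iam_permissions(
    request={
        "resource": source_name,
        "permissions": ["securitycenter.findings.setState"],
    }
)
print(
    "Permission to update state? {}".format(
        "securitycenter.findings.setState" in permission_response.permissions
    )
)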