In the Principal column, find all rows that identify you or a group that
you're included in. To learn which groups you're included in, contact your
administrator.
For all rows that specify or include you, check the Role column to see whether
the list of roles includes the required roles.
At the bottom of the Google Cloud console, a
Cloud Shell
session starts and displays a command-line prompt. Cloud Shell is a shell environment
with the Google Cloud CLI
already installed and with values already set for
your current project. It can take a few seconds for the session to initialize.
如需设置 gcloud CLI 以使用服务账号模拟(而不是您的用户凭据)向 Google API 进行身份验证,请运行以下命令:
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nThis document describes how to validate your [infrastructure as code\n(IaC)](https://en.wikipedia.org/wiki/Infrastructure_as_code) against the\n[organization policies](/resource-manager/docs/organization-policy/overview#organization_policy)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics#sha-detection-modules)\nthat you have defined in your Google Cloud organization. IaC lets you create and\nmanage your cloud resources using languages such as Terraform so that you can\ndeploy the resources using a development workflow. The IaC validation feature\nsupports organization policies and Security Health Analytics detectors only.\n\nValidating your IaC lets you determine whether your new or modified resource\ndefinitions violate the existing policies that are applied to your\nGoogle Cloud resources (for example, cluster, bucket, or instance). You can\ndefine these policies using [security\npostures](/security-command-center/docs/security-posture-overview), but the IaC validation\nfeature analyzes the code and compares the code against any effective policies\ndefined in postures that are deployed on your Google Cloud organization.\nIaC validation helps your developers identify and fix any security issues in the\nIaC configuration of assets or resources before they are applied to your\nGoogle Cloud environment.\n\nThe IaC validation feature supports Terraform plan files. You can validate your\nTerraform plan using Google Cloud CLI, or you can integrate the validation\nprocess into your Cloud Build, Jenkins, or GitHub Actions developer\nworkflow.\n\nBefore you begin\n\nComplete these tasks to get started with IaC validation.\n\nActivate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\nSet up permissions\n\n1. Make sure that you have the following role or roles on the organization: Security Posture Shift-Left Validator\n\nCheck for the roles\n\n1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n2. Select the organization.\n3.\n In the **Principal** column, find all rows that identify you or a group that\n you're included in. To learn which groups you're included in, contact your\n administrator.\n\n4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.\n\nGrant the roles\n\n1.\n In the Google Cloud console, go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)\n2. Select the organization.\n3. Click person_add **Grant access**.\n4.\n In the **New principals** field, enter your user identifier.\n\n This is typically the email address for a Google Account.\n\n5. In the **Select a role** list, select a role.\n6. To grant additional roles, click add **Add\n another role** and add each additional role.\n7. Click **Save**.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level\nactivations](/security-command-center/docs/access-control-org).\n\nSet up Google Cloud CLI\n\nIn the Google Cloud console, activate Cloud Shell.\n\n[Activate Cloud Shell](https://console.cloud.google.com/?cloudshell=true)\n\n\nAt the bottom of the Google Cloud console, a\n[Cloud Shell](/shell/docs/how-cloud-shell-works)\nsession starts and displays a command-line prompt. Cloud Shell is a shell environment\nwith the Google Cloud CLI\nalready installed and with values already set for\nyour current project. It can take a few seconds for the session to initialize.\n\n\nTo set up the gcloud CLI to use service account impersonation to authenticate to\nGoogle APIs, rather than your user credentials, run the following command: \n\n```bash\ngcloud config set auth/impersonate_service_account SERVICE_ACCT_EMAIL\n```\n\n\nFor more information, see [Service account impersonation](/security-command-center/docs/reference/authentication#sa-impersonation).\n\nDefine your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\nCreate your Terraform code\n\nUse your developer workflows and tools to create a Terraform file that includes\nthe Google Cloud assets that you want to create or modify.\n\nConsider the following:\n\n- Populate the parent attribute (the project, folder, or organization) of every resource or asset in the Terraform configuration.\n- Modify assets and policies separately. The API doesn't support validation of Terraform plan files which modify both assets and policies at the same time.\n- Use supported asset types and policies only. For a list of supported asset types and policies, see [Supported asset types and policies for IaC validation](/security-command-center/docs/supported-iac-assets-policies).\n- Review the [limitations for IaC validation](/security-command-center/quotas#infrastructure_as_code_validation_limitations).\n- Don't include sensitive information such as passwords or other personally identifiable information in your Terraform plan file. If the validation feature encounters fields marked as sensitive in the resource changes, the fields are removed.\n\nAfter you create your Terraform code, you can run the IaC validation report. You\ncan use the gcloud CLI,\n[Cloud Build](/security-command-center/docs/iac-validation-cloud-build),\n[Jenkins](/security-command-center/docs/iac-validation-jenkins), or\n[GitHub Actions](/security-command-center/docs/iac-validation-github-actions).\n\nUse Google Cloud CLI to create an IaC validation report\n\nTo create an IaC validation report, complete the following:\n\n1. In gcloud CLI, run `terraform init`.\n\n Verify that you're running Terraform provider version v5.5 or later. If\n required, upgrade to the latest Google provider version: \n\n terraform init -upgrade\n\n2. Convert the Terraform plan file to JSON format:\n\n ```\n terraform plan -out TF_PLAN_FILENAME\n terraform show -json TF_PLAN_FILENAME \u003e TF_PLAN_JSON_FILENAME.json\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eTF_PLAN_FILENAME\u003c/var\u003e: The name for the Terraform plan file.\n - \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILENAME\u003c/var\u003e: The name of the file that will contain the Terraform plan in JSON format.\n3. Create the IaC validation report:\n\n ```\n gcloud scc iac-validation-reports create PARENT \\\n --tf-plan-file=TF_PLAN_JSON_FILENAME.json\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePARENT\u003c/var\u003e: The Google Cloud organization in which to create the IaC Validation report. The format is `organizations/`\u003cvar translate=\"no\"\u003eORGANIZATION_ID\u003c/var\u003e`/locations/`\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e. \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e is `global`.\n - \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILENAME\u003c/var\u003e: The path to the JSON file that contains the IaC plan that you want to validate.\n\n For example, to create an IaC validation report under the\n `organizations/3589215982/locations/global` organization with an IaC plan\n included in `planFile.json`, run the following command: \n\n ```\n gcloud scc iac-validation-reports create organizations/3589215982/locations/global --tf-plan-file=planFile.json\n ```\n\n This command returns the operation details for creating the IAC validation\n report. To get information about the operation, see\n [View information about a posture deployment operation](/security-command-center/docs/how-to-use-security-posture#view-operation).\n\nWhat's next\n\n- [Review the sample tutorial](/security-command-center/docs/iac-validation-tutorial).\n- Integrate IaC validation with your [Cloud Build workflow](/security-command-center/docs/iac-validation-cloud-build).\n- Integrate IaC validation with your [GitHub Actions](/security-command-center/docs/iac-validation-github-actions) or your [Jenkins project](/security-command-center/docs/iac-validation-jenkins).\n- [Manage your security posture](/security-command-center/docs/how-to-use-security-posture)."]]
