今天繼續來做權限管理，試著用 Audit Logs 擷取需要的權限來建立客製化的 IAM 角色。

使用 Audit Logs 擷取權限紀錄

問了 Gemini 發現可以用 Audit Logs 來記錄用到的權限，所以設定了以下：

然後就可以從 Logs Explorer 下 Filter 來過濾：

protoPayload.authenticationInfo.principalEmail="xxxxx@xxxxxx.iam.gserviceaccount.com"

這時候觸發 Cloud Build 進行部屬和進行 API 測試，就會將需要的權限記錄進 Logs Explorer 。我將記錄到的 Log 存成文字檔然後用指令來擷取權限清單：

$ cat log.txt | awk 'match($0, /method:[^,]*,/) {print substr($0, RSTART, RLENGTH) }' | sort | uniq
method: "Docker-FinishUpload",
method: "Docker-GetManifest",
method: "Docker-HeadBlob",
method: "Docker-PutManifest",
method: "Docker-StartUpload",
method: "google.cloud.aiplatform.v1.ReasoningEngineExecutionService.QueryReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineExecutionService.StreamQueryReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineService.GetReasoningEngine",
method: "google.cloud.run.v1.Services.GetService",
method: "google.cloud.run.v1.Services.ReplaceService",
method: "google.longrunning.Operations.WaitOperation",
method: "iam.serviceAccounts.actAs",

建立自訂角色 YAML

請 Gemini 幫我依照這些權限來建立角色，產生了一個 YAML：

title: "Cloud Run and Reasoning Engine Deployer"
description: "Custom role for deploying Cloud Run services and interacting with Reasoning Engines, including Artifact Registry access."
stage: "GA"
permissions:
- artifactregistry.repositories.uploadArtifacts
- artifactregistry.repositories.downloadArtifacts
- aiplatform.reasoningEngines.query
- aiplatform.reasoningEngines.streamQuery
- aiplatform.reasoningEngines.get
- run.services.get
- run.services.update
- longrunning.operations.wait
- iam.serviceAccounts.actAs

然後用 gcloud iam roles create 就可以建立：

gcloud iam roles create CloudRunAndReasoningEngineDeployer --project=... \
    --file=custom-deployer-role.yaml

但是一開始產生的設定檔是錯的，把錯誤訊息給 Gemini 看後就會修改成以下：

title: "Cloud Run and Reasoning Engine Deployer"
description: "Custom role for deploying Cloud Run services and interacting with Reasoning Engines, including Artifact Registry access."
stage: "GA"
includedPermissions:
  - artifactregistry.repositories.uploadArtifacts
  - artifactregistry.repositories.downloadArtifacts
  - aiplatform.reasoningEngines.query
  - aiplatform.reasoningEngines.get
  - run.services.get
  - run.services.update
  - iam.serviceAccounts.actAs

也就是把 permissions 改成 includedPermissions ，和把 aiplatform.reasoningEngines.query 與 longrunning.operations.wait 砍掉。

最後只要到 IAM 頁面指定角色給 Service Account 就可以了。改完的當下 Security 燈泡還是沒有熄滅，可能需要些時間，明天再看看，接下來把 Agent Engine 也做一次。

擷取 Agent Engine 權限

這次 Audit Log 多加一個 Google Cloud Storage ，因為 Agent 會被包到 Bucket 內：

錄下來少很多權限：

method: "google.cloud.aiplatform.v1.ReasoningEngineService.GetReasoningEngine",
method: "google.cloud.aiplatform.v1.ReasoningEngineService.UpdateReasoningEngine",
method: "storage.buckets.get",
method: "storage.objects.create",
method: "storage.objects.get",

一樣請 Gemini 幫我建立角色設定檔：

title: "Reasoning Engine and Storage Accessor"
description: "Custom role for getting/updating Reasoning Engines and managing Storage objects."
stage: "GA"
includedPermissions:
- aiplatform.reasoningEngines.get
- aiplatform.reasoningEngines.update
- storage.buckets.get
- storage.objects.create
- storage.objects.get

下指令建立角色：

gcloud iam roles create ReasoningEngineStorageAccessor --project=... \
    --file=reasoning-engine-storage-role.yaml

最後建立 Service Account 然後指定角色就可以了。

關於 iam.serviceAccounts.actAs 權限的安全性

不過 iam.serviceAccounts.actAs 這個權限看起來很可疑，查了一下這個權限可以像 sudo 一樣獲得較高的權限來操作，所以要再看看怎麼限制他。