---
title: About the google_service_account Resource
platform: gcp
---

# google_service_account

Use the google_service_account InSpec audit resource to test properties of a GCP project IAM service account.


Syntax

A google_service_account resource block declares the tests for a single GCP project IAM service account by fully qualified name.

```ruby
describe google_service_account(name: 'projects/sample-project/serviceAccounts/sample-account@sample-project.iam.gserviceaccount.com') do
  its('display_name') { should eq 'gcp-inspec-service-account' }
  its('project_id') { should eq 'chef-inspec-gcp' }
end
```

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP project IAM service account has the expected unique identifier

```ruby
describe google_service_account(name: 'projects/sample-project/serviceAccounts/sample-account@sample-project.iam.gserviceaccount.com') do
  # The IAM API returns uniqueId as a string, so compare against a string literal
  its('unique_id') { should eq '12345678' }
end
```

### Test that a GCP project IAM service account has the expected OAuth2 client identifier

```ruby
describe google_service_account(name: 'projects/sample-project/serviceAccounts/sample-account@sample-project.iam.gserviceaccount.com') do
  # oauth2ClientId is also returned as a string by the IAM API
  its('oauth2_client_id') { should eq '12345678' }
end
```

### Test that a GCP project IAM service account does not have user-managed keys

```ruby
describe google_service_account(name: 'projects/sample-project/serviceAccounts/sample-account@sample-project.iam.gserviceaccount.com') do
  # Fails the control if any user-managed key exists on the account
  it { should_not have_user_managed_keys }
end
```
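The `have_user_managed_keys` matcher above distinguishes keys a person or pipeline created (`USER_MANAGED`) from the ones Google creates and rotates itself (`SYSTEM_MANAGED`). The following plain-Ruby helper is an added example, not part of the inspec-gcp resource; it assumes the matcher is equivalent to finding at least one `USER_MANAGED` key in the IAM `serviceAccounts.keys.list` response, and adds the key-age check a practitioner usually wants next. The response and key ids are constructed placeholders.

```ruby
require 'json'
require 'time'

# Constructed sample of a `projects.serviceAccounts.keys.list` response for the
# page's example account. Key ids are placeholders, not real GCP key ids.
SAMPLE_KEYS_RESPONSE = <<~JSON
  {
    "keys": [
      {"name": "projects/sample-project/serviceAccounts/sample-account@sample-project.iam.gserviceaccount.com/keys/SYSTEM_KEY_ID",
       "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2024-03-01T00:00:00Z"},
      {"name": "projects/sample-project/serviceAccounts/sample-account@sample-project.iam.gserviceaccount.com/keys/USER_KEY_ID",
       "keyType": "USER_MANAGED", "validAfterTime": "2023-06-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
    ]
  }
JSON

# Only USER_MANAGED keys are a finding: Google rotates SYSTEM_MANAGED keys itself.
def user_managed_keys(response_json)
  JSON.parse(response_json).fetch('keys', []).select { |k| k['keyType'] == 'USER_MANAGED' }
end

# Assumed equivalent of the InSpec have_user_managed_keys matcher.
def has_user_managed_keys?(response_json)
  !user_managed_keys(response_json).empty?
end

# Age in whole days of each user-managed key, keyed by key id, measured from validAfterTime.
def user_managed_key_ages(response_json, now: Time.now.utc)
  user_managed_keys(response_json).to_h do |k|
    [k['name'].split('/keys/').last, ((now - Time.iso8601(k['validAfterTime'])) / 86_400).floor]
  end
end

# Key ids older than the rotation policy (max_age_days is a policy choice, not a GCP default).
def stale_user_managed_keys(response_json, max_age_days: 90, now: Time.now.utc)
  user_managed_key_ages(response_json, now: now).select { |_id, age| age > max_age_days }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "user-managed keys present: #{has_user_managed_keys?(SAMPLE_KEYS_RESPONSE)}"
  puts "stale (>90d): #{stale_user_managed_keys(SAMPLE_KEYS_RESPONSE).inspect}"
end
```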

## Properties

* `display_name`, `email`, `etag`, `name`, `oauth2_client_id`, `project_id`, `unique_id`

## GCP Permissions

Ensure the Identity and Access Management (IAM) API is enabled for the project.