I first wanted to thank you guys for helping me with my other scripts since I have minimal coding experience, but I’m started to get a hang of it. I’ll still be coming back here
This policy should check whether GCP organization service account key creation is disabled org. wide.
EDIT: I should add that for some reason my code returns true for whatever is in the quote box of the mock file. This shouldn’t be the case if “iam.disableServiceAccountKeyCreation” isn’t there
I’m trying to filter “iam.disableServiceAccountKeyCreation” out of “projects/My First Project/policies/iam.disableServiceAccountKeyCreation” because my client will have a different project name and I want this script to be universal.
I need to add more checks like ensuring the service accounts being created should have a “null” value for keys, but I have yet to find those variables and will come back to this forum if I need help.
I have fixed what I think needs to be changed in the policy: Sentinel Playground
based on the description of your use case I think you probably want to change google_org_policy_global_enforcement to a filter instead of a rule but I didn’t want to do that for you as I wasn’t 100% sure.
Here is a reusable helper function(get_path_end) that pulls “iam.disableServiceAccountKeyCreation” out of the larger “projects/My First Project/policies/iam.disableServiceAccountKeyCreation" string using the ‘split’ function from the strings import
I’ve actually just realized that you don’t need a filter! You were using the term filter, but you actually wanted to split the string and check to ensure that the value (iam.disableServiceAccountKeyCreation) exists.