From YouTube: Cloud Custodian Community Meeting 20220329
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/cloud-custodian/community/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, welcome everybody. The date is March 29, 2022, and this is the Custodian community meeting. Just as a reminder, we do record these meetings and put them on YouTube, and the CNCF code of conduct is in effect, so please be excellent to each other. All right. I've posted the notes URL to the chat and I'll go ahead and post it again. I don't think the chat persists when new people join, does it? So I'll just post it again. There.
C
A
I got some permissions. Hey Liz, or one of you, can you, can you share the notes and then I'll just talk through them? That would be fantastic, thanks. Yep, all right. One second.
A
All right, so before we get started: we usually have an agenda that we we go through, and then the agenda for this meeting is open. So if you have stuff that you want to talk about, we'll go over some of the announcements that we make and then, you know, raise your hand or holler at us, and then after that, usually we we close out the meeting with discussing PRs and issues that might be important to you.
A
So if you have any of those, feel free to bring them and just toss them in chat and we'll get to them, and as always, the meeting is kind of whatever's useful to the community. So if you have questions on how to use Cloud Custodian or any of that kind of stuff, feel free to raise your hand or just type in chat. So first things first, we do have a development sprint at PyCon. Liz,
A
If you could open this page, it'd be great. So Kapil, a few, the other people have organized a development sprint at PyCon and it's on the PyCon website. So if you scroll down you'll see all the information that's necessary to attend that cloud sprint.
A
So if you happen to be attending PyCon anyway or something, come say hello, and I am pretty sure we're gonna have t-shirts.
A
I should check on that, but if not I'll have a way of sending you a shirt, if you want one or not. Any questions to PyCon, anyone? Fan, were you planning on attending? I don't remember if you were or not.
D
I'm not confirmed yet, but I'm trying to, even if it's just for that day.
A
Okay, yeah, same with me: I'm not, I'm not sure if I'll be able to attend, but I'm gonna, I'm gonna try.
A
I have no idea, yeah, I don't know, but if I can't go physically, I'm gonna find a way to virtually attend, because, obviously, you know, I'm gonna want to get a lot of stuff done there. So I, you know what, I will take an item to follow up on that. Any other questions? Yeah.
C
B
It sure is. So I've got a tutorial for you all, like a policy 101 tutorial, and I was about to publish it, but then I was wondering, and maybe that maybe people have an opinion about this, maybe they don't. But where would you like to see stuff like that live? Is that something that should be in the main Custodian repo with the rest of the docs?
B
I can't remember if that's how it's set up, I think so. Or I was thinking it could be in the examples repo with a link back to it in the main repo with the rest of the documentation.
B
My instinct is to put in the examples repo and have that kind of evolve into like a, like, learning resource place where you can come for, like, all things that are like kind of in addition, or what's the word I'm looking for, in addition to like the main.
B
Yeah, complementary, there we go. So that's my, that was my thoughts, but I also want to make these easy to discover. So I thought I'd put it out there, see if anyone has an opinion and.
C
F
A
All right, moving on. Okay, Darren, you've got three PR you'd like us to take a look at. Does anybody have anything else to add to the agenda before we just move on to the the kind of working meeting part?
A
Hey, all right, moving moving moving quite along, let's start with 70 29.
G
I think all of these PRs are mainly waiting for yeah to comment on them. Unfortunately, it doesn't look like Kapil is here, so I don't know if anyone else here can take a look, give additional feedback or what, but most of these, you know, I'm mainly just waiting for feedback and to me review.
A
A
Okay, I will follow up with him individually, then, right after this meeting. Is it just a three.
F
C
I would say so. Of those three, though, I mean there's been, and I saw Todd joined too, I know there's been a few of us commenting on that second one, the 771-29, and then 71-37, it looks like there's no comments on it. I'm happy to take a look at it. I don't know if I'll have.
A
A
G
A
Yeah, ideally, what I'd like to do have at least one other person in that can merge things so that when Kapil is out of band from working on Custodian, we don't kind of grind to a halt like like we're currently right now, but yeah. I I hear you, I I understand. I'll see if I can at least get you comments or some kind of movement today on that.
C
If there's anything folks in this, like 71 29, it feels like because it's a mix, it's kind of bumping into something that was that existed a while back that seemed to kind of stall out, but it had that that was about the the CIDR CIDR handling.
C
A
And I know we're planning on having Sonny start working full time for a while, at least on Custodian, so hopefully that'll give us another another brain in there once he gets up to speed, so I'm kind of hoping to just you two bounce off each other and hopefully that that will help clean up some of the roadblocks we're having. All right. So these three, and anything else on these three other than.
G
For those three, mainly just top two waiting for Kapil, the last one waiting for any comments from anybody, I guess. Gotcha.
G
And then I also have more stuff to discuss on GCP. I brought it up last time, there's more issue now, but I can't wait for that at the end. I'll let other people chat about other things first, I'll save.
F
That for you, okay. Do we want to move on then to 7112?
H
C
Yeah, we've had, and this this, there was another related PR, another related issue on this. There's, the deal here was that people were hitting a too many principals issue when they were running run the IAM, the the check permissions against policies where there were multiple principal types, at least that's what it looks like. No one had, we hadn't gotten any failing tests or anything from from the people who reported the issue. They just said it's a rare issue, but they add in, they added.
H
C
Some definitely failing tests and then tried to fix them, but it involved some logic tweaks. So I'm just, it was more if anyone is actively using these filters and can help poke holes in my logic, that would be handy. And the idea was, before we had this whole little chain, there was an assertion in there saying if you had more than one principal type other than service, the policy would just bomb, and it looked like it was because it was checking to see.
C
C
Well, yes, that's that's the hope, but see, and Todd, I'm glad to hear it, because there are some of these where you'll say: oh, you know, I see what you're doing there, but that's going to break in this other case and I ran into it a couple years ago and went way too deep into a hole. So so those kind of inputs are awesome.
C
E
C
Is it that PR has a little bit weird? The Security Hub fix, I think, is actually pretty straightforward. I think that one was just a retry. Okay, it was more, it was like, oh, and IAM, and that was where the the trickier bit was with. Okay, yeah, and we've had a couple people who have said: oh, I'm running a policy, and I hit this thing, I get this error about too many principals, and the problem is that we're asserting that there are too many principals.
C
So let's just delete that assertion, which which works, but then it just silently fails, so we're trying to keep it from, keep that from happening. Yeah, yeah, it was more: have you seen that, have any of you seen that issue come up when you try to run these, those check permissions type policies?
E
Sadly, I have not had great use of check permissions policies yet, so I haven't run into this problem yet, but cool, I'm interested to look and see what you're, what you're fixing, so I'll take a look.
E
C
E
I know at one point I started looking at this because I'm looking at what capabilities were there and how how much support Custodian had in, in understanding all the various conditions that you can put on policies and all that stuff, because we use that a lot, and I remember looking at this going: oh yeah, Custodian's going to blow up on all of our stuff, like it's, there's not enough support here, and I didn't look at it much after that. So.
A
It's the only way with cloud. Okay, did you have, was there any other one of these PRs that you had in mind, AJ? I'd like to go over the, just a roadmap, real quick, if we can.
C
Yeah, the only, I'm trying to see, the only other one that jumps out is that RDS consecutive daily snapshot. That one seemed interesting. I was kind of surprised that it was a new one, and that one, yeah, I think it just ties into the CLA stuff it slapped, yeah.
G
That one is actually from Intuit too on it. Thank you for the feedback, AJ, we'll fixing it right now and we'll probably have an update soon.
G
A
A
B
Cool, and then.
A
Just go to, just Cloud Custodian, the GitHub or top left over here, yep, and.
B
A
A
A
Obviously we have to have a roadmap that's like public and all that kind of good open source stuff. So Kapil went through and we kind of did a first stab at what he thinks of roadmap, yeah. You can click through, Liz.
A
There you go, and then, if you click on view, that first tab.
A
And then you can change it to a board. You can, you can mangle this however you want, but basically this is going to be now the kind of top level project board for Custodian. Kapil's basically said, you know, here's what I'm thinking we should do. So I kind of wanted to let everyone know that we have this now, so we can kind of look at it on the regular. I'm planning on, you know, once we get a few more things in here and kind of organize it a little bit better.
A
This is something that we'll look at maybe every other month, something, and then have people nominate things that they want to see on there, that sort of stuff. So I mostly just wanted to point that out, that this is kind of an aspirational thing that we're going to try to do. If you've been around an open source, I know it could be difficult for some projects.
A
A
Any comments on this or tips, or anything they'd like to see on here? I'm sure everyone's going to have their favorite things that they'd like to see on here, which we definitely want to look at how we can have like a feature process and that kind of stuff. So, comments? I was just going to move on to other PRs here, if everyone's just like, sounds good to me.
A
Says AJ wants this thing on the roadmap, but AJ says I want to handle it, right, and then that would be like yours, but we might also have a backlog of things that we want to have, but we might have not enough resources, and then that becomes kind of the the backlog, so that when we do write and finish a contributor guide, that could be like a first hit list, I guess is what I would say, of, you know, cards that they want to use. Does that make sense?
A
E
A
Not right, so currently, what we did is we're basically picking issues and you can put them on there. What we need to get to over the course of the years have an actual feature proposal, like a cap or a PEP style.
A
You know, template where you write up what the feature is going to be, and then that becomes kind of more of a high level board thing, as opposed to just, you know, I filed an issue, oh, that that looks good for the next quarter, and then you targeted ports towards the roadmap. Does that make sense?
A
Right, right, so, when I started, computer was like, we need to figure out a way for us to propose features, right, but we didn't want to do like a full-on process that's like, you know, it's like an entire form, like people work on it for weeks, then they do this huge pull request, but we also didn't want to have too much of an ad hoc.
A
You know, hey, I just made this up, and now I'm gonna PR as well. So we we, we were kind of working towards getting a template-ish that looks like that. It just kind of fell off the plate, and then we had to get the board kind of organized and we hadn't touched it since June. So in, at the end of last October, when we did the kind of state of Custodian, we did the state of Custodian, but the board didn't reflect all of the stuff that we mentioned it.
A
A
A
I will definitely work, that roadmap and feature process needs work, that might, that might be what I do for the sprint. Okay, and with that we had the PRs and issues open. This is, anything jumping out at everyone? I don't, we know we don't like to sit here and just read through each one, because that gets boring really quick, but if there's something jumping out of anybody, and if not, Darren has a GCP, is this GCP behavior continued from the, yeah?
A
What number was that? We might want to toss that one, or is that a new, is it a new issue?
G
A
So this is the one where Darren, just for people who are on the video or, you know, aren't familiar with the issue.
A
G
Intuit, we have lots and lots of AWS account, hundred thousand actually, where we have a central control plane account where we run Custodian and we set up IAM role with trusted relationship on all of what we call target accounts, and that's how we then essentially run Custodian to then deploy different policies to all of our accounts that belong to Intuit. And now, as we venture over to GCP, again, we foresee us having a bunch of equivalence of accounts in GCP as well. They call it projects instead of account, but yeah.
G
It's the same thing. We do, however, again have what we call the control plane account in GCP, and the recommendation that GCP and even cropper, stolen too, is to set up what is called workload identity pool so that we can run Cloud Custodian from AWS and have it authenticated.
G
It's like federated identity, if you want to think about that way, and then from there, we have what what is the service account that have permission to then deploy the policies to all the different target projects. So, for example, you know, setting up cloud functions, scheduler to run the the policies. So the current, or the initial problem that we ran into.
G
Actually, maybe this will be a better. This is a more detailed view of what happens behind the scene with Cloud Custodian and GCP.
G
So this is how we run Cloud Custodian on AWS and have it deploy things to a GCP project, right. First, we do export Google application credential keypad, just a path to where the configuration file that set up the the workload identity pool. I guess potential, the credential is not there, but it has a configuration for where to talk to for retrieving the credential.
G
G
Even if you look inside the code itself here, this is Cloud Custodian code. When we set up the, when we make the call to set up the credential, is quota project.
G
Taking a step back, what does this even do, setting the quota project to be the target project? I don't think it should be setting the target project to be the quota project. By default, whatever you run on, that's going to be the quota project. If you want it to be something else, then yeah, you can set it, but why here you're setting it to itself?
D
Yeah, this is just, you know, as Darren explains, default GCP behavior. So, for instance, things like API throttling will happen within that boundary. So, for instance, even if you obtain service accounts, they all be under the same throttle, right, in that project. If you change that scope, so to speak, to another project, then again, you know, the throttling will happen that project, yeah. So it's sort of basically default behavior. You can override it, of course, like Darren said, but but.
G
Right here we are overriding it to be the target project, but I'm saying that doesn't make sense because by by default, wait, the, oh, you're talking about the throttling of API. I was talking about the quota of the resources.
D
Yeah, because the way GCP does the boundary of throttling is by the project boundary, yeah.
I
G
D
G
D
So the challenge we have is we have to create, like a, you know, we're right where we are, but we have many projects each with a single service account that we use divide and conquer our hierarchy, because otherwise we just run out of calls and get massively throttled. No, if you have a few hundred projects, you're okay, but we have so.
D
Oh yeah, quickly, if you, if you under a thousand projects, don't worry about this, but if you're like us and tens of thousands of projects, this this is necessary to use that particular target project's bucket of quota. Now it has high risk, meaning if there's a production project and you saturate, say, for instance, the IAM or the Resource Manager API, which is the one you hit the hardest.
D
Then it is possible that you potentially could impact, you know, a production workload, so it requires, yeah, I'll be honest with you, we don't have really good strategy at that scale. That's why I've been asking, begging, playing, willing to crowdfund using Cloud Asset Inventory, because at scale that's the only solution you have. Hitting the APIs is okay, I would say, up to a thousand projects, you're not going to sweat it. Like, for instance, you can pull a thousand projects with a single API call out of Resource Manager.
D
It's metadata, they're very generous, but the moment you get into, I would say, 10,000 plus projects, you're gonna find Custodian just crash and burn hard, and it's because of, you know, right now.
D
I have another another issue out where the GCP project resource doesn't behave as you would expect, like it does in AWS.
D
When you call it, it literally pulls out all the projects that your service principal has access to. You know, an org, you have, let's say, 10,000 projects that you can see. Yeah, of course, you know, that thing just times out after 30 minutes, and so that's the one thing that I think Kapil talked, we talked about probably two meetings ago, maybe three. All right, you can maybe keep me honest, but Kapil was saying, is to ensure that the expected behavior of GCP project is like a singleton and behaves like a database.
D
G
I thought with the API with GCP it typically scoped down to go down to.
D
What your principal can see. So, for instance, if you have like, you know, a service account at the org level, right, say with security audit privileges, which would make sense for something like GCP.
D
No, that kills you when you, like I say, hey, I did not know that. The problem really is not a thousand project below problem. You would really, it does just sit there for a long time and finish, but we on the tens of thousands of projects in a single org and many orgs. So we have a problem where it needs to behave like a singleton, and so what what we do is we divide and conquer the hierarchy.
D
So we have about five layers of folders, and so we just break one folder at a time and run policies from that folder, you know, hierarchically it down, but the the solution, the long-term solution is Cloud Asset Inventory for sure. That would literally unleash the power of BigQuery and make this blazingly fast, because everything that you need is in two cloud and inventories. One is all the actual resources, there's storage, whatever. The other BigQuery set is all the IAM data.
D
Like all your roles, policies, permissions, everything is in the BQ set, and even at our scale, queries come back in seconds, right, for the whole org. Even, you know, I don't know, we right now just cleared 80,000 active projects, not biggest org, so Cloud Asset Inventory is definitely the way to go. There's another PR for that, but yeah, I think that speaks to the two challenges right now, is GCP project does not behave like, you know, AWS account right now. That's a challenge.
D
D
So, oh, that, I need the prefix, we're using c7n-org, we're not, not using, you know, just audiences.
D
Yeah, I don't know if you're using c7n-org or if you just, okay, yeah. I think if you just run Custodian as is, you're going to be fine, because everything's going to run in your environment. You know, like you have a Google Cloud project, but you run with c7n-org, then that that's what the challenge is, but to write a policy like GCP project, you want to just say, for instance, call all owner and editor roles in your project, then what will do, it will actually pull first all your projects down.
D
You know, that that account has access, and then it would run through, you know, all the IAM bindings, right, for that project, and of course this is massive in size if you have thousands of projects, so I guess it's more c7n-org shortcoming than any.
D
Custodian, right, and if, you bring up a good point, Darren, I never considered that, but to probably stop using c7n-org and sort of build our own c7n-org that still runs with the projects of YAML, but every time basically set on violent.
E
G
D
D
For instance, compute API is not enabled. Another optimization we did is go through the projects and check whether all the APIs are enabled and then adding variables, or actually tags, in the project.yaml.
D
And then, when we run today with c7n-org, you know, we just run against projects that have, say, the compute API enabled, because that dramatically, you know, speeds up, right, the performance, because, you know, let's say we only have about 25,000 projects that have compute API enabled. So we can not skip the rest because it does slow down, you know, hitting a 404, right, on all the APIs, you know, trying to run, you know, run the queries and authenticate.
E
G
G
Side, what we will have to do, though, is we have to grant this permission here to.
F
G
D
Yeah, that's what we did. We created a service account in our, like you have your control project, like the tcp control, and then we granted that service account the security audit built-in permission from GCP, and therefore we can effectively query any security metrics. But it's a read-only role, so.
G
D
D
Yeah, you're basically assuming, oh, I'm trying to think about the name they call it, but you can use effectively one principal, you know, to assume another principal.
D
So, generally, you would see that, you know, say: don't use the default. It was just a big exploit on this, using the default compute service account. Rather have a specific service account that you assume when you perform compute operations, but yeah, so they have that almost like IAM role that you assume. You can assume another principal from, you know, if you have the right permission. There's a permission almost like STS assume role, is information that allows you to assume other entities, and again ours.
D
Again, we've granted right at the org level, and so that, you know, allows us, you know, we don't have to deal with any permissions at, you know, a lower level. Okay, but you're right, we, we haven't done what you just mentioned here, like change that HTTP header to that, so way we run an issues is we are calling things like Resource Manager too much. So far, we okay on other APIs, because we partitioned, you know, like we basically sharded our run to at run at different node levels in hierarchy.
D
It's not ideal, but.
D
Yeah, but you'll see, if you look at Cloud Asset Inventory, it is for sure the the solution for the future. Kapil mentioned that it could be another mode, like Config rules for AWS.
E
D
It could be that CAI, which is abbreviation for it, it could be another mode, and that would just improve the performance and orders of magnitude. I mean, it's not even comparison, you'll be able to pull out data in seconds that now will take who knows how long to pull out from the APIs.
D
D
G
More, yeah.
D
Yeah, I'm sure about ten thousand now, but yeah, at least in several orgs. So we like have that sharded, but yeah, we have one big GCP org. There are two things that really are hurting us: the GCP project resource, that's not a singleton, and then not able to call in Cloud Asset Inventory.
D
That truly is the solution, just to leverage BigQuery and leverage, basically just be doing all the hard work by fetching the metadata and dumping it in a BQ table for you. That that is a huge help, yeah, but like couples. So that would be another mode to be supported, you know, in in in GCP. I don't have the chops to build it, as I would.
D
Yeah, and then let me call, I don't know if I pulled the one for the GCP project, that one really hurts, trying to pull out IAM information in GCP.
D
D
D
It anytime, let me just quickly find it, GCP project, yeah, but I think I like your strategy down, maybe not roll with c7n-org right now, but I'll write my own wrapper c7n-org and then be able to scope it down to the project that actually, yeah. It's seven one, one, nine! Let me just put them in the chat.
D
D
D
I haven't measured it, but I think once you hit ten thousand projects, you're gonna be toast, unless you do something really fancy, like, well, fancy, brute force like we do. We basically assign a service account, so we have about, I don't know, I think 20 projects each only having a service account, and we're using that service account to share the runs, just so we consume a different service account, different projects.
D
Caught up capacity hit Resource Manager, because Resource Manager is sort of like, I'm going to call it IAM, but that's where you get the bindings which you need, and that, you know, the IAM bindings, and that's also where you get the labels for your project, because the challenge you have in GCP, that's another thing for you.
D
D
So the project labels are really important for us, and so that's all Resource Manager. But today it's impossible to use c7n-org as it is today.
D
A
Oh yeah, next release, that should be due soon. AJ, I I know we had talked about you possibly doing the next one. Have we sync with Kapil on this, or is it going to be Sonny again? I know we're too early early.
A
A
But okay, so you're like, it's definitely not me. Yeah.
C
A
E
C
Was a tough start, so we can, we can come back with triumph the next time.
A
E
Other question before we fail, if you have time. Sure. I ran across this this weekend, where I wanted to use copy related tags on a resource where the related resource was not a supported resource, but it is, but I have a list of ARNs that you can get the tags out of the Resource Groups Tagging API, right? Like, is, am I missing something, was my first question, like: is there already some way to pull tags via the Resource Groups Tagging API?
E
To do this, which didn't look like it, and b, should we support that as a generic mechanism for copying tags instead of relying on full resource support, or is that the wrong direction, or what are, what are folks' thoughts on that? I was going to file a ticket to like open discussion, but since we're talking here anyway, and I was just thinking about it, like.
C
Sounds interesting. I have no no ideas off the cuff, but it sounds like an interesting. I'm sure other folks would want to do something similar.
E
Yeah, I wasn't sure, if maybe the, did I see on your project board that that Kapil had moved the cloud control provider thing into more of like its kind of working state? Was that true? Like, would this be something like if I use that that you could, because all I'm doing is trying to tag instances that Image Builder spins up. When Image Builder runs, it doesn't tag the instance used to build an AMI, it's stupid, and so I'm just trying to copy tags from the AMI builder project, right, and it's like, okay.
E
Well, I could go add support for Image Builder as a resource which just has tagging support, or something like, right, and feed it in. But it seems like a better generic solution, since there's all kinds of, you know, long tail type resources that are supported by the Resource Groups Tagging API.
C
Yeah, I know the idea, like separate from copy related tags, I know the idea of supporting Resource Groups Tagging API is like a top level resource has come up in the past, so you could have that sort of cross resource tag filters and actions. Yeah, viewers get those questions like: oh, can I write a policy that targets multiple resource types, and all I want to do is check tags, or all I want to do is fix tags. So I don't know if that this would fit under that sort of umbrella.
B
C
A
Up. All right, everyone, thanks, and we'll we'll see you all in two weeks, and then keep on rocking. Cheers. Thanks, thanks.