For risk control reasons we need to have scripts to get information on all admin roles, and the people who are members of those admin roles. Note, I am specifically talking about "admin roles" (built-in and custom), e.g. super admin, not the standard roles that are granted to people within a project, etc. I have not found a gcloud command that will provide this info. Additionally, I don't want to run this script as super admin - I can create a custom role, but could not determine the privileges this role would need to get read-only access to this information.
If there is another non-gcloud script way of doing this, I am open to it, but gcloud would be the easiest to get working, I think.
Any help would be highly appreciated.
Fas
Reviewed documentation for gcloud but no luck.
CodePudding user response:
There is no command that will meet your requirements. You will need to write a custom program.
You must parse the policy bindings for both the project and each resource that supports IAM bindings. Then there are inherited permissions from the ORG and Folder levels. This can quickly get complicated and will require a solid understanding of authorization control in Google Cloud.
Each Google Cloud Resource has its own set of permissions. You must create a list of each admin-level IAM role and parse each custom role to determine if they have your definition of admin-level permissions.
A common mistake is that only the project IAM bindings are checked. Many resources support IAM bindings, which are authorization backdoors if managed incorrectly.
Start by reviewing this page to see the list of IAM roles and permissions:
IAM basic and predefined roles reference
CodePudding user response:
You can use the gcloud command with get-iam-policy:
gcloud projects get-iam-policy ${project_id} \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role=roles/owner"
The filter argument allows filtering on a needed field; I used bindings.role=roles/owner in this example. The flatten and format arguments allow recovering the members. This command displays the members having roles/owner.
You can list the expected roles for which you want to retrieve the members:
#!/bin/bash
# Project to inspect, passed as the first argument (the original snippet left it unset)
project_id="${1:?usage: $0 PROJECT_ID}"
# Roles whose members should be listed (add your own admin-level roles here)
declare -a StringArray=("roles/owner" "roles/my_custom_role")
# Iterate over roles and print the members bound to each one in the project policy
for role in "${StringArray[@]}"; do
echo "== ${role} =="
gcloud projects get-iam-policy "${project_id}" \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role=${role}"
done
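The two answers above describe complementary halves of the job: the first says you must walk the org, folder and project policies and decide for each custom role whether its permissions are admin-level; the second shows how to flatten bindings and filter them by role. The script below is an added example (not code from either answer, and not a Google tool) that does both offline on the JSON that get-iam-policy emits. Fetch the inputs separately with the real commands `gcloud organizations get-iam-policy ORG_ID --format=json`, `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`, `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam roles describe ROLE_ID --project PROJECT_ID --format=json`; a read-only identity that only needs the `getIamPolicy` permissions on organizations, folders and projects plus `iam.roles.get` / `iam.roles.list` (which the predefined role `roles/iam.securityReviewer` carries, to my knowledge) can run those without any admin grant, which answers the question's second concern. The sample policies, custom-role definitions, scope names and the "admin-level" heuristic (basic roles, roles ending in `Admin`/`.admin`, and custom roles that carry a `setIamPolicy` or role-management permission) are constructed assumptions for the example.

```python
"""Offline audit: who holds admin-level IAM roles across org -> folder -> project.

Added example, not from the original answers. Inputs are the JSON documents
produced by `gcloud ... get-iam-policy --format=json` and
`gcloud iam roles describe ... --format=json`; the documents embedded below
are constructed sample data, not real policies.
"""
import json
from collections import defaultdict

# Assumption: a permission containing one of these markers makes a custom role
# "admin-level" for this audit, because it can change who has access.
ADMIN_PERMISSION_MARKERS = ("setIamPolicy", "iam.roles.update", "iam.roles.create")
# Predefined roles treated as admin-level regardless of their permission list.
ADMIN_PREDEFINED_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/resourcemanager.organizationAdmin",
    "roles/iam.securityAdmin",
}


def is_admin_role(role, custom_roles):
    """Decide whether a role counts as admin-level.

    custom_roles maps a custom role name to its `gcloud iam roles describe`
    JSON, whose includedPermissions list is what we inspect.
    """
    if role in ADMIN_PREDEFINED_ROLES:
        return True
    # Heuristic for predefined roles such as roles/compute.admin (assumption).
    if role.endswith(".admin") or role.endswith("Admin"):
        return True
    definition = custom_roles.get(role)
    if definition is None:
        return False
    perms = definition.get("includedPermissions", [])
    return any(marker in perm for perm in perms for marker in ADMIN_PERMISSION_MARKERS)


def flatten_bindings(policy, scope):
    """Yield (role, member, scope, condition_title) for every binding member.

    This is the same flattening that --flatten="bindings[].members" does in the
    answer above, plus the optional IAM condition title so conditional grants
    are not silently treated as unconditional.
    """
    for binding in policy.get("bindings", []):
        condition = (binding.get("condition") or {}).get("title")
        for member in binding.get("members", []):
            yield binding["role"], member, scope, condition


def admin_holders(policies, custom_roles):
    """policies: list of (scope_name, policy_dict) from org down to project.

    Returns {role: {member: [scope labels]}}. A grant at org or folder level
    is inherited by everything below it, which is why all levels are walked.
    """
    report = defaultdict(lambda: defaultdict(list))
    for scope, policy in policies:
        for role, member, sc, cond in flatten_bindings(policy, scope):
            if is_admin_role(role, custom_roles):
                label = sc + (f" (conditional: {cond})" if cond else "")
                report[role][member].append(label)
    return {role: dict(members) for role, members in report.items()}


# Constructed sample inputs (shape of gcloud's JSON output, values invented).
SAMPLE_ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}
SAMPLE_FOLDER_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:bob@example.com"],
     "condition": {"title": "expires_2025",
                   "expression": "request.time < timestamp('2025-12-31T00:00:00Z')"}},
]}
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "projects/example-project/roles/deployer", "members": ["user:carol@example.com"]},
    {"role": "projects/example-project/roles/log_reader", "members": ["user:dave@example.com"]},
    {"role": "roles/compute.admin", "members": ["group:sre@example.com"]},
]}
SAMPLE_CUSTOM_ROLES = {
    "projects/example-project/roles/deployer": {
        "includedPermissions": ["compute.instances.create",
                                "resourcemanager.projects.setIamPolicy"]},
    "projects/example-project/roles/log_reader": {
        "includedPermissions": ["logging.logEntries.list"]},
}


def run_sample():
    """Run the audit over the constructed hierarchy and return the report."""
    policies = [("org/123", SAMPLE_ORG_POLICY),
                ("folder/456", SAMPLE_FOLDER_POLICY),
                ("project/example-project", SAMPLE_PROJECT_POLICY)]
    return admin_holders(policies, SAMPLE_CUSTOM_ROLES)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

In the sample output the custom role `deployer` is reported because it carries `resourcemanager.projects.setIamPolicy`, while `log_reader` is not; Bob's owner grant is flagged as conditional rather than dropped. Replace the embedded sample dictionaries with `json.load()` of the files you fetched, and extend the scope list with every resource-level policy (buckets, service accounts, and so on) that the first answer warns about.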