Home > Blockchain >  GCP - gcloud commands to retrieve admin roles and member info
GCP - gcloud commands to retrieve admin roles and member info

Time:12-09

for risk control reasons we need to have scripts to get information of all admin roles, and people who are members of those admin roles. Note, I am specifically talking about "admin roles" (built in and custom) e.g. super admin, not the standard roles that are granted to people within a project, etc. I have not found a gcloud command that will provide this info. Additionally, I don't want to run this script as super admin - I can create a custom role, but could not determine the privileges this roles would need to get read-only access to this information.

If there is another non gcloud script way of doing this, I am open to it, but gcloud would be the easiest to get working I think.

Any help would be highly appreciated.

Fas

Reviewed documentation for gcloud but not luck

CodePudding user response:

There is no command that will meet your requirements. You will need to write a custom program.

You must parse the policy bindings for both the project and each resource that supports IAM bindings. Then there are inherited permissions from the ORG and Folder levels. This can quickly get complicated and will require a solid understanding of authorization control in Google Cloud.

Each Google Cloud Resource has its own set of permissions. You must create a list of each admin-level IAM role and parse each custom role to determine if they have your definition of admin-level permissions.

A common mistake is that only the project IAM bindings are checked. Many resources support IAM bindings, which are authorization backdoors if managed incorrectly.

Start by reviewing this page to see the list of IAM roles and permissions:

IAM basic and predefined roles reference

CodePudding user response:

You can use gcloud command with get-iam-policy :

gcloud projects get-iam-policy ${project_id} \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role=roles/owner"

The filter argument allows to filter on a needed field, I used bindings.role=roles/owner in this example.

flatten and format arguments allows to recover members.

This command allows displaying the members having the roles/owner.

You can list the expected roles for which you want to retrieve the members :

#!/bin/bash

declare -a StringArray=("roles/owner" "roles/my_custom_role" )
 
# Iterate over roles
for role in ${StringArray[@]}; do
   gcloud projects get-iam-policy ${project_id} \
      --flatten="bindings[].members" \
      --format="table(bindings.members)" \
      --filter="bindings.role=${role}"
done

Page link:https//www.codepudding.com/Blockchain/636992.html

Prev:What does the hexadecimal value obtained by printing the name of a function mean?
Next:Microsoft Azure: Conditional Access: How would I enforce intune MDM but allow AVD RDP from personal
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding