Fear F

Reputation: 33

List ALL users of GCP account/Organization

I have an organization in GCP with multiple projects in it.

Is there any way to list ALL project users and their roles without having to access project by project?

I was using gcloud projects get-iam-policy PROJECTNAME, but that lists the users of a single project only, and I have a few hundred projects.

Thanks.

Upvotes: 2

Views: 6881

Answers (4)

Aldekein

Reputation: 3715

Since the Google Cloud Shell CLI changed its default output (I'm using Google Cloud SDK 406.0.0), I had to craft my own script to get a CSV with all accounts in all projects for review in a spreadsheet editor:

for i in $(gcloud projects list --format="value(projectId)"); do
    echo "Project $i,";
    # One row per member: MEMBER,ROLE (no header row per project)
    gcloud projects get-iam-policy "$i" --flatten="bindings[].members[]" --format="csv[no-heading](bindings.members,bindings.role)";
done;

Upvotes: 0

Circy

Reputation: 1194

You can use the following command to search all the IAM policies for organizations/folders/projects within your org:

gcloud beta asset search-all-iam-policies --scope=organizations/123 --query="resource:*//cloudresourcemanager*"

You can change the scope to a folder or a project.

You must have the cloudasset.assets.searchAllIamPolicies permission on the scope.

Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies

It doesn't cover all the policies though: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types

Upvotes: 0

bhito

Reputation: 2673

You can use the following command in the Cloud Shell to fetch all projects and then show the iam-policy for each of them:

for i in $(gcloud projects list |  sed 1d | cut -f1 -d$' '); do 
    gcloud projects get-iam-policy $i;
done;

A few clarifications about the command:

  • sed 1d removes the first row which will contain the following headers:

    PROJECT_ID | NAME | PROJECT_NUMBER

  • cut -f1 -d$' ' will fetch the first column, which is the PROJECT_ID that will be passed to the gcloud projects get-iam-policy command

EDIT

As you wanted to get the results in a PROJECT | MEMBERS | ROLE style, you can use the following, which will create a .csv file for each project with the structure ROLES | MEMBERS inside. Each file will be named PROJECT_ID.csv.

  • Roles: Current role owned by the followed list of members

  • Members: List of members who own the role

for i in $(gcloud projects list |  sed 1d | cut -f1 -d$' '); do
    echo "Getting IAM policies for project:" $i;
    echo "..........";
    # Fetch the policy once per project and reuse it for both columns
    policy=$(gcloud projects get-iam-policy "$i");
    (echo "ROLES,MEMBERS" && paste -d "," <(printf %s "$(echo "$policy" | yq '.bindings | .[].role' | cut -d "\"" -f2)") <(printf %s "$(echo "$policy" | yq '.bindings | .[].members | join(",")' | cut -d"\"" -f2)")) >> "$i.csv"

    echo "Done. Logs created at file" $i.csv;
    echo "--------------------------------"
done;

The only dependency you may need to install is yq, which you can install in your shell.

EDIT 2:

As requested in the comments, all the output will go to the same .csv file, following the format PROJECT_ID | ROLE | MEMBERS:

echo "PROJECT_ID,ROLES,MEMBERS" >> output.csv
for i in $(gcloud projects list |  sed 1d | cut -f1 -d$' '); do
    echo "Getting IAM policies for project:" $i;
    echo "..........";
    # Fetch the policy once per project; extract roles and members from the same copy
    policy=$(gcloud projects get-iam-policy "$i");
    roles=$(echo "$policy" | yq '.bindings | .[].role' | cut -d "\"" -f2);
    members=$(echo "$policy" | yq '.bindings | .[].members | join(",")' | cut -d"\"" -f2);
    # Repeat the project ID once per binding so every row carries it
    paste -d "," <(printf %s "$(for j in $(seq 1 $(echo "$roles" | wc -l)); do echo $i; done;)") <(printf %s "$roles") <(printf %s "$members") >> output.csv

    echo "Done. Logs created at file output.csv";
    echo "--------------------------------"
done;

Upvotes: 2
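The same PROJECT_ID,ROLE,MEMBER export, as an added example in Python (not code from the answer above): it parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, emits one member per row so a member list never spills across spreadsheet columns, quotes fields properly, keeps the binding's IAM condition title as a fourth column, and pulls out the rows a reviewer wants first (public principals, basic roles). `SAMPLE_POLICY` is a constructed policy, not captured from a real project; `collect_org_iam()` wraps the real gcloud commands and only runs when invoked with `--live`.

```python
import csv
import io
import json
import subprocess
from typing import Dict, Iterable, List

# Constructed sample in the shape `gcloud projects get-iam-policy PROJECT --format=json`
# prints (invented values, not captured from a real organization). Conditional
# bindings only appear when the returned policy is version 3.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:admins@example.com"]},
    {"role": "roles/viewer",
     "members": ["allUsers"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ci@example-prj.iam.gserviceaccount.com"],
     "condition": {"title": "until-2024",
                   "expression": "request.time < timestamp(\\"2024-12-31T00:00:00Z\\")"}}
  ],
  "etag": "BwX1xyz=",
  "version": 3
}
""")

HEADER = ["PROJECT_ID", "ROLE", "MEMBER", "CONDITION"]


def flatten_policy(project_id: str, policy: Dict) -> List[List[str]]:
    """One row per (project, role, member); condition title, or '' when unconditional."""
    rows = []
    for binding in policy.get("bindings", []):
        cond = binding.get("condition", {}).get("title", "")
        for member in binding.get("members", []):
            rows.append([project_id, binding["role"], member, cond])
    return rows


def to_csv(rows: Iterable[List[str]]) -> str:
    """Render rows as RFC 4180 CSV; the csv module quotes embedded commas for us."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def risky_rows(rows: Iterable[List[str]]) -> List[List[str]]:
    """Rows to review first: public principals and the basic owner/editor/viewer roles."""
    basic = {"roles/owner", "roles/editor", "roles/viewer"}
    return [r for r in rows
            if r[2] in ("allUsers", "allAuthenticatedUsers") or r[1] in basic]


def gcloud_json(*args: str):
    """Run a gcloud command with --format=json and parse its output (live use only)."""
    out = subprocess.run(["gcloud", *args, "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def collect_org_iam() -> List[List[str]]:
    """Live variant of the bash loop: every project the caller can list, one policy each."""
    rows: List[List[str]] = []
    for project in gcloud_json("projects", "list"):
        pid = project["projectId"]
        rows.extend(flatten_policy(pid, gcloud_json("projects", "get-iam-policy", pid)))
    return rows


if __name__ == "__main__":
    import sys
    rows = collect_org_iam() if "--live" in sys.argv else flatten_policy("example-prj", SAMPLE_POLICY)
    sys.stdout.write(to_csv(rows))
```

Running it without `--live` prints the constructed sample as CSV; with `--live` it needs an authenticated gcloud and the same resourcemanager.projects.getIamPolicy permission the bash loop needs on every project.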

John Hanley

Reputation: 81454

Is there any way to list ALL project users and their roles without having to access project by project?

No, you will need to scan organizations, folders, projects, and resources to obtain a complete list of all IAM members with access to cloud resources. Scanning just projects will not give you a complete list.

Upvotes: 0
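An added example (not code from any of the answers) that ties Circy's Cloud Asset Inventory search to John Hanley's point: it parses the JSON that `gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --format=json` prints (an array of IamPolicySearchResult objects), classifies each binding by the level it is attached to, and lists the principals a project-by-project loop over `gcloud projects get-iam-policy` would never see because their only grants sit on the organization, a folder, or a resource such as a bucket. `SAMPLE_RESULTS` is constructed with invented IDs; the caveat from Circy's answer still applies, since only the searchable asset types are returned.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape of
# `gcloud asset search-all-iam-policies --scope=organizations/123 --format=json`
# (an array of IamPolicySearchResult objects); IDs and principals are invented.
SAMPLE_RESULTS = json.loads("""
[
  {"resource": "//cloudresourcemanager.googleapis.com/organizations/123",
   "assetType": "cloudresourcemanager.googleapis.com/Organization",
   "organization": "organizations/123",
   "policy": {"bindings": [
     {"role": "roles/resourcemanager.organizationAdmin",
      "members": ["group:org-admins@example.com"]}]}},
  {"resource": "//cloudresourcemanager.googleapis.com/folders/456",
   "assetType": "cloudresourcemanager.googleapis.com/Folder",
   "folders": ["folders/456"], "organization": "organizations/123",
   "policy": {"bindings": [
     {"role": "roles/editor", "members": ["user:bob@example.com"]}]}},
  {"resource": "//cloudresourcemanager.googleapis.com/projects/example-prj",
   "assetType": "cloudresourcemanager.googleapis.com/Project",
   "project": "projects/1000000000001", "folders": ["folders/456"],
   "organization": "organizations/123",
   "policy": {"bindings": [
     {"role": "roles/owner", "members": ["user:alice@example.com"]}]}},
  {"resource": "//storage.googleapis.com/projects/_/buckets/example-public",
   "assetType": "storage.googleapis.com/Bucket",
   "project": "projects/1000000000001", "folders": ["folders/456"],
   "organization": "organizations/123",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}}
]
""")


def scope_of(resource: str) -> str:
    """Level the binding is attached to: organization, folder, project, or a
    resource-level policy (bucket, dataset, ...) below the project."""
    prefix = "//cloudresourcemanager.googleapis.com/"
    if resource.startswith(prefix):
        kind = resource[len(prefix):].split("/")[0]  # organizations|folders|projects
        return kind.rstrip("s")
    return "resource"


def flatten_results(results: List[Dict]) -> List[Dict]:
    """One row per (resource, role, member) across every policy the search returned."""
    rows = []
    for res in results:
        scope = scope_of(res["resource"])
        for binding in res.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                rows.append({"scope": scope, "resource": res["resource"],
                             "role": binding["role"], "member": member,
                             "conditional": "condition" in binding})
    return rows


def grants_missed_by_project_scan(rows: List[Dict]) -> List[str]:
    """Members whose grants all sit above or below project IAM policies. Folder and
    organization grants are inherited by every project underneath, yet never show up
    in that project's own get-iam-policy output."""
    seen_at = defaultdict(set)
    for r in rows:
        seen_at[r["member"]].add(r["scope"])
    return sorted(m for m, scopes in seen_at.items() if "project" not in scopes)


if __name__ == "__main__":
    import sys
    # Pipe real search output in, or run with no stdin to use the constructed sample.
    data = SAMPLE_RESULTS if sys.stdin.isatty() else json.load(sys.stdin)
    rows = flatten_results(data)
    for r in rows:
        print(f'{r["scope"]:<12} {r["role"]:<45} {r["member"]}')
    print("not visible from project policies:", grants_missed_by_project_scan(rows))
```

On the sample, the folder-level editor, the organization admin group, and the public bucket principal are all invisible to a projects-only loop, which is exactly the gap the answer above describes.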
