ellefc

Reputation: 273

How can I list all resources across my whole GCP estate that have a specific role?

I can identify all resources with the role Owner in a project by using the following command:

gcloud projects get-iam-policy <PROJECTID> --flatten="bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner"

To run this command across all projects, I thought this might work but it doesn't...

for i in $(gcloud projects list | awk '{print $1}' | awk 'NR>1'); do echo PROJECT: $i && echo "--" && gcloud projects get-iam-policy --project=$i --flatten="bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner"

Any suggestions?

Upvotes: 2

Views: 1805

Answers (3)

Circy

Reputation: 1184

You can use search-all-iam-policies to search all the IAM policies set on folders or projects within your organization.

To find out who has the role Owner:

gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:roles/owner"

To find out whether Amy has the role Owner:

gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:(roles/owner [email protected])"

To find out whether any gmail account has the role Owner:

gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:(roles/owner *gmail*)"

You can change the scope to a folder or a project. You must have the cloudasset.assets.searchAllIamPolicies permission upon the scope, which is included in the following roles:

  • roles/cloudasset.viewer
  • roles/cloudasset.owner
  • roles/viewer
  • roles/editor
  • roles/owner

Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies

Supported resource types: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types

Upvotes: 0

ellefc

Reputation: 273

I finally figured it out (I didn't close the loop - just needed ;done at the end)

Thought I would share this in case anyone else needs it in the future:

for i in $(gcloud projects list | awk '{print $1}' | awk 'NR>1'); do echo PROJECT: $i && echo "--" && gcloud projects get-iam-policy $i --flatten="bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner"; done

Upvotes: 2

Stefan G.

Reputation: 938

You are on the right track. I used the following script that I have from a friend to print all the projects that a certain email or service account has a specific role on.

It does take a lot of time to execute but it gets it done, I just tested it.

for i in $(gcloud projects list | sed 's/|/ /' | awk '{if (NR!=1) print $1}'); do if gcloud projects get-iam-policy "$i" --flatten="bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner" | grep -q '[USER_OR_SERVICE_ACCOUNT]'; then echo "$i"; fi; done 2> /dev/null

Hope this helps.

Upvotes: 0
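A hardened version of the per-project loop used in the two answers above, added here as an example and not taken from the question or any answer: it reads project IDs with `--format="value(projectId)"` instead of stripping the table header with awk, reports projects whose policy it cannot read instead of hiding the error, and tags public, consumer-Gmail and deleted principals so the output can be reviewed. It assumes an installed and authenticated gcloud; the function names `classify_member`, `report_project` and `scan_all_projects` and the `ROLE` variable are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or answers: walk every visible project,
# list the principals bound to one role and tag the ones worth a second look.
# Assumes gcloud is installed and authenticated.
set -u

ROLE="${ROLE:-roles/owner}"   # override with ROLE=roles/editor

# Tag one IAM member string (hypothetical helper, not a gcloud feature):
#   PUBLIC   allUsers / allAuthenticatedUsers
#   CONSUMER user: with a gmail.com address rather than a managed Workspace identity
#   DELETED  deleted: principal still referenced by a binding (stale entry)
#   ok       everything else (user, group, serviceAccount, domain)
classify_member() {
  case "$1" in
    allUsers|allAuthenticatedUsers) echo PUBLIC ;;
    user:*@gmail.com)               echo CONSUMER ;;
    deleted:*)                      echo DELETED ;;
    *)                              echo ok ;;
  esac
}

# Print "project<TAB>member<TAB>tag" for every member bound to $ROLE on one project.
# A project whose policy the caller cannot read is reported on stderr, not skipped silently.
report_project() {
  local project="$1" member members
  if ! members=$(gcloud projects get-iam-policy "$project" \
        --flatten="bindings[].members" \
        --filter="bindings.role=$ROLE" \
        --format="value(bindings.members)" 2>/dev/null); then
    echo "WARN: cannot read IAM policy of $project" >&2
    return 0
  fi
  for member in $members; do
    printf '%s\t%s\t%s\n' "$project" "$member" "$(classify_member "$member")"
  done
}

# value(projectId) prints one bare ID per line, so no header row has to be stripped.
scan_all_projects() {
  local project
  for project in $(gcloud projects list --format="value(projectId)"); do
    report_project "$project"
  done
}

# Only start the scan when gcloud exists, so the helpers can also be sourced on their own.
if command -v gcloud >/dev/null 2>&1; then
  scan_all_projects
fi
```

Like the original loop this only sees bindings set directly on each project; Owner grants inherited from a folder or the organization only show up in the asset-inventory search from the first answer.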
