Reputation: 51
I would like to use the gcloud CLI to create a table of all users in Google IAM groups in our organization, and output to a BQ table.
I know it involves "gcloud identity groups memberships list" but I am not clear on how to iterate through the groups and generate the output as CSV.
I have already found a method to iterate through the projects and get the iam bindings for each - https://rajathithanrajasekar.medium.com/google-cloud-iam-users-extraction-across-all-projects-in-a-gcp-org-2fbe66ddc045 Therefore I only need group membership info, not policy/binding info.
Update to clarify: Our users are assigned to IAM groups at the Org level (https://console.cloud.google.com/iam-admin/groups). I am looking to generate a list in BigQuery of these memberships, so that we don't have to hunt through them looking for where a user might be found.
The team managing permissions does not have Google Workspace admin to see group membership by user, so we are looking for a way to provide this information.
Upvotes: 5
Views: 8066
Reputation: 963
Looks like we can now search groups using a beta command:
gcloud beta identity groups search --organization="<org_id>" \
--labels="cloudidentity.googleapis.com/groups.discussion_forum"
And there is a whole slew of commands for group membership.
Upvotes: 3
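To tie the two commands together the way the question asks (iterate every group, list each group's members, emit CSV for `bq load`), here is an added example script; it is not from the original answer. It assumes the JSON field names of the Cloud Identity Groups and Memberships resources (`groupKey.id`, `preferredMemberKey.id`, `roles[].name`, `type`) and carries a constructed sample so it can be exercised without a real organization.

```python
import csv, io, json, subprocess, sys

SEARCH_LABEL = "cloudidentity.googleapis.com/groups.discussion_forum"


def gcloud_json(args):
    """Run a gcloud command and parse its --format=json output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def memberships_csv(org_id, run=gcloud_json):
    """One CSV row per (group, member, role) across every group found in the org.
    Only direct memberships are listed; a member of type GROUP is not expanded."""
    groups = run(["beta", "identity", "groups", "search",
                  f"--organization={org_id}", f"--labels={SEARCH_LABEL}"])
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["group_email", "group_name", "member", "member_type", "role"])
    for group in groups:
        group_email = group["groupKey"]["id"]
        for m in run(["identity", "groups", "memberships", "list",
                      f"--group-email={group_email}"]):
            member = m["preferredMemberKey"]["id"]
            # a member can hold several roles (OWNER, MANAGER, MEMBER): one row each
            for role in m.get("roles", [{"name": "MEMBER"}]):
                writer.writerow([group_email, group.get("displayName", ""),
                                 member, m.get("type", ""), role["name"]])
    return buf.getvalue()


# Constructed sample of what the two commands return, so the script runs offline.
SAMPLE_GROUPS = [{"groupKey": {"id": "devs@example.com"}, "displayName": "Devs"}]
SAMPLE_MEMBERS = [
    {"preferredMemberKey": {"id": "alice@example.com"}, "type": "USER",
     "roles": [{"name": "OWNER"}, {"name": "MEMBER"}]},
    {"preferredMemberKey": {"id": "sec-team@example.com"}, "type": "GROUP",
     "roles": [{"name": "MEMBER"}]},
]


def sample_run(args):
    return SAMPLE_GROUPS if args[2:4] == ["groups", "search"] else SAMPLE_MEMBERS


if __name__ == "__main__":
    # python groups_to_csv.py <ORGANIZATION_NUMBER> > memberships.csv  (real gcloud; no arg = sample)
    # then: bq load --source_format=CSV --autodetect <dataset>.iam_group_memberships memberships.csv
    org = sys.argv[1] if len(sys.argv) > 1 else None
    sys.stdout.write(memberships_csv(org) if org else memberships_csv("sample", sample_run))
```

Rows whose `member_type` is GROUP are nested groups; to resolve those to users you would recurse into them, or use the `--expand-groups` asset analyzer approach from the other answer.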
Reputation: 75695
You can only inspect the group assigned in Google Cloud. You can't get the data from groups not in Google Cloud.
You can use Asset IAM analyzer to get some data, but you can't do that at organization or folder level, you need to iterate per project, and perform a dedicated request for folder and organization level.
#For Organization
gcloud asset analyze-iam-policy --expand-groups \
--output-group-edges --organization=<ORGANIZATION_NUMBER> \
--show-response \
--full-resource-name="//cloudresourcemanager.googleapis.com/organizations/<ORGANIZATION_NUMBER>"
#For Folder
gcloud asset analyze-iam-policy --expand-groups \
--output-group-edges --organization=<ORGANIZATION_NUMBER> \
--show-response \
--full-resource-name="//cloudresourcemanager.googleapis.com/folders/<FOLDER_NUMBER>"
#For Project
gcloud asset analyze-iam-policy --expand-groups \
--output-group-edges --organization=<ORGANIZATION_NUMBER> \
--show-response \
--full-resource-name="//cloudresourcemanager.googleapis.com/projects/<PROJECT_ID>" \
--expand-resources
More detail here
Upvotes: 1