Question
In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud).
Is there a way to list, search, or find IAM policies across resources, services, or projects?
This is needed to answer questions like:
- What roles does a service account have?
- Which resources are shared publicly?
- Do policies contain deleted users?
- Does a user still appear in any policies after they leave my company?
- Does a user have a given role?
Answer 1:
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
To browse policies in a project with number 123 (note that only policies for the listed resource types are supported):
gcloud beta asset search-all-iam-policies --scope=projects/123
To find out who has the role Owner in an organization with number 456:
gcloud beta asset search-all-iam-policies --scope=organizations/456 --query="policy:roles/owner"
To find out which roles a service account has:
--query="policy:123-compute@developer.gserviceaccount.com"
To find out which resources are shared publicly:
--query="policy:(allUsers OR allAuthenticatedUsers)"
To find out whether policies contain deleted accounts:
--query="policy:deleted"
To find out whether amy@bar.com appears in any policy:
--query="policy:amy@bar.com"
To find out whether amy@bar.com has the role Owner:
--query="policy:(roles/owner amy@bar.com)"
To only look at IAM policies for a given resource type (e.g., projects):
--query="policy:roles/owner resource://cloudresourcemanager.googleapis.com/projects"
To find out whether any gmail account has the role Owner:
--query="policy:(roles/owner *gmail*)"
You can change the scope to a folder or a project.
To use the command, you must:
- Enable Cloud Asset API, and
- Have cloudasset.assets.searchAllIamPolicies permission upon the scope, which is included in these roles:
  - roles/cloudasset.viewer
  - roles/cloudasset.owner
  - roles/viewer
  - roles/editor
  - roles/owner
Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies
Supported resource types: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
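The queries above return one result per matching policy; answering the question list (who has a role, what is public, which members are deleted) still means walking the bindings in that output. The following is an added example, not part of the answer or of gcloud: it parses a constructed sample in the shape of `gcloud beta asset search-all-iam-policies --format=json` output (fields `resource`, `project`, `policy.bindings[].role`/`.members`) and answers each question from the bindings.

```python
import json

# Constructed sample shaped like search-all-iam-policies JSON output
# (resource names, project number and members are made up).
SAMPLE_RESULTS = json.loads("""[
  {"resource": "//cloudresourcemanager.googleapis.com/projects/123",
   "project": "projects/123",
   "policy": {"bindings": [
     {"role": "roles/owner", "members": ["user:amy@bar.com", "user:bob@gmail.com"]},
     {"role": "roles/viewer", "members": ["deleted:user:carl@bar.com?uid=111"]}]}},
  {"resource": "//storage.googleapis.com/projects/_/buckets/public-site",
   "project": "projects/123",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
  {"resource": "//storage.googleapis.com/projects/_/buckets/internal",
   "project": "projects/123",
   "policy": {"bindings": [
     {"role": "roles/storage.admin",
      "members": ["serviceAccount:123-compute@developer.gserviceaccount.com"]}]}}
]""")

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def bindings(results):
    """Flatten search results into (resource, role, member) triples."""
    for r in results:
        for b in r.get("policy", {}).get("bindings", []):
            for m in b.get("members", []):
                yield r["resource"], b["role"], m

def roles_for_member(results, member):
    """(resource, role) pairs granted to one principal, e.g. 'user:amy@bar.com'."""
    return sorted({(res, role) for res, role, m in bindings(results) if m == member})

def public_resources(results):
    """Resources with any binding to allUsers or allAuthenticatedUsers."""
    return sorted({res for res, _, m in bindings(results) if m in PUBLIC_PRINCIPALS})

def deleted_members(results):
    """Bindings that still reference a deleted principal (member prefix 'deleted:')."""
    return sorted({(res, m) for res, _, m in bindings(results) if m.startswith("deleted:")})

def members_with_role(results, role, domain=None):
    """Principals holding `role`; with `domain`, only those whose id ends in '@domain'."""
    return sorted({m for _, r, m in bindings(results)
                   if r == role and (domain is None or m.endswith("@" + domain))})
```

On real data, pipe `gcloud beta asset search-all-iam-policies --scope=projects/123 --format=json` into `json.load` and pass the list to the same functions.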
Source: https://stackoverflow.com/questions/60480678/how-to-list-find-or-search-iam-policies-across-services-apis-resource-types