2

There are several ways my user can get privileges in a Google Cloud Platform project: direct role and privilege assignment, acting as service accounts, and membership in different groups.

So given a GCP project, how can I list the active privileges for my user?

gogstad

2 Answers

4

Usually, in GCP, they are called "Permissions". For ease of use, those permissions are grouped in "Roles".

Each user can have different roles in your project. To get a full list of the accounts having each role in a project, you can use the Resource Manager API to get the IAM policies.

Long story short, make sure that gcurl is properly configured and just run the following command, filtering the output according to your needs:

curl -X POST \
  "https://cloudresourcemanager.googleapis.com/v1/projects/$(gcloud config get-value project):getIamPolicy" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  -d '{}'
Jofre
  • True, but it doesn't solve the original use case. Say I want to know if my user has `bigquery.table.update`. I may get that transitively through acting as some service account, and I may not know all the groups I'm a member of. I can't find a way to just list the permissions my user has. – gogstad Mar 21 '18 at 13:34
  • If you know the permission you want to check, you can call the testIamPermissions method of the same API. You'll have to enable the proper OAuth flow (three-legged OAuth) to call this endpoint as the end user. – Jofre Mar 21 '18 at 14:54
  • Easier still: `gcloud projects get-iam-policy MY_PROJECT` https://stackoverflow.com/a/44749561/1778702 – todd_dsm Jun 14 '20 at 01:52
1
gcloud projects get-iam-policy $PROJ \
  --flatten="bindings[].members" \
  --format='table(bindings.role)' \
  --filter="bindings.members:user:$USER"

USER is an email address (me@org.com); PROJ is a project ID like project-654321.

UPDATE: To search across all resources:

gcloud asset search-all-iam-policies --query=policy:$EMAIL
ushuz
gavenkoa
  • Your example will show IAM Role bindings at the **project** resource, but not at other resources. – John Hanley Jun 29 '22 at 18:59
  • I'm not aware of other resources. If something is billable I assume it is attached to a project; what kinds of resources are there besides those under the project? – gavenkoa Jun 30 '22 at 04:17
  • You are confusing resources that belong to projects and resources that support IAM bindings. Your command only shows IAM bindings for a project, not for individual resources. Cloud Run, KMS, Cloud Storage, etc also support IAM bindings. In other words, I can bind an IAM role to KMS yet the user has no IAM roles bound to the project. – John Hanley Jun 30 '22 at 04:30
  • Right! Like `gcloud organizations get-iam-policy $ORG` or `gcloud compute instances get-iam-policy $INST`. – gavenkoa Jun 30 '22 at 04:59
  • Correct. Those commands show the IAM bindings for those resource types. – John Hanley Jun 30 '22 at 05:01
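The `--filter="bindings.members:user:$USER"` in the answer above only matches bindings made directly to the user; a role granted through a group (the original question's concern), or to `allUsers`/`allAuthenticatedUsers`, is not shown. The Python below is an added example, not code from any answer on this page: it walks a constructed `getIamPolicy` response (the same JSON shape the `curl` and `gcloud` commands return) and resolves the roles a principal holds through a supplied list of known group memberships, flagging conditional bindings. It assumes the group list is already known, since neither command enumerates group membership, and it covers one resource's policy only.

```python
import json

# Constructed sample getIamPolicy response; not any real project's policy.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/viewer",
     "members": ["user:me@example.com", "group:devs@example.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["group:devs@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:me@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]},
    {"role": "roles/compute.admin",
     "members": ["group:devs@example.com"],
     "condition": {"title": "office-hours",
                   "expression": "request.time.getHours('UTC') < 18"}}
  ]
}
""")


def roles_for_principal(policy, member, groups=()):
    """Return {role: reason} for every binding in one IAM policy that grants
    `member` (e.g. "user:me@example.com") directly, through one of `groups`
    (e.g. "group:devs@example.com"), or through the public members.
    Conditional bindings are labelled so they are not read as unconditional.
    Only this resource's policy is examined: bindings on buckets, KMS keys,
    Cloud Run services etc. live in their own policies (see the comments)."""
    matches = {member, "allUsers", "allAuthenticatedUsers"} | set(groups)
    found = {}
    for binding in policy.get("bindings", []):
        hit = matches.intersection(binding.get("members", []))
        if not hit:
            continue
        reason = "via " + ", ".join(sorted(hit))
        cond = binding.get("condition")
        if cond:
            reason += " (conditional: %s)" % cond.get("title", cond.get("expression"))
        found[binding["role"]] = reason
    return found


if __name__ == "__main__":
    for role, why in sorted(roles_for_principal(
            SAMPLE_POLICY, "user:me@example.com", ["group:devs@example.com"]).items()):
        print(role, why)
```

Feed it `gcloud projects get-iam-policy $PROJ --format=json` output and the groups you know you belong to; roles that appear only with `groups` set are exactly the ones the direct `--filter` misses.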