
GCP IAM: In IAM, permission to access a resource isn't granted directly to the end-user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource. Ref: https://cloud.google.com/iam/docs/overview

So basically, Access control for Google Cloud resources is managed by IAM policies. An IAM policy is attached to a resource.

With the Cloud Resource Manager API we can retrieve a policy and check the permissions assigned to a user, but it's resource-centric. Policies for organizations, folders, projects, etc. can be retrieved. Example: https://cloud.google.com/resource-manager/reference/rest/v1/organizations/getIamPolicy

Cloud Asset Inventory: Has an API to search all IAM policies. With the query parameter it has a filter for user, but it supports only a subset of the resources on which an IAM policy can be assigned. API: https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllIamPolicies

Question: Is there any way to fetch all the permissions granted to identity across all GCP resources instead of checking IAM Policy of each and every resource?

Basically looking for a consolidated view of all the permissions granted to an identity in GCP. The problem is that to understand the permissions assigned to a user on a single resource via the API, we have to fetch all the resource policies and check their bindings.

Prafull Pol
  • Developments are in progress for the asset inventory, especially to include Cloud Functions and Cloud Run. I don't know the timeline and the state for the other missing resource types. But it's the tool for the future – guillaume blaquiere Oct 19 '20 at 11:50

1 Answer


As of now there is not a gcloud or API call that can be used to check the permissions granted to a particular resource (such as user, service account, etc.) easily, as explained in your question. As you are already aware, you could use the relevant gcloud command to search for the specific roles assigned at each distinct resource, e.g.:

gcloud asset search-all-iam-policies --scope='projects/[YOUR-PROJECT-ID]' --query='policy:[YOUR-USERNAME]@[YOUR-DOMAIN]'

Resulting in e.g.:

---
policy:
  bindings:
  - members:
    - projectOwner:[PROJECT-ID]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/bigquery.dataOwner
project: projects/[PROJECT-NUMBER]
resource: //bigquery.googleapis.com/projects/[PROJECT-ID]/datasets/[DATASET-NAME]
---
policy:
  bindings:
  - members:
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: projects/[PROJECT-ID]/roles/[CUSTOM-ROLE-NAME]
  - members:
    - user:[ANOTHER-USERNAME]@[YOUR-DOMAIN]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/owner
project: projects/[PROJECT-NUMBER]

And from these responses, parse the role: fields assigned at each resource to see which permissions are assigned to that specific role using the relevant gcloud command:

gcloud iam roles describe [CHANGE-FOR-ROLE-(e.g. roles/owner)] --project=[PROJECT-ID]

and check the output corresponding to the includedPermissions: fields.

I will therefore recommend you to star and follow this Feature Request on GCP's Public Issue Tracker to check the feasibility (or not) of this issue to be implemented in the future.

Daniel Ocando
  • Thanks @DanielOcando. So as of now there is no API for permissions. Could you please help in understanding **if there is any API that can be used to check all the roles assigned to a user** – Prafull Pol Oct 20 '20 at 08:12
  • If you'd like to check the roles assigned to an user you could use `gcloud asset search-all-iam-policies` as explained on the answer and filter to get only the `role:` fields by piping the result and using awk or grep, or you could use the `gcloud projects get-iam-policy ` command and change the --filter flag with the specific user in question: `--filter="bindings.members:[CHANGE- FOR-YOUR-USER e.g you@your-domain.com]"` as explained on this [post](https://stackoverflow.com/questions/47006062/how-do-i-list-the-roles-associated-with-a-gcp-service-account) shared within the community. – Daniel Ocando Oct 20 '20 at 12:57
  • The limitation with gcloud asset search-all-iam-policies - “Note: You can only search IAM policies that are set on the searchable resource types.” How do we fetch and apply a filter for identities on the resources which are not 'searchable resource types'? Ref: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types – Prafull Pol Oct 21 '20 at 07:23
  • I see what you mean, as the IAM policy should be tied to a searchable resource (i.e. project, organization, etc.). As of now, I believe this is not a possibility. So please monitor the [Feature Request](https://issuetracker.google.com/110362479) shared in order to see if it can possibly be implemented. – Daniel Ocando Oct 21 '20 at 10:16
  • Thanks, @DanielOcando. Your explanation has helped us to get a clear understanding – Prafull Pol Oct 22 '20 at 06:01
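The two-step procedure in the answer (search the IAM policies for a member, then expand each bound role into its includedPermissions) can be joined into one consolidated view per identity. The following is an added example, not code from the answer or from Google; it assumes both gcloud commands were run with --format=json, and the embedded search results and role descriptions are constructed samples that mirror the YAML shown above (the permission lists are deliberately abbreviated). It is subject to the same limitation raised in the comments: only policies on searchable asset types appear in the search output.

```python
import json

# Constructed sample of `gcloud asset search-all-iam-policies ... --format=json`.
# In practice: SEARCH_RESULTS = json.load(open("search.json"))
SEARCH_RESULTS = json.loads("""[
  {"resource": "//bigquery.googleapis.com/projects/my-proj/datasets/sales",
   "project": "projects/123456",
   "policy": {"bindings": [
     {"role": "roles/bigquery.dataOwner",
      "members": ["projectOwner:my-proj", "user:alice@example.com"]}]}},
  {"resource": "//cloudresourcemanager.googleapis.com/projects/my-proj",
   "project": "projects/123456",
   "policy": {"bindings": [
     {"role": "projects/my-proj/roles/customDeployer",
      "members": ["user:alice@example.com"]},
     {"role": "roles/owner",
      "members": ["user:bob@example.com", "user:alice@example.com"]}]}}
]""")

# Constructed, abbreviated samples of `gcloud iam roles describe ROLE --format=json`,
# keyed by role name (real predefined roles carry far more permissions).
ROLE_DESCRIPTIONS = {
    "roles/bigquery.dataOwner": {"includedPermissions": [
        "bigquery.datasets.get", "bigquery.tables.delete"]},
    "projects/my-proj/roles/customDeployer": {"includedPermissions": [
        "run.services.create"]},
    "roles/owner": {"includedPermissions": [
        "resourcemanager.projects.delete", "bigquery.datasets.get"]},
}


def roles_for_member(search_results, member):
    """Map each resource to the set of roles directly bound to `member` on it."""
    bound = {}
    for item in search_results:
        for binding in item["policy"].get("bindings", []):
            if member in binding["members"]:
                bound.setdefault(item["resource"], set()).add(binding["role"])
    return bound


def consolidated_permissions(search_results, role_descriptions, member):
    """Expand every role bound to `member` into permissions, per resource."""
    view = {}
    for resource, roles in roles_for_member(search_results, member).items():
        perms = set()
        for role in roles:  # a role missing here means it was never described
            perms.update(role_descriptions[role]["includedPermissions"])
        view[resource] = perms
    return view
```

Convenience members such as projectOwner:[PROJECT-ID] are matched only literally, so a user who holds a role through such a member is not attributed that role by this code.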