Find all users on GCP with their roles and permissions (also the ones with only access at the dataset level)

Question

I know I can list all users and their roles at the project level using:
gcloud projects get-iam-policy <project-id>
or gcloud projects get-ancestors-iam-policy <project-id>

See also:
How do I list all IAM users for my Google Cloud Project

But some permissions / roles can be set at the dataset or table level.
These users do not appear when i use: gcloud projects get-iam-policy <project-id>

How can I see ALL users and their roles/permissions, also the ones that only have access to a specific dataset and nothing else.

Also helpful: https://stackoverflow.com/questions/44746358/how-do-i-list-all-iam-users-for-my-google-cloud-project — Sander van den Oord, Oct 12 '22 at 08:11

score 1 · Answer 1 · answered Oct 12 '22 at 08:10

This is a helpful answer:
How to list all permissions granted to a specific principal on GCP?

After enabling the Cloud Asset API, you can do:
gcloud asset search-all-iam-policies --scope=projects/<project> --query="policy:<email>"

This shows for every asset / resource the policy and bindings, example:

assetType: bigquery.googleapis.com/Table
policy:
  bindings:
  - members:
    - user:your_user_email
    role: roles/bigquery.dataViewer
project: projects/7109387143
resource: //bigquery.googleapis.com/projects/your_project/datasets/dataset_name/tables/table_name

Documentation can be found here:
https://cloud.google.com/sdk/gcloud/reference/asset/search-all-iam-policies

Find all users on GCP with their roles and permissions (also the ones with only access at the dataset level)

1 Answers1