
Is it possible to get a list of all permissions that have been granted (specifically or transitively) to a user or GCP service account, ideally filtered by resource, through gcloud or the web UI?

Maxim
Andreas Jansson

3 Answers

If I understood your question correctly, you can see them in the "IAM & admin" console. In the "IAM" tab:

  • With "View by: MEMBERS" option, you would be able to see a list of all members (users and service accounts) and the roles granted to them.
  • In "View by: ROLES" there is a list of all roles and (if expanded) all users/service accounts that have that role.

In case you want to know more about those roles, in the "Roles" tab (inside "IAM & admin"), you can click on them and see exactly what permissions each one has.

Currently there is no gcloud command for listing all granted permissions as shown here, so I filed a public Feature Request on your behalf. Lastly, this is documentation for the gcloud iam commands.

If you feel like learning more about IAM, here are the overview and documentation for the product.

Iñigo
    Thank you, what I'm looking for is a list of permissions that one specific user/service account has been granted. From what I can see, the IAM & admin page doesn't list transitive grants. E.g. if I'm a member of group1, I can see the grants to group1, but I can't search by my own username and see those grants. Also, I'm not able to see grants in other projects if I don't have resourcemanager.projects.getIamPolicy on that project. Basically I'd like something like https://cloud.google.com/iam/docs/testing-permissions that tests all possible permissions, if possible through gcloud. – Andreas Jansson Oct 23 '18 at 20:32
    Currently that's not possible, so I filed a [Feature Request](https://issuetracker.google.com/issues/118365351) on your behalf. You can follow updates there. I edited my answer for it to be clearer. – Iñigo Oct 24 '18 at 10:41
  • thank you! marking this as the answer for now, will update if/when this feature becomes available. – Andreas Jansson Oct 24 '18 at 19:17
  • No prob at all! If you feel there's something I forgot or something you wanna add, feel free to add a comment in the FR. – Iñigo Oct 24 '18 at 19:57
  • Has anyone figured it out yet? @Iñigo, I am also trying to find out how to list permissions for a user/group/service account and to what all projects? – peacefulmember Jul 29 '21 at 17:48
  • Thanks @Iñigo! The proper fix has been linked in your Feature Request and thanks to it I wrote my answer below - https://stackoverflow.com/a/70034341/2693875 . – Greg Dubicki Nov 19 '21 at 11:46

You can use Policy Analyzer feature of the Cloud Asset Inventory.

Under the web UI there is a query template called "What access does my employee (or terminated employee) have?" that seems to fit your needs exactly.

See the official "Analyzing IAM policies" docs for more info.

Greg Dubicki

You can use Asset Search to find all the roles (not permissions) a user is granted directly (not transitively) upon various resources within a given scope (i.e., an organization, folder, or project).

This allows you to search across projects and resources. However, you must have the cloudasset.assets.searchAllIamPolicies permission upon the scope.

Here is a sample command:

gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:foo@bar.com" | egrep "role:|resource:"

Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies

Supported resource types: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types

More details: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

Circy