4

I would like to use the gcloud CLI to create a table of all users in Google IAM groups in our organization, and output to a BQ table.

I know it involves "gcloud identity groups memberships list" but am not clear on how to iterate through the groups and generate the output as CSV.

I have already found a method to iterate through the projects and get the IAM bindings for each (https://rajathithanrajasekar.medium.com/google-cloud-iam-users-extraction-across-all-projects-in-a-gcp-org-2fbe66ddc045), so I only need group membership info, not policy/binding info.

Update to clarify: Our users are assigned to IAM groups at the Org level (https://console.cloud.google.com/iam-admin/groups). I am looking to generate a list in BigQuery of these memberships, so that we don't have to hunt through them looking for where a user might be found.

The team managing permissions does not have Google Workspace admin to see group membership by user, so we are looking for a way to provide this information.

mgoya
sophomorecles
    Rephrasing. I would like to use the CLI to generate a list of all the members of all the groups in our organization. – sophomorecles Aug 13 '21 at 18:10
  • There's `gcloud identity groups memberships list` command, but you need a project ID (not an organization number), but as far as I can tell none of the projects have access since it's an org-level resource. – weberc2 Feb 07 '23 at 15:30

2 Answers

2

Looks like we can now search groups using a beta command:

gcloud beta identity groups search --organization="<org_id>"  \
  --labels="cloudidentity.googleapis.com/groups.discussion_forum"

And there is a whole slew of commands for group membership.

Cedric Meury
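Putting the two commands from this answer together, the following is an added example (not code from the question or from either answer) of the full pipeline the question asks for: search the organization's groups, list each group's memberships, flatten the result into one row per (group, member), and write a CSV that `bq load` accepts. It assumes the Cloud Identity API is enabled on the project gcloud uses as its quota project (the point raised in the comment above about needing a project) and that the caller is allowed to read group memberships; as I understand the `--organization` flag of `gcloud identity groups search`, it takes the Workspace customer ID or domain name rather than the numeric organization ID. Nested groups are expanded transitively with a cycle guard, since a user who only belongs to a sub-group is exactly the case that is hard to find by hand. The `SAMPLE` data is constructed, trimmed to the fields the script reads, so the flattening can be run without API access.

```python
"""Enumerate every Google group in an organization with its members and emit
one CSV for `bq load`. Added example, not code from the question or answers;
assumes the Cloud Identity API is enabled on gcloud's quota project and the
caller may read group memberships."""
import csv
import io
import json
import subprocess
import sys
from typing import Dict, Iterator, List, Set

# Label selecting ordinary Google Groups (same label as the search above).
DISCUSSION_FORUM = "cloudidentity.googleapis.com/groups.discussion_forum"
FIELDS = ["group", "member", "member_type", "roles", "via"]

def run_gcloud(args: List[str]) -> list:
    """Run a gcloud command with --format=json and return the parsed output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")

def list_group_emails(organization: str) -> List[str]:
    """Addresses of all groups in the organization (customer ID or domain)."""
    groups = run_gcloud(["identity", "groups", "search",
                         f"--organization={organization}",
                         f"--labels={DISCUSSION_FORUM}"])
    return sorted(g["groupKey"]["id"] for g in groups)

def list_memberships(group_email: str) -> list:
    """Raw Membership resources of one group (preferredMemberKey, roles, type)."""
    return run_gcloud(["identity", "groups", "memberships", "list",
                       f"--group-email={group_email}"])

def membership_rows(memberships_by_group: Dict[str, list]) -> Iterator[dict]:
    """Flatten raw memberships into one row per (group, member).

    Nested groups are expanded transitively, so a user who only sits in a
    sub-group is still reported under the parent, with `via` holding the chain
    of sub-groups; `seen` stops membership cycles (A in B, B in A). `roles` are
    the member's roles in the group it was found in, not in the parent."""
    def walk(top: str, group: str, path: List[str], seen: Set[str]):
        for m in memberships_by_group.get(group, []):
            member = m["preferredMemberKey"]["id"]
            roles = ";".join(sorted(r["name"] for r in m.get("roles", [])))
            yield {"group": top, "member": member,
                   "member_type": m.get("type", ""), "roles": roles,
                   "via": ">".join(path)}
            # Recurse only into groups we fetched, and never twice on one path.
            if member in memberships_by_group and member not in seen:
                yield from walk(top, member, path + [member], seen | {member})
    for group in sorted(memberships_by_group):
        yield from walk(group, group, [], {group})

def rows_to_csv(rows: Iterator[dict]) -> str:
    """Render rows as CSV with a header line (skipped by bq load below)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample of what the two gcloud commands return, trimmed to the
# fields used here, so the flattening can be exercised without API access.
SAMPLE = {
    "admins@example.com": [
        {"preferredMemberKey": {"id": "alice@example.com"}, "type": "USER",
         "roles": [{"name": "OWNER"}, {"name": "MEMBER"}]},
        {"preferredMemberKey": {"id": "devs@example.com"}, "type": "GROUP",
         "roles": [{"name": "MEMBER"}]},
    ],
    "devs@example.com": [
        {"preferredMemberKey": {"id": "bob@example.com"}, "type": "USER",
         "roles": [{"name": "MEMBER"}]},
        {"preferredMemberKey": {"id": "admins@example.com"}, "type": "GROUP",
         "roles": [{"name": "MEMBER"}]},  # cycle: admins <-> devs
    ],
}

def main(organization: str, out_path: str) -> int:
    """Fetch everything, write the CSV, and return the number of data rows."""
    by_group = {g: list_memberships(g) for g in list_group_emails(organization)}
    text = rows_to_csv(membership_rows(by_group))
    with open(out_path, "w", newline="") as fh:
        fh.write(text)
    print(f"load with: bq load --source_format=CSV --skip_leading_rows=1 "
          f"--autodetect <dataset>.group_memberships {out_path}")
    return text.count("\n") - 1

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "group_memberships.csv")
```

Run it as `python3 dump_groups.py C01234567 group_memberships.csv` (customer ID or domain as the first argument), then load the file with the printed `bq load` line. The `via` column is empty for direct members and holds the sub-group chain otherwise, so a query such as `WHERE member = 'alice@example.com'` answers the "where is this user found" question directly, including indirect membership.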
1

You can only inspect the groups assigned in Google Cloud. You can't get the data from groups not in Google Cloud.

You can use the Asset IAM analyzer to get some data, but you can't do that at organization or folder level; you need to iterate per project, and perform dedicated requests for folder and organization level.

#For Organization
gcloud asset analyze-iam-policy --expand-groups \
  --output-group-edges --organization=<ORGANIZATION_NUMBER> \
  --show-response \
  --full-resource-name="//cloudresourcemanager.googleapis.com/organizations/<ORGANIZATION_NUMBER>"

#For Folder
gcloud asset analyze-iam-policy --expand-groups \
  --output-group-edges --organization=<ORGANIZATION_NUMBER> \
  --show-response \
  --full-resource-name="//cloudresourcemanager.googleapis.com/folders/<FOLDER_NUMBER>"

#For Project
gcloud asset analyze-iam-policy --expand-groups \
  --output-group-edges --organization=<ORGANIZATION_NUMBER> \
  --show-response \
  --full-resource-name="//cloudresourcemanager.googleapis.com/projects/<PROJECT_ID>" \
  --expand-resources                

More detail here

guillaume blaquiere
  • To clarify, I have the bindings/policy information. I am specifically looking for a list of members of every IAM group at the org level. – sophomorecles Aug 13 '21 at 18:14
  • For that, you can use my first link. You have the IAM policy binding, but with the expand group option you also view the content of each group. Forget the binding part, get only the group content description! – guillaume blaquiere Aug 14 '21 at 08:10
  • Will test this later this week with someone who has the access. This looks promising. – sophomorecles Aug 16 '21 at 20:12
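Following the suggestion in the comments above to ignore the binding part and keep only the group contents, here is an added example (not code from the answer or the page) that reads the JSON of `gcloud asset analyze-iam-policy ... --expand-groups --output-group-edges --show-response --format=json` and extracts the group-to-member edges as rows. The field path it walks, `mainAnalysis.analysisResults[].identityList.groupEdges[]` with `sourceNode`/`targetNode`, is the AnalyzeIamPolicy response shape as I understand it; `SAMPLE_RESPONSE` is a constructed, trimmed response. One caveat a practitioner should keep in mind: the analyzer only expands groups that appear in some IAM binding within the analyzed scope, so a group with no binding there never shows up in this output, which is the main difference from listing memberships through the Cloud Identity API.

```python
"""Pull group -> member edges out of `gcloud asset analyze-iam-policy
--expand-groups --output-group-edges --show-response --format=json` output,
ignoring the bindings themselves. Added example, not from the page; the
field names are the AnalyzeIamPolicy response shape as I understand it."""
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed, trimmed response. The devs -> bob edge appears under two
# bindings on purpose: edges repeat per binding, so they are collected in sets.
SAMPLE_RESPONSE = json.dumps({"mainAnalysis": {"analysisResults": [
    {"iamBinding": {"role": "roles/viewer",
                    "members": ["group:admins@example.com"]},
     "identityList": {"groupEdges": [
         {"sourceNode": "group:admins@example.com",
          "targetNode": "user:alice@example.com"},
         {"sourceNode": "group:admins@example.com",
          "targetNode": "group:devs@example.com"},
         {"sourceNode": "group:devs@example.com",
          "targetNode": "user:bob@example.com"}]}},
    {"iamBinding": {"role": "roles/editor",
                    "members": ["group:devs@example.com"]},
     "identityList": {"groupEdges": [
         {"sourceNode": "group:devs@example.com",
          "targetNode": "user:bob@example.com"}]}},
]}})

def group_edges(response_json: str) -> Dict[str, Set[str]]:
    """Direct members of every group the analyzer expanded, keyed by group.

    Only groups that occur in some binding within the analyzed scope are
    present; a group with no binding there is invisible to this method.
    Results without an identityList or groupEdges are skipped."""
    resp = json.loads(response_json)
    members: Dict[str, Set[str]] = {}
    for result in resp.get("mainAnalysis", {}).get("analysisResults", []):
        for edge in result.get("identityList", {}).get("groupEdges", []):
            members.setdefault(edge["sourceNode"], set()).add(edge["targetNode"])
    return members

def edge_rows(members: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(group, member, member_kind) rows with the 'group:'/'user:' prefixes
    split off into the kind column, sorted for a stable CSV."""
    rows = []
    for group, targets in members.items():
        for target in targets:
            kind, _, ident = target.partition(":")
            rows.append((group.partition(":")[2], ident, kind))
    return sorted(rows)

if __name__ == "__main__":
    # gcloud asset analyze-iam-policy ... --show-response --format=json \
    #     | python3 group_edges.py > group_edges.csv
    print("group,member,member_kind")
    for row in edge_rows(group_edges(sys.stdin.read())):
        print(",".join(row))
```

Run one analyzer call per organization, folder and project as the answer shows, pipe each through this script, and load the concatenated output with `bq load --source_format=CSV --skip_leading_rows=1 --autodetect`. Nested groups appear as rows whose `member_kind` is `group`, so a transitive view can be built in BigQuery by joining the table to itself on `member = group`.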