
I have a GSA: my-gsa@myproject.iam.gserviceaccount.com

GCP has supported groups for a while now so I added that GSA to a bunch of groups.

How can I easily see what groups that GSA belongs to?

If this were a Google user account I could go to the G Suite console and view the user's group membership. This is a GSA though and it does not appear in the G Suite console like that.

Ideally I could see this in some web console page or with gcloud. This gcloud command will show me the members of a group: https://cloud.google.com/sdk/gcloud/reference/beta/identity/groups/memberships/list. How do I do the inverse of that, again for a GSA not a google user account?

EDIT

Not a solution but a script to search all groups. Still think there has to be an API call to get this as a single step. The groups.memberships.searchTransitiveGroups() method I think is only for seeing nested group memberships.

```bash
GSA_TO_SEARCH=my-gsa@myproject.iam.gserviceaccount.com
PROJECT_ID=projectname # This can be any project in the org
# get-ancestors prints an "ID TYPE" table; take the ID of the organization row
ORG_ID="$(gcloud projects get-ancestors "$PROJECT_ID" | awk '$2=="organization"{print $1}')"
# I don't think this label includes GCP security groups just G Suite email groups
# (not named GROUPS: bash ignores assignments to that special variable)
GROUP_JSON="$(gcloud beta identity groups search --organization="$ORG_ID" --labels='cloudidentity.googleapis.com/groups.discussion_forum' --format='json')"
# -r strips the JSON quotes so each line is a bare group email
GROUP_EMAILS="$(echo "$GROUP_JSON" | jq -r '.groups[] | .groupKey.id')"
# Quoted so the newlines survive; one gcloud call per group
echo "$GROUP_EMAILS" | while read -r GROUP_EMAIL; do
    echo "$GROUP_EMAIL"
    gcloud beta identity groups memberships list --group-email="$GROUP_EMAIL" --format=json | \
        jq --arg gsa "$GSA_TO_SEARCH" '.[] | select(.memberKey.id==$gsa).memberKey.id'
done
```
red888
    Is your question limited to a project or every resource in Google Cloud? For the first case, list the project's IAM binding and then process each group listed. For the second case, you would have to check each resource. For an organization, you might be able to use **gcloud beta asset search-all-iam-policies** and specify **--query='policy=GROUP_EMAIL_ADDRESS'** and then process the results. https://cloud.google.com/sdk/gcloud/reference/beta/asset/search-all-iam-policies – John Hanley Dec 08 '21 at 20:14
  • This doesn't even concern GCP resources or bindings. Groups are org level. I want to find all groups a GSA is a member of, obviously without manually listing the membership of ALL groups and checking each one for the user. It is possible to view group membership for a user through the G Suite console but that's only for Google users not GSAs that are created in GCP. – red888 Dec 08 '21 at 20:23
  • I am not aware of a method to list groups that a service account is a member of. As easy as that sounds, it is not. That is why I posted a comment instead of an answer. – John Hanley Dec 08 '21 at 20:41
  • Check this [guide](https://cloud.google.com/identity/docs/how-to/query-memberships). To find all of the groups that a member belongs to, call [groups.memberships.searchTransitiveGroups()](https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/searchTransitiveGroups) with the member key (for example, the email address of the member). – rriovall Dec 08 '21 at 20:54
  • Does gcloud not support this yet? – red888 Dec 08 '21 at 20:55
  • I couldn't find a gcloud command for that, however as adding service accounts to groups is [not a best practice](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts#groups) it may not get supported at all. – rriovall Dec 08 '21 at 21:45
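The single-step lookup rriovall points to, as an added example that is not part of the question or any comment: it calls `groups/-/memberships:searchTransitiveGroups` on the Cloud Identity v1 REST API with the service account's email as the member key, follows `nextPageToken`, and reports each group's `relationType` (DIRECT, INDIRECT via a nested group, or DIRECT_AND_INDIRECT), so direct memberships are covered, not only nested ones. Reviewing this list is the quick way to see what access a GSA inherits through groups. Assumptions: the active gcloud account holds a role that can read group memberships in the organization (the script reads its token via `gcloud auth print-access-token`), and the two-page response used when no argument is given is constructed here, modelled on the documented GroupRelation shape, so the paging and filtering logic runs offline.

```python
"""List the groups a Google service account belongs to via searchTransitiveGroups."""
import json
import subprocess
import urllib.parse
import urllib.request
from typing import Optional

API = "https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchTransitiveGroups"
# The label carried by Google Groups / Workspace email groups (same label as the
# question's script); the endpoint requires a member spec AND at least one label.
DISCUSSION_FORUM = "cloudidentity.googleapis.com/groups.discussion_forum"


def build_query(member_email: str, label: str = DISCUSSION_FORUM) -> str:
    """CEL query in the form the API documents: member_key_id == '...' && '<label>' in labels."""
    if "'" in member_email or "\\" in member_email:
        raise ValueError("unexpected quote character in member key")
    return f"member_key_id == '{member_email}' && '{label}' in labels"


def build_url(member_email: str, page_token: Optional[str] = None, page_size: int = 100) -> str:
    params = {"query": build_query(member_email), "pageSize": str(page_size)}
    if page_token:
        params["pageToken"] = page_token
    return f"{API}?{urllib.parse.urlencode(params)}"


def gcloud_access_token() -> str:
    """Bearer token of the active gcloud account (assumed to be allowed to read memberships)."""
    out = subprocess.run(["gcloud", "auth", "print-access-token"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def http_fetch(url: str) -> dict:
    """Fetch one page from the real API."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {gcloud_access_token()}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def groups_of(member_email: str, fetch=http_fetch, direct_only: bool = False) -> list:
    """One record per group, across all pages; direct_only drops INDIRECT relations."""
    found, token = [], None
    while True:
        page = fetch(build_url(member_email, token))
        for m in page.get("memberships", []):
            rel = m.get("relationType", "")
            if direct_only and rel == "INDIRECT":
                continue
            found.append({
                "group_email": m["groupKey"]["id"],
                "group": m.get("group", ""),
                "relation": rel,
                "roles": [r["role"] for r in m.get("roles", [])],
            })
        token = page.get("nextPageToken")
        if not token:
            return found


# Constructed sample: two pages in the GroupRelation shape, for offline runs.
_SAMPLE_PAGES = {
    None: {"memberships": [
        {"group": "groups/01abc", "groupKey": {"id": "gke-admins@example.com"},
         "relationType": "DIRECT", "roles": [{"role": "MEMBER"}]},
        {"group": "groups/02def", "groupKey": {"id": "all-engineering@example.com"},
         "relationType": "INDIRECT", "roles": [{"role": "MEMBER"}]},
    ], "nextPageToken": "p2"},
    "p2": {"memberships": [
        {"group": "groups/03ghi", "groupKey": {"id": "billing-viewers@example.com"},
         "relationType": "DIRECT_AND_INDIRECT", "roles": [{"role": "MEMBER"}, {"role": "OWNER"}]},
    ]},
}


def sample_fetch(url: str) -> dict:
    """Stand-in for http_fetch that serves the constructed pages by pageToken."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return _SAMPLE_PAGES[qs.get("pageToken", [None])[0]]


if __name__ == "__main__":
    import sys
    # With an email argument the real API is queried; without one the sample pages are used.
    gsa = sys.argv[1] if len(sys.argv) > 1 else "my-gsa@myproject.iam.gserviceaccount.com"
    fetch = http_fetch if len(sys.argv) > 1 else sample_fetch
    for g in groups_of(gsa, fetch=fetch):
        print(f"{g['group_email']:40} {g['relation']:20} {','.join(g['roles'])}")
```

Run it as `python3 find_groups.py my-gsa@myproject.iam.gserviceaccount.com` to query the organization; the `fetch` parameter exists so the paging logic can be exercised against canned pages without network or credentials.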

0 Answers