
As stated in the question. I know that within the GCP cloud identity API and CLI tool I can pull the list of members of a group with the following command.

gcloud identity groups memberships list --project=mygcpproject \
    --group-email="principal@mycompany.com" --format="csv(preferredMemberKey)"

For some groups I get a return result. For others it says that group does not exist. What it really means is that I do not have rights to see inside that group. Because I know for a fact the group exists, I can see it when I run the command to show all principals within a project using:

gcloud projects get-iam-policy mygcpproject

The question is what specific IAM or groups policy do I request to have rights to see inside all the groups within my organization. All GCP examples assume that you have admin rights to everything with no real documentation anywhere that specifies least privilege required to use a specific command.

My own IAM team says: "We don't know what you need, that's a Google Groups thing; figure it out and ask for it, and then we can research and grant." As group membership is somewhat separate from IAM principals, but a group can act as a principal, I'm somewhat stuck.

RThomas
  • I saw this remains unanswered and thought I'd try to help. In truth, I'm unfamiliar with Cloud Identity but, if I understand correctly, the Groups part of Cloud Identity is actually controlled by Google Workspace and not by (Cloud) IAM. I suspect you will need to work with your Google Workspace admins and have them ensure that you're an owner|member of all your organizational groups. – DazWilkin Jan 09 '22 at 18:47
  • Per https://cloud.google.com/architecture/identity it may or may not be workspace. There are a ton of moving parts. Frustrating. – RThomas Jan 10 '22 at 17:31
  • @RThomas did you ever discover anything here? – nicstella Aug 23 '22 at 05:38
  • Sorry, not really. I was essentially told by Google that I'd have to be the Groups Admin in order to see membership of individual groups. Either that or a member of every single group in the organization. There are other ways to audit individuals to find out what IAM access they have, but that doesn't necessarily identify what group they have that access through. Though you might be able to figure it out, nothing straightforward is currently available. – RThomas Oct 25 '22 at 20:27
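The procedure the question describes by hand (pull the group principals from the project's IAM policy, then try to list each group's membership) can be scripted so that you get a single report of which groups you can read and which ones need rights requested. This is an added example, not code from the question or from Google; it assumes gcloud is installed and authenticated, uses the `--format=json` output of the two commands above, and treats the "does not exist" error text the question mentions as the signal for a group you lack rights to read.

```python
"""Audit which of a project's group principals you can actually enumerate.
Assumptions (not from the question): gcloud is installed and authenticated,
and "does not exist" is the error text gcloud prints for unreadable groups.
"""
import json
import subprocess
import sys


def group_emails_from_policy(policy_json: str) -> list[str]:
    """Extract unique group e-mails ('group:' members) from get-iam-policy JSON."""
    groups = set()
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("group:"):
                groups.add(member[len("group:"):])
    return sorted(groups)


def classify_listing(returncode: int, stderr: str) -> str:
    """Map a memberships-list outcome to: visible | likely-no-rights | error."""
    if returncode == 0:
        return "visible"
    text = stderr.lower()
    # Per the question, 'does not exist' is what you get for groups you cannot read;
    # matching 'permission' as well is an assumption about other gcloud error texts.
    if "does not exist" in text or "permission" in text:
        return "likely-no-rights"
    return "error"


def run_gcloud(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["gcloud", *args], capture_output=True, text=True)


def audit_project(project: str) -> dict[str, str]:
    """For every group principal in the project's IAM policy, record whether you can list it."""
    policy = run_gcloud("projects", "get-iam-policy", project, "--format=json")
    policy.check_returncode()
    report = {}
    for email in group_emails_from_policy(policy.stdout):
        result = run_gcloud("identity", "groups", "memberships", "list",
                            f"--group-email={email}", "--format=json")
        report[email] = classify_listing(result.returncode, result.stderr)
    return report


if __name__ == "__main__":
    for email, status in audit_project(sys.argv[1]).items():
        print(f"{status:17} {email}")
```

Run it as `python audit_groups.py mygcpproject`; the `likely-no-rights` rows are the concrete list of groups to hand to your IAM or Workspace admins.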
