Is it possible to get a list of all permissions that have been granted (specifically or transitively) to a user or GCP service account, ideally filtered by resource, through gcloud or the web UI?
If I understood your question correctly, you can see them in the "IAM & admin" console. In the "IAM" tab:
In case you want to know more about those roles, in the "Roles" tab (inside "IAM & admin"), you can click on them and see exactly what permissions each one has.
Currently there is no gcloud command for listing all granted permissions as shown here, so I filed a public Feature Request on your behalf. Lastly, this is documentation for the gcloud iam commands.
If you feel like learning more about IAM, this is the overview and documentation for the product.
You can use Asset Search to find all the roles (not permissions) a user is granted directly (not transitively) upon various resources within a given scope (i.e., an organization, folder, or project).
This allows you to search across projects and resources. However, you must have the cloudasset.assets.searchAllIamPolicies permission upon the scope.
Here is a sample command:
gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:[email protected]" | egrep "role:|resource:"
Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies
Supported resource types: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
More details: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
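An added example (not from the answer above, and not Google's own code) that post-processes what the search command returns: it parses output shaped like `gcloud asset search-all-iam-policies --format=json`, keeps only bindings that name the principal directly, and expands roles to permissions using a map of the kind `gcloud iam roles describe ROLE --format=json` gives under `includedPermissions`. The sample results, principals and role map are constructed; group membership and inherited bindings are deliberately not expanded, matching the direct-only, roles-not-permissions limitation described above.

```python
from collections import defaultdict
# Constructed sample shaped like `gcloud asset search-all-iam-policies --format=json`:
# one result per resource whose IAM policy matched the query.
SAMPLE_RESULTS = [
    {"resource": "//cloudresourcemanager.googleapis.com/projects/demo-proj",
     "policy": {"bindings": [
         {"role": "roles/viewer",
          "members": ["user:alice@example.com", "group:devs@example.com"]},
         {"role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"],
          "condition": {"title": "weekdays",
                        "expression": "request.time.getDayOfWeek('UTC') < 6"}}]}},
    {"resource": "//storage.googleapis.com/projects/_/buckets/demo-bucket",
     "policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]}]}},
]

# Constructed role -> permissions map, the shape `gcloud iam roles describe ROLE
# --format=json` returns under "includedPermissions" (roles/viewer left out on purpose).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": ["storage.objects.get", "storage.objects.list"],
    "roles/storage.objectAdmin": ["storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"],
}

def direct_bindings(results, member):
    """(resource, role, is_conditional) for each binding naming `member` directly.
    Group membership and bindings inherited from ancestors are not expanded: the
    same roles-not-permissions, direct-not-transitive limit the answer describes."""
    return [(r["resource"], b["role"], "condition" in b)
            for r in results
            for b in r.get("policy", {}).get("bindings", [])
            if member in b.get("members", [])]

def permissions_by_resource(results, member, role_perms, resource_filter=None):
    """Flatten direct bindings into {resource: sorted permissions}. Conditional grants
    are tagged, and roles missing from role_perms surface as an '<unresolved ...>'
    entry rather than being silently dropped."""
    perms = defaultdict(set)
    for resource, role, conditional in direct_bindings(results, member):
        if resource_filter and resource_filter not in resource:
            continue
        tag = " (conditional)" if conditional else ""
        for p in role_perms.get(role, [f"<unresolved {role}>"]):
            perms[resource].add(p + tag)
    return {res: sorted(ps) for res, ps in perms.items()}

if __name__ == "__main__":
    for res, ps in permissions_by_resource(SAMPLE_RESULTS, "user:alice@example.com",
                                           ROLE_PERMISSIONS).items():
        print(res, *ps, sep="\n  ")
```

A principal that only holds access through a group (bob in the sample) comes back empty, which is exactly the gap the answer warns about; feed the real command's JSON in place of SAMPLE_RESULTS to run it against a live scope.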
You can use the Policy Analyzer feature of the Cloud Asset Inventory.
Under the web UI there is a query template called "What access does my employee (or terminated employee) have?" that seems to fit your needs exactly.
See the official "Analyzing IAM policies" docs for more info.