Low Priority GCP Feature Request: Generate a custom snapshot with users/service accounts with all assigned roles
Opened this issue · 0 comments
rezoan commented
Currently GCP doesn't have any API endpoint which returns a list of users/service accounts with all roles assigned to them; instead it has an API endpoint to list all roles with the users assigned to them.
Writing policy is hard/requires more processing where we need to check overprivileged role assignment for specific users/service accounts, as it requires multiple role assignment checks for a single user.
Suggestion/Steps to create the custom snapshot which will contain a list of users/service accounts with all roles assigned to them:
The API endpoint at https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy returns the list of roles with the users assigned to them.
```json
{
  "version": 1,
  "etag": "BwYBcR2EiGI=",
  "bindings": [
    {
      "role": "roles/iam.serviceAccountAdmin",
      "members": [
        "serviceAccount:service-784490704435@gcp-sa-firestore.iam.gserviceaccount.com",
        "user:rezoan@gmail.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:firebase-adminsdk-wxugx@resonant-grail-134310.iam.gserviceaccount.com",
        "user:rezoan@gmail.com"
      ]
    },
    {
      "role": "roles/owner",
      "members": [
        "user:r4redu@gmail.com"
      ]
    }
  ]
}
```
I am requesting to generate another custom snapshot out of the previous one as follows. We will need both snapshots for different purposes:
```json
{
  "version": 1,
  "etag": "BwYBcR2EiGI=",
  "bindings": [
    {
      "member": "serviceAccount:service-784490704435@gcp-sa-firestore.iam.gserviceaccount.com",
      "roles": [
        "roles/iam.serviceAccountAdmin"
      ]
    },
    {
      "member": "user:rezoan@gmail.com",
      "roles": [
        "roles/iam.serviceAccountAdmin",
        "roles/iam.serviceAccountTokenCreator"
      ]
    },
    {
      "member": "serviceAccount:firebase-adminsdk-wxugx@resonant-grail-134310.iam.gserviceaccount.com",
      "roles": [
        "roles/iam.serviceAccountTokenCreator"
      ]
    },
    {
      "member": "user:r4redu@gmail.com",
      "roles": [
        "roles/owner"
      ]
    }
  ]
}
```
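The member-centric snapshot the issue asks for is a straightforward inversion of the `bindings` array returned by `getIamPolicy`, so the transformation can be done client-side today. The example below is added here and is not code from the issue author or from Google: it inverts the policy quoted above into the requested shape and then runs a simple check for members holding high-impact roles. The sample policies are constructed from the issue's JSON plus one assumed conditional binding (a policy version 3 feature), because a binding with a `condition` must not be flattened into an unconditional role or the snapshot will overstate that member's access. The `HIGH_IMPACT_ROLES` set, the `conditional_roles` field and the function names are this example's own choices, not anything in the GCP API.

```python
"""Added example (not part of the issue): invert a getIamPolicy response into a
member -> roles snapshot and run a basic overprivilege check over it."""
import json

# Constructed sample: the project-level getIamPolicy output quoted in the issue.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwYBcR2EiGI=",
    "bindings": [
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["serviceAccount:service-784490704435@gcp-sa-firestore.iam.gserviceaccount.com",
                     "user:rezoan@gmail.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:firebase-adminsdk-wxugx@resonant-grail-134310.iam.gserviceaccount.com",
                     "user:rezoan@gmail.com"]},
        {"role": "roles/owner", "members": ["user:r4redu@gmail.com"]},
    ],
}

# Constructed sample (assumed, not from the issue): a version 3 policy with a
# conditional, time-limited grant and a public principal.
CONDITIONAL_POLICY = {
    "version": 3,
    "etag": "BwZexample000=",
    "bindings": [
        {"role": "roles/viewer", "members": ["user:rezoan@gmail.com"],
         "condition": {"title": "expires-2030",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Assumption of this example: roles treated as high-impact at project level.
HIGH_IMPACT_ROLES = {"roles/owner", "roles/editor",
                     "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountTokenCreator"}


def invert_bindings(policy):
    """Turn role -> members bindings into member -> roles entries.

    Unconditional roles go to "roles", the shape requested in the issue. A binding
    that carries a "condition" is kept separately under "conditional_roles" together
    with that condition, so nothing is silently promoted to an unconditional grant.
    Members are emitted in first-seen order, so the output is deterministic."""
    by_member = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            entry = by_member.setdefault(member, {"member": member, "roles": []})
            if condition is None:
                entry["roles"].append(role)
            else:
                entry.setdefault("conditional_roles", []).append(
                    {"role": role, "condition": condition})
    return {"version": policy.get("version"), "etag": policy.get("etag"),
            "bindings": list(by_member.values())}


def roles_of(snapshot, member):
    """All roles a member holds in the snapshot, conditional ones included, sorted."""
    for entry in snapshot["bindings"]:
        if entry["member"] == member:
            conditional = [c["role"] for c in entry.get("conditional_roles", [])]
            return sorted(entry["roles"] + conditional)
    return []


def find_risky_members(snapshot, high_impact=HIGH_IMPACT_ROLES):
    """One finding per member that is a public principal or holds a high-impact role.

    This is the single-pass check the issue says is awkward against the original
    role-keyed policy: every role a member holds is already collected on its entry."""
    findings = []
    for entry in snapshot["bindings"]:
        held = sorted(r for r in roles_of(snapshot, entry["member"]) if r in high_impact)
        public = entry["member"] in PUBLIC_PRINCIPALS
        if held or public:
            findings.append({"member": entry["member"], "public": public,
                             "high_impact_roles": held})
    return findings


if __name__ == "__main__":
    snapshot = invert_bindings(SAMPLE_POLICY)
    print(json.dumps(snapshot, indent=2))
    print(json.dumps(find_risky_members(snapshot), indent=2))
    print(json.dumps(find_risky_members(invert_bindings(CONDITIONAL_POLICY)), indent=2))
```

Two caveats when using this against a real project: `getIamPolicy` on a project returns only the bindings set at that level, so roles inherited from the parent folder or organization will not appear in the inverted snapshot, and a member can appear under the same role in both a conditional and an unconditional binding, which is why the example keeps the two lists apart rather than deduplicating by role name.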