3
votes

Is there a way to list all permissions from a user in GCP?

I know there is this command:

gcloud projects get-iam-policy "project-ID"

but I can only see the IAM roles I have set up in the IAM console. For example I do not see the IAM role

BigQuery Data Viewer

that I have set up to a user on a dataset in the BigQuery page.

5 Answers

6
votes

in GCP is there a way to list all permissions of a user?

In Google Cloud Platform there is no single command that can do this. Permissions via roles are assigned to resources. Organizations, Folders, Projects, Databases, Storage Objects, KMS keys, etc can have IAM permissions assigned to them. You must scan (check IAM permissions for) every resource to determine the total set of permissions that an IAM member account has.

These features are both a strength and a weakness in Google Cloud authorization, security, and auditing. These features are very powerful when understood well.

6
votes

You can list the roles associated to a user or service account by tweaking the output of gcloud projects get-iam-policy with the flags '--flatten', '--format', and '--filter':

gcloud projects get-iam-policy <YOUR GCP PROJECT>  \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:<THE USER OR SERVICE ACCOUNT>"

The output is the following in my test scenario:

ROLE
roles/bigquery.dataViewer
roles/owner

2
votes

When we think about the permissions of a user, it would be wrong to think of there being some kind of master table that says "User X has all THESE permissions". Rather, we need to re-orient our thinking to think along a different dimension. Think of a thing that you want to protect (a resource) and then we can say "This resource (Z) allows user X to perform Y".

In GCP, we also don't assign permissions but roles which are collections of permissions.

Going back to your ask, this means that we can't list all the permissions for a user because a user doesn't "have" permissions, instead a user possesses roles relative to a resource.

Imagine a file on your filesystem called "A" which user X can read but not write. Now imagine a file on your filesystem called "B" which user X can write but not read. We can't correctly say that user X has both "read" and "write" permissions. While there are some files the user can read and some that the user can write it isn't true to say that the user can read and write all files.

And to reach a conclusion ... for any given set of resources you can ask that resource what users have what roles on that resource.

We have an API that can be used to determine if a user can perform a named operation against a given resource ... see: Testing permissions.

2
votes

You can use this to search for "[email protected]" within IAM policies under an organization:

gcloud beta asset search-all-iam-policies --scope=organizations/123 --query="policy:[email protected]" | egrep "resource:|role:|user:foo"

You can change scope to a project or a folder.

Documentation: https://cloud.google.com/asset-inventory/docs/searching-iam-policies

It doesn't cover all the policies though: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types

More details can be found in another post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
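The first answer's point (there is no single command; every resource's policy has to be scanned) and the second and fourth answers' approach (pull the policy as structured data and filter on the member) can be put together in one offline script. This is an added example, not code from any of the answers: the two policies below are constructed sample JSON shaped like `gcloud projects get-iam-policy --format=json` output and the `resource`/`policy` fields of `gcloud asset search-all-iam-policies --format=json` results, the project id `my-proj`, dataset `sales` and the principals are made up, and the condition, `domain:` and `allAuthenticatedUsers` cases are there to show what a naive `bindings.members:` filter misses. Group bindings are reported as unresolved because expanding them needs Cloud Identity, not the IAM policy.

```python
"""Aggregate the IAM roles one member holds across several GCP resources.

Added example, not code from the answers above. Runs offline on constructed
sample policies; in real use, fill `policies` from the per-resource
get-iam-policy commands or from asset-inventory search results.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample: project-level policy (what get-iam-policy on the
# project shows). Assumed project id: my-proj.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:analysts@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["domain:example.com"]},
    ],
    "etag": "BwX...",
    "version": 1,
}

# Constructed sample: the BigQuery dataset's own policy. A grant made on the
# dataset lives here, which is why a project-level scan never lists it.
DATASET_POLICY = {
    "bindings": [
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "until_q4",
                "expression": 'request.time < timestamp("2025-10-01T00:00:00Z")',
            },
        },
        {"role": "roles/bigquery.dataViewer", "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "BwY...",
    "version": 3,
}

Grant = Tuple[str, str, str]  # (resource, role, condition title or "")


def member_matches(bound: str, member: str) -> bool:
    """True when the bound principal grants `member` directly.

    Exact comparison on purpose: the gcloud `bindings.members:` filter is a
    substring match, so user:alice@example.com also matches
    user:alice@example.com.evil. allUsers / allAuthenticatedUsers and a
    matching domain: binding also grant the member. group: is not expanded.
    """
    if bound == member or bound in ("allUsers", "allAuthenticatedUsers"):
        return True
    if bound.startswith("domain:") and member.startswith("user:"):
        return member.split("@", 1)[-1] == bound[len("domain:"):]
    return False


def bindings_for_member(policy: dict, member: str) -> List[Tuple[str, str]]:
    """(role, condition title) pairs in one policy that apply to member."""
    out = []
    for b in policy.get("bindings", []):
        if any(member_matches(m, member) for m in b.get("members", [])):
            out.append((b["role"], b.get("condition", {}).get("title", "")))
    return out


def group_bindings(policy: dict) -> List[Tuple[str, str]]:
    """(group, role) pairs that must be resolved against group membership;
    a member can hold these roles without appearing in the policy at all."""
    return [(m, b["role"]) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m.startswith("group:")]


def scan(policies: Dict[str, dict], member: str):
    """Walk every resource policy and return (direct grants, unresolved groups)."""
    grants: List[Grant] = []
    unresolved: List[Tuple[str, str, str]] = []
    for resource, policy in policies.items():
        for role, cond in bindings_for_member(policy, member):
            grants.append((resource, role, cond))
        for group, role in group_bindings(policy):
            unresolved.append((resource, group, role))
    return grants, unresolved


def from_asset_search(results: Iterable[dict], member: str):
    """Adapter for search-all-iam-policies JSON results (`resource`, `policy`)."""
    return scan({r["resource"]: r["policy"] for r in results}, member)


if __name__ == "__main__":
    policies = {
        "projects/my-proj": PROJECT_POLICY,
        "projects/my-proj/datasets/sales": DATASET_POLICY,
    }
    grants, unresolved = scan(policies, "user:alice@example.com")
    for g in grants:
        print(*g)
    for u in unresolved:
        print("resolve group membership:", *u)
```

Feed it one policy per resource; the unresolved list is the part that still needs a Cloud Identity lookup, and the condition title is kept so a conditional grant is never mistaken for a permanent one.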

0
votes

I have created this small script. It gives details like member id, roles it is assigned with and project Name

for project in $(gcloud projects list --format="value(projectId)"); do
  echo "== $project =="   # print the project name; a literal inside table() is not a valid column
  gcloud projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --format="table(bindings.members,bindings.role)"
done