0
votes

We have a number of GCP projects (e.g. 50 projects) under an organization. We want to revoke one user's access, but we are not sure which projects he has access to. So we need to identify that user's access list and then revoke it. As a first step I tried the following command to fetch user and role details, but it gives all the users' info. I couldn't find a parameter for a specific user.

gcloud projects get-iam-policy "project-id"

Can anyone help me in this scenario?

1
A project is a resource. Cloud Storage, KMS, App Engine, etc. are resources as well. IAM policies are bound to resources. IAM policies can be inherited. Removing a user from all projects does not mean that all access for that identity is removed. – John Hanley

I believe removing a user from IAM will restrict that user from accessing the resources under that project. – Mani

That is an incorrect assumption. – John Hanley

If an IAM policy has been bound to a resource that grants the user (identity) permission, yes, you must also remove that policy. Your situation is a good example of why organizations should only use Google Workplace or Google Identity Platform for users, groups, etc. That way you can simply delete/disable the identity. If you are using Gmail user identities, you do not have that option. Note: if a user/identity is also part of a group that has permissions, you need to remove the user from the group. – John Hanley

You can use Asset Inventory to search IAM to find the policy bindings. Be careful, all resources aren't scanned. cloud.google.com/asset-inventory/docs/searching-iam-policies – guillaume blaquiere

1 Answer

1
votes

As @John Hanley mentioned in the comments, using Cloud Identity Platform can be the best workaround in this situation. Besides that, there are some other ways of revoking the user's access.

The following steps are an efficient and secure way to revoke a user's access:

1. In the Google Cloud Platform console, go to the IAM permissions page.

2. Select the project you want to remove an account from.

3. Click the checkbox next to the row containing the account you want removed from the member list, then click Remove. Alternatively, click the trash can icon next to the account you want to remove.

This documentation has detailed instructions for revoking a user account from GCP, and to get the roles assigned to the user, refer to this documentation.
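The console steps above handle one project at a time; the question was about finding which of ~50 projects carry a binding for a given user before revoking it. The script below is an added example (not from the question, the answer, or Google's own tooling) that does both from the command line. It shells out to real gcloud commands (`gcloud projects list`, `gcloud projects get-iam-policy PROJECT --format=json`, `gcloud projects remove-iam-policy-binding`), but the policy inspection itself is plain Python over the JSON that `get-iam-policy` prints, exercised here on a constructed sample policy. The principal string, project ids and etag in the sample are made up; the file name `audit_member.py` is assumed. As the comment thread warns, this only covers project-level bindings that name the user directly: bindings on sub-resources (buckets, KMS keys, ...) and access inherited through groups are not found by this walk.

```python
"""Find and optionally revoke one principal's project-level IAM bindings.

Added example, not part of the original post. gcloud is only called inside
run_gcloud(); bindings_for_member() and remove_member() are pure functions
over the JSON shape of `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

# Policy shape: {"etag": str, "version": int,
#                "bindings": [{"role": str, "members": [str], "condition"?: {...}}]}
Policy = Dict


def bindings_for_member(policy: Policy, member: str) -> List[Tuple[str, bool]]:
    """Return (role, is_conditional) for each binding that names `member` directly.

    `member` is the full principal string, e.g. "user:alice@example.com".
    Group membership is NOT expanded: a "group:..." binding that contains the
    user is not reported here (see the comments on the question).
    """
    hits = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            hits.append((binding["role"], "condition" in binding))
    return hits


def remove_member(policy: Policy, member: str) -> Policy:
    """Return a copy of `policy` with `member` stripped from every binding.

    Bindings left with no members are dropped (gcloud's remove-iam-policy-binding
    does the same). The etag is kept so a later set-iam-policy still performs a
    checked read-modify-write. The input policy is not mutated.
    """
    new_policy = {k: v for k, v in policy.items() if k != "bindings"}
    kept = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m != member]
        if members:
            kept.append({**binding, "members": members})
    new_policy["bindings"] = kept
    return new_policy


# Constructed sample policy in the JSON shape gcloud prints (not real data).
SAMPLE_POLICY = {
    "etag": "BwXyz123",
    "version": 3,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temp",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/owner", "members": ["group:admins@example.com"]},
    ],
}


def run_gcloud(args: List[str]) -> str:
    """Run one gcloud command and return its stdout; raises on non-zero exit."""
    return subprocess.run(["gcloud", *args], check=True,
                          capture_output=True, text=True).stdout


def audit_projects(member: str, revoke: bool = False) -> Dict[str, List[Tuple[str, bool]]]:
    """Walk every project the caller can list; report, and optionally revoke, direct bindings."""
    projects = json.loads(run_gcloud(["projects", "list", "--format=json"]))
    report = {}
    for proj in projects:
        pid = proj["projectId"]
        policy = json.loads(run_gcloud(["projects", "get-iam-policy", pid, "--format=json"]))
        hits = bindings_for_member(policy, member)
        if not hits:
            continue
        report[pid] = hits
        if revoke:
            for role, conditional in hits:
                if conditional:
                    # A conditional binding needs the matching --condition flag;
                    # report it and leave it for a deliberate manual removal.
                    print(f"SKIP {pid}: {role} is conditional", file=sys.stderr)
                    continue
                run_gcloud(["projects", "remove-iam-policy-binding", pid,
                            f"--member={member}", f"--role={role}"])
    return report


if __name__ == "__main__":
    # usage: python audit_member.py user:alice@example.com [--revoke]
    # Without --revoke this is a dry run that only lists what would be removed.
    principal = sys.argv[1]
    for project_id, roles in audit_projects(principal, "--revoke" in sys.argv[2:]).items():
        for role, conditional in roles:
            print(project_id, role, "(conditional)" if conditional else "")
```

Run it without `--revoke` first and keep that listing as the change record; only then rerun with `--revoke`. For the resource-level bindings the comments mention, the Asset Inventory search from @guillaume blaquiere's comment is the broader sweep, e.g. `gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --query="policy:alice@example.com"` (replace `ORG_ID` with your organization id), with the caveat he gives that not every resource type is indexed.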