
iam.py: add support for groups

Open schweikert opened this issue 3 years ago • 5 comments

Currently iam.py can't resolve IAM groups so for example if a service account is given certain permissions via a group, that won't be detected properly.

schweikert avatar Jun 15 '22 14:06 schweikert

Hi David, will the steps to solve this be like:

  1. list the groups in the project
  2. determine the permission associated with the group email ID
  3. determine the members of the group
  4. if they have admin/editor role/permissions

Are my steps correct, or can you suggest anything else?

kaushik853 avatar Jun 30 '23 14:06 kaushik853

@kaushik853 I believe the best way will be getting the groups from Cloud Identity, not the project. Project groups are for cloud monitoring.

An alternative is using the Asset Inventory search feature, but I haven't explored this much.

ebenezergraham avatar Nov 13 '23 22:11 ebenezergraham

@ebenezergraham I was checking in project IAM and I could see the group vs role mapping. To see membership I do need to go to Cloud Identity; that was my thought, let me know if something else. I will also try to explore Asset Inventory.

kaushik853 avatar Nov 13 '23 23:11 kaushik853

Sounds good. Feel free to implement, test and submit your code for review.

ebenezergraham avatar Dec 04 '23 19:12 ebenezergraham
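The gap this issue describes, as an added example that is not gcpdiag code and not part of the thread: a role check that only matches direct members misses a service account that holds the role through a (possibly nested) group. `POLICY`, `GROUP_MEMBERS`, `expand_members` and `effective_roles` are hypothetical names, and the membership map is constructed data standing in for lookups against Cloud Identity.

```python
from collections import deque

# Constructed IAM policy in the standard bindings shape (role -> members).
POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": ["group:platform@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:app@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.logWriter", "members": ["group:loop-a@example.com"]},
    ]
}

# Constructed stand-in for group memberships fetched from Cloud Identity.
# Includes a nested group and a membership cycle (loop-a <-> loop-b).
GROUP_MEMBERS = {
    "group:platform@example.com": ["group:ci@example.com", "user:alice@example.com"],
    "group:ci@example.com": ["serviceAccount:app@demo-project.iam.gserviceaccount.com"],
    "group:loop-a@example.com": ["group:loop-b@example.com"],
    "group:loop-b@example.com": ["group:loop-a@example.com", "user:bob@example.com"],
}


def expand_members(members, group_members):
    """Return all non-group principals reachable from members, following nested groups."""
    seen, resolved, queue = set(), set(), deque(members)
    while queue:
        member = queue.popleft()
        if member in seen:
            continue  # already visited; this also breaks membership cycles
        seen.add(member)
        if member.startswith("group:"):
            # Groups missing from the map expand to nothing rather than raising.
            queue.extend(group_members.get(member, []))
        else:
            resolved.add(member)
    return resolved


def effective_roles(principal, policy, group_members, resolve_groups=True):
    """Roles held by principal, directly or (optionally) through group membership."""
    roles = set()
    for binding in policy["bindings"]:
        members = binding["members"]
        holders = expand_members(members, group_members) if resolve_groups else set(members)
        if principal in holders:
            roles.add(binding["role"])
    return roles
```

With `resolve_groups=False` the service account appears to hold only `roles/viewer`; with group expansion it also holds `roles/editor` through `platform` and `ci`.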