added gcp_iam_roles_granted_to_identity.sh
parent
52ddb0f7e9
commit
df74e44c73
@ -0,0 +1,83 @@
|
||||
#!/usr/bin/env bash
|
||||
# vim:ts=4:sts=4:sw=4:et
|
||||
# args: hari
|
||||
#
|
||||
# Author: Hari Sekhon
|
||||
# Date: 2021-02-19 11:23:50 +0000 (Fri, 19 Feb 2021)
|
||||
#
|
||||
# https://github.com/HariSekhon/bash-tools
|
||||
#
|
||||
# License: see accompanying Hari Sekhon LICENSE file
|
||||
#
|
||||
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
||||
#
|
||||
# https://www.linkedin.com/in/HariSekhon
|
||||
#
|
||||
|
||||
set -euo pipefail
|
||||
[ -n "${DEBUG:-}" ] && set -x
|
||||
srcdir="$(dirname "${BASH_SOURCE[0]}")"
|
||||
|
||||
# shellcheck disable=SC1090
|
||||
. "$srcdir/lib/utils.sh"
|
||||
|
||||
# shellcheck disable=SC2034,SC2154
|
||||
usage_description="
|
||||
Finds all roles in the given or current project which are assigned to any identity (user/group/serviceAccount) matching the given regex
|
||||
|
||||
For best matching the identity should be in the standard GCP format eg.
|
||||
|
||||
user:hari@mydomain.com
|
||||
|
||||
group:platform-engineering@mydomain.com
|
||||
|
||||
serviceAccount:myproject-gke-sa@myproject.iam.gserviceaccount.com
|
||||
serviceAccount:myproject@appspot.gserviceaccount.com
|
||||
|
||||
but is interpreted as a regex so you could just use a substring match like 'hari' and that would find roles containing any users/groups/serviceAccounts with that string in them
|
||||
|
||||
${0##*/} hari
|
||||
|
||||
You could also use this to find any roles granted on a user-basis against group-oriented policy eg.
|
||||
|
||||
${0##*/} user:
|
||||
|
||||
|
||||
Requires GCloud SDK to be installed and configured
|
||||
"
|
||||
|
||||
# used by usage() in lib/utils.sh
|
||||
# shellcheck disable=SC2034
|
||||
usage_args="<identity_regex> [<project_id>]"
|
||||
|
||||
help_usage "$@"
|
||||
|
||||
min_args 1 "$@"
|
||||
|
||||
regex="$1"
|
||||
project="${2:-}"
|
||||
|
||||
if is_blank "$regex"; then
|
||||
usage "identity regex cannot be blank"
|
||||
fi
|
||||
|
||||
if is_blank "$project"; then
|
||||
project="$(gcloud config list --format='get(core.project)')"
|
||||
fi
|
||||
|
||||
not_blank "$project" || die "ERROR: no project specified and GCloud SDK core.project property not set in config"
|
||||
|
||||
get_roles(){
|
||||
local project="$1"
|
||||
gcloud projects get-iam-policy "$project" --format=json |
|
||||
jq -r ".bindings[] | select(.members[] | test(\"$regex\")) | .role"
|
||||
}
|
||||
|
||||
if [ "$project" = "all" ] ;then
|
||||
for project in $(gcloud projects list --format='get(project_id)'); do
|
||||
get_roles "$project"
|
||||
done
|
||||
else
|
||||
get_roles "$project"
|
||||
fi |
|
||||
sort -u
|
Loading…
Reference in New Issue