
Google Cloud Platform: How to fetch permissions assigned for particular Identity across all GCP resources via REST call

GCP IAM: In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource. Ref: https://cloud.google.com/iam/docs/overview

So basically, Access control for Google Cloud resources is managed by IAM policies. An IAM policy is attached to a resource.

With the Cloud Resource Manager API we can retrieve a policy and check the permissions assigned to a user, but it's resource-centric. Policies for organizations, folders, projects, etc. can be retrieved. Example: https://cloud.google.com/resource-manager/reference/rest/v1/organizations/getIamPolicy

Cloud Asset Inventory: Has an API to search all IAM policies. With the query parameter it has a filter for user, but it supports only a subset of the resources on which an IAM policy can be assigned. API: https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllIamPolicies Reference:

Question: Is there any way to fetch all the permissions granted to identity across all GCP resources instead of checking IAM Policy of each and every resource?

Basically looking for a consolidated view of all the permissions granted to an identity in GCP. The problem is that to understand the permissions assigned to a user on a single resource, with the API we have to fetch all the resource policies and check their bindings.

As of now there is not a gcloud or API call that can be used to easily check the permissions granted to a particular resource (such as user, service account, etc.), as explained in your question. As you are already aware, you could use the relevant gcloud command to search for the specific roles assigned at each distinct resource, e.g.:

gcloud asset search-all-iam-policies --scope='projects/[YOUR-PROJECT-ID]' --query='policy:[YOUR-USERNAME]@[YOUR-DOMAIN]'

Resulting in, e.g.:

---
policy:
  bindings:
  - members:
    - projectOwner:[PROJECT-ID]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/bigquery.dataOwner
project: projects/[PROJECT-NUMBER]
resource: //bigquery.googleapis.com/projects/[PROJECT-ID]/datasets/[DATASET-NAME]
---
policy:
  bindings:
  - members:
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: projects/[PROJECT-ID]/roles/[CUSTOM-ROLE-NAME]
  - members:
    - user:[ANOTHER-USERNAME]@[YOUR-DOMAIN]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/owner
project: projects/[PROJECT-NUMBER]

And from these responses, parse the fields corresponding to the role: assigned at each resource to see which permissions are assigned to that specific role, using the relevant gcloud command:

gcloud iam roles describe [CHANGE-FOR-ROLE-(e.g. roles/owner)] --project=[PROJECT-ID]

and check the output corresponding to the includedPermissions: fields.

I would therefore recommend that you star and follow this Feature Request on GCP's Public Issue Tracker to check the feasibility (or not) of this being implemented in the future.
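The two-step procedure in the answer above (search all IAM policies for the identity, then describe each role to read its includedPermissions) can be chained into one consolidated view. The script below is an added example, not code from the original question or answer and not a Google-provided tool. It shells out to the same two gcloud commands the answer shows, but keeps the parsing in pure functions so they can be exercised offline against constructed sample data (modelled on the answer's output, with invented project, dataset and identity names and deliberately short permission lists). Bindings that carry an IAM condition are reported separately rather than counted as unconditional grants, since those permissions only apply when the condition's CEL expression evaluates true. The search only returns policies that mention the identity directly; roles reaching the identity through group membership, and roles inherited from a parent resource's policy, appear under the group or the parent resource, not under the child resource.

```python
"""Consolidate the roles and permissions granted to one identity across a scope.

Added example (not the original answer's code). It assumes the gcloud CLI is
installed and authenticated; the pure functions below work on the JSON shape
that `gcloud ... --format=json` emits for the two commands used in the answer.
"""
import json
import subprocess
import sys
from collections import defaultdict


def run_gcloud_json(args):
    """Run a gcloud command and return its parsed JSON output."""
    out = subprocess.check_output(["gcloud", *args, "--format=json"], text=True)
    return json.loads(out)


def search_policies(scope, member):
    """Step 1: every IAM policy under scope whose text mentions the identity.
    The query matches on text, so the 'user:' / 'serviceAccount:' prefix is dropped."""
    query = "policy:" + member.split(":", 1)[-1]
    return run_gcloud_json(["asset", "search-all-iam-policies",
                            f"--scope={scope}", f"--query={query}"])


def describe_role(role):
    """Step 2: resolve a role name to its description (includedPermissions).
    Predefined roles are named roles/NAME; custom roles embed their parent."""
    parts = role.split("/")
    if parts[0] == "projects":        # projects/PROJECT_ID/roles/NAME
        return run_gcloud_json(["iam", "roles", "describe", parts[3], f"--project={parts[1]}"])
    if parts[0] == "organizations":   # organizations/ORG_ID/roles/NAME
        return run_gcloud_json(["iam", "roles", "describe", parts[3], f"--organization={parts[1]}"])
    return run_gcloud_json(["iam", "roles", "describe", role])


def bindings_for_member(search_results, member):
    """Return ({resource: set(roles)}, [(resource, role, condition_title), ...]).
    `member` must be the full binding form, e.g. 'user:alice@example.com'."""
    grants = defaultdict(set)
    conditional = []
    for result in search_results:
        resource = result["resource"]
        for binding in result.get("policy", {}).get("bindings", []):
            if member not in binding.get("members", []):
                continue
            if "condition" in binding:
                # Only effective while the CEL condition holds; report, don't merge.
                conditional.append((resource, binding["role"], binding["condition"].get("title", "")))
                continue
            grants[resource].add(binding["role"])
    return dict(grants), conditional


def expand_permissions(grants, describe=describe_role):
    """Map each resource to the union of includedPermissions of its roles.
    Role descriptions are cached because roles/owner etc. are large and repeat."""
    cache = {}
    expanded = {}
    for resource, roles in grants.items():
        perms = set()
        for role in sorted(roles):
            if role not in cache:
                cache[role] = set(describe(role).get("includedPermissions", []))
            perms |= cache[role]
        expanded[resource] = perms
    return expanded


def consolidate(scope, member, describe=describe_role):
    """Run both steps and return (permissions_by_resource, conditional_bindings)."""
    grants, conditional = bindings_for_member(search_policies(scope, member), member)
    return expand_permissions(grants, describe), conditional


# Constructed sample data in the shape of the answer's output (hypothetical names).
SAMPLE_DATASET = "//bigquery.googleapis.com/projects/my-proj/datasets/sales"
SAMPLE_PROJECT = "//cloudresourcemanager.googleapis.com/projects/my-proj"
SAMPLE_SEARCH_RESULTS = [
    {"resource": SAMPLE_DATASET, "project": "projects/123456",
     "policy": {"bindings": [
         {"role": "roles/bigquery.dataOwner",
          "members": ["projectOwner:my-proj", "user:alice@example.com"]}]}},
    {"resource": SAMPLE_PROJECT, "project": "projects/123456",
     "policy": {"bindings": [
         {"role": "projects/my-proj/roles/auditReader", "members": ["user:alice@example.com"]},
         {"role": "roles/owner", "members": ["user:bob@example.com", "user:alice@example.com"]},
         {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"],
          "condition": {"title": "expires-2025", "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}}]}},
]
# Constructed, deliberately truncated role descriptions (real lists are far longer).
SAMPLE_ROLE_DESCRIPTIONS = {
    "roles/bigquery.dataOwner": {"includedPermissions": ["bigquery.datasets.get", "bigquery.tables.delete"]},
    "projects/my-proj/roles/auditReader": {"includedPermissions": ["logging.logEntries.list"]},
    "roles/owner": {"includedPermissions": ["bigquery.datasets.get", "resourcemanager.projects.delete"]},
}


if __name__ == "__main__":
    # Usage: python consolidate_iam.py projects/PROJECT_ID user:alice@example.com
    scope, member = sys.argv[1], sys.argv[2]
    perms, cond = consolidate(scope, member)
    print(json.dumps({r: sorted(p) for r, p in perms.items()}, indent=2))
    for resource, role, title in cond:
        print(f"conditional: {role} on {resource} (condition: {title})")
```

Run it with a scope of `projects/PROJECT_ID`, `folders/FOLDER_ID` or `organizations/ORG_ID` and the identity in its binding form. The Cloud Asset Inventory caveat from the question still applies: resource types not covered by searchAllIamPolicies will be missing from the result.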
