Skip to content

jdyke/gcp-iam-analyzer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
gcp-iam-analyzer.py
gcp-iam-analyzer.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

GCP IAM Analyzer

This tool is an all-in-one GCP IAM analyzer with helpful functions for working with roles and permissions.

Table of Contents

Features

There are two main types of features this tool offers: role analysis and permissions analysis.

Role Analysis

Currently supports up to 2 IAM roles to:

  • Calculate the differences in permissions between the two. (-d flag)
  • Which permissions the two roles share. (-s flag)
  • Lists permissions for a given role or list of roles. (supports 1 + N roles). (-l flag)
  • Or can do all of the above at once. (-a flag)

In order to determine what permissions a role has we need some type of role -> permission lookup. We have a roles database via a different project gcp_iam_update_bot which keeps an up to date list of all GCP IAM roles and their permissions (refreshes every 12 hours).

Before any role analysis takes place the script will look for the roles/ directory and prompt you to download it if it does not exist:

./gcp-iam-analyzer.py -d vpcaccess.admin vpcaccess.viewer
ERROR:"roles" folder does not exist. This is required for analysis.
Do you want to download the "roles" folder now? y/n

You update your local roles database at anytime via ./gcp-iam-analyzer.py -r.

Permissions Analysis

  • Will calculate which IAM roles have N + 1 IAM permissions. This is useful if you'd like to know which roles share similar permissions. (-p flag)

Usage

./gcp-iam-analyzer.py --help
usage: gcp-iam-analyzer.py [-h] [-d ROLES [ROLES ...]] [-s ROLES [ROLES ...]] [-a ROLES [ROLES ...]]
                           [-l ROLES [ROLES ...]] [-p PERM [PERM ...]] [-r]

Compares GCP IAM roles and outputs analysis.

optional arguments:
  -h, --help            show this help message and exit
  -d ROLES [ROLES ...], --diff ROLES [ROLES ...]
                        Compares roles and outputs the permissions difference.
  -s ROLES [ROLES ...], --shared ROLES [ROLES ...]
                        Compares roles and outputs the shared permissions.
  -a ROLES [ROLES ...], --all ROLES [ROLES ...]
                        Compares roles and outputs the differences and the shared permissins.
  -l ROLES [ROLES ...], --list ROLES [ROLES ...]
                        Lists permissions for role(s).
  -p PERM [PERM ...], --perm PERM [PERM ...]
                        Lists roles which contain a specific permission.
  -r, --refresh         Refreshes the local "roles" folder

Example

Let's say we have a user in GCP that has the vpcaccess.admin role and you want to find out how many permissions they would "lose" if they were assigned the vpcaccess.viewer role.

./gcp-iam-analyzer.py -d vpcaccess.viewer vpcaccess.admin

Role "vpcaccess.viewer" differences:
'N/A'
Role "vpcaccess.admin" differences:
'vpcaccess.connectors.delete'
'vpcaccess.connectors.create'
'vpcaccess.connectors.use'

The above output shows that by assigning the vpcaccess.viewer role and removing the vpcaccess.admin role the user would lose:

'vpcaccess.connectors.create',
'vpcaccess.connectors.delete',
'vpcaccess.connectors.use'

Feedback

Feel free to open an issue if you encounter a bug or reach out via twitter @jasonadyke

About

Compares and analyzes GCP IAM roles.

Resources

Readme

License

View license
Activity

Stars

76 stars

Watchers

1 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages