I am trying to understand my options for creating a report in GCP to identify individual user accounts assigned to resources (Org, Folders, projects, Billing Accounts, VPC) inside of my GCP Resource Hierarchy. I would assume this question has been answered but I am unable to find any information on this.
Please let me know if this is the correct forum to ask this type of question or if I need to put this question in one of the other forums.
Thank you
This is actually complicated to do in Google Cloud.
There are two areas that you want to track. IAM members and IAM members assigned to resources.
There are a number of IAM member types: users, services accounts, groups, G Suite domains, Cloud Identity domains.
Some resources can be assigned IAM members. An example would be for impersonation or ActAs. You will need to scan every resource that supports member assignment.
To add to this there are assigned members and inherited members.
Then there are organizations, folders and projects.
If your goal is to simply create a report for auditing, buy a commercial product or service. There are many to choose from.
If your goal is to develop a deeper understanding of Google IAM, resources, roles and permissions, select your favorite language and dig into the Google Cloud SDK and the Google Cloud CLI gcloud.
The asset command of the gcloud command line tool can be used to gather the data you are looking for. Before starting, ensure that you have the correct IAM permissions to view assets. If you have multiple projects under one org, this command can gather all IAM policies from the org and all projects in the org's hierarchy:
gcloud asset export --content-type iam-policy --organization your-org-id \
--output-path gs://your-secure-bucket/your-policy-audit
The policy file is saved as a text file to a Google Cloud Storage bucket. The file consists of multiple JSON objects, one per line. You'll still have to process the IAM file to extract the users.
Related
I have some experience with AWS and an AWS Developer Associate certification. I have been told that I am being moved to a project where I will be using GCP. How easy/hard would it be to learn GCP with AWS experience? Alternatively, how can I facilitate my entry into GCP with an AWS background?
The fundamentals are similar in AWS, GC and Azure, although the terminology is different. There are differences of course (for example, subnets in GC are regional whereas in AWS they're in AZs) but they're easy not too difficult to understand once you get into it.
There's a course by Google in Coursera, which is designed for people familiar with AWS - https://www.coursera.org/learn/gcp-fundamentals-aws
The GC learning resources should also help - https://cloud.google.com/training?hl=en
I think the main difference between AWS and GCP is how projects are managed. I'm referring to Identity and Access Management (IAM) and Resource Manager. In GCP you manage projects in a hierarchical way, using an approach called Resource Hierarchy.
In GCP you always have an Organization, a Project and resources. You might also have Folders. In GCP, basically everything is a resource (like in a REST API). All GCP resources belong to a project, and an individual GCP account can manage multiple projects.
You can manage each GCP project individually, or you can group related projects into folders and manage them from there, or even manage everything from the top-level GCP Organization.
By managing, I mean applying policies: what this resource can do, which accounts can use it.
GCP accounts are sometimes called IAM principals. An IAM principle can be a user account, a Google group (i.e. a bunch of user accounts), a service account (i.e. an account assigned to a program).
The relationship between 1 resource (e.g. a GCP project) and N IAM principals (e.g. 2 user accounts, 1 service account) that have that set of privileges is called IAM binding. A IAM policy is a set of IAM bindings.
As for the services AWS, Azure and GCP offer, there is this nice comparison chart.
So to recap, focus on learning IAM and resource hierarchy first. You will need it whatever GCP service you will end up using.
I have two service-accounts for GCP and would like to use them for authentication in same project that I am working on. Both are required to access different storage services. Is that possible?
Only user-managed service accounts can be attached to an instance, and an instance can have only one attached service account. You can change the service account that is attached to an instance at creation time or later on
. to read more about service account you can refer to this
enter link description here
The short answer for GCP projects is yes, you can use two user-managed service accounts on the same project, but for the particular case of Google Cloud Storage, you must use Service agents.
Please read this guide to be aware of the Organization policy constraints for Cloud Storage.
Merely as an example, if you want to let your application's service account access objects in a Cloud Storage bucket, you can grant the service account the Storage Object Viewer role roles/storage.objectViewer on the bucket. You can follow this guide to manage the access to service accounts.
Could you please share your thoughts about this question?
You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in crm-databases-proj. You want to follow Google-recommended practices to give access to the service account in the web-applications project. What should you do?
A. Give project owner for web-applications appropriate roles to crm-databases-proj.
B. Give project owner role to crm-databases-proj and the web-applications project.
C. Give project owner role to crm-databases-proj and bigquery.dataViewer role to web-applications.
D. Give bigquery.dataViewer role to crm-databases-proj and appropriate roles to web-applications.
Here is the discussion thread.
As suggested by guillaume, and outlined in public documentation, basic roles (including Owner) should not be used in production environment:
Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.
Therefore, D is the correct answer.
How to pull the list of IAM users from google cloud along with their last activity??
Tried "gcloud projects get-iam-policy"
but it gives only list of iam users/members but not their last activity
Ok, if it's for company, you have this information in the Google Cloud Identity platform. You can log in here: https://admin.google.com
Go to users and boom
Of course you can request these values by API with the admin sdk
It works only for managed accounts. If you have unmanaged account (in gmail.com or from another company) you don't have access to this information.
EDIT 1
To track the service account activity, you can rely on the documentation. Cloud Monitoring allow you to do that. If you need to export the data to BigQuery for analytics for example, let me know I could help on that.
To know the privilege that the users have, you can rely on the Asset Inventory, and especially on the IAM search policy feature.
I am doing a quick inventory of our service accounts within a particular GCP project and I want to find all the resources a specific service account has access to. This seems like it'd be a simple lookup, since a GCP policy is simply an Identity given a role on a particular resouce, however it doesn't seem like gcloud has this specific lookup... unless I'm missing something. I can find the service account/role combination via IAM or gcloud beta asset search-all-iam-policies but the final portion of the query seems to be missing.
To find all the resources authorized for a specific account, using the Cloud Asset Inventory is the good tool.
You can perform this kind of request
gcloud beta asset search-all-iam-policies \
--scope=<Where to search>
--query="policy:<who to search>"
The scope is in which perimeter you are looking for. It can be
organizations/<OrganisationNumber>
folders/<folderNumber>
projects/<ProjectNumber or ProjectID>
The query is what you search. Here a policy with a specific service account email. So, set it and launch the request.
Does it what you are looking for?