Closed SimardeepSingh-zsh closed 5 months ago
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
Please accept Google's CLA in order for me to review code.
Closing given it is not DWD and a standalone script.
GCP Service Account DWD Detector
This repository contains a script for detecting Google Cloud Platform (GCP) Service Accounts (SA) with Domain-Wide Delegation (DWD) permissions.
Changes Made
Added a Python script `dwd_sa_detector.py` that checks for DWD permissions in GCP SAs and flags any that are found. This script uses the `google-auth` and `google-auth-httplib2` libraries to authenticate and create a service client. It then lists all the service accounts in the project and checks if they have the `roles/iam.serviceAccountTokenCreator` role, which is one of the roles that enables DWD.

The script logs the details of the service accounts with DWD permissions into a file named `dwd_sa_details.txt`. This could be useful for auditing or further analysis.

Installation
You need to install the necessary libraries using pip:
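The check the PR description outlines, written out as an offline, testable example. This is added here and is not the PR's `dwd_sa_detector.py`; it runs over the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns (the same `bindings`/`members`/`condition` shape as the IAM API's `getIamPolicy`), so no credentials or API client are needed. The policy document below is constructed, `demo-project` and the account names are hypothetical, and the tab-separated report format is an assumption, not the PR's file layout. Two details the description does not mention are handled: `deleted:serviceAccount:` tombstones are skipped, and conditional bindings are kept but marked, since the role only applies while the CEL condition is true. As the maintainer's closing comment says, holding `roles/iam.serviceAccountTokenCreator` is not domain-wide delegation; DWD is authorized per OAuth client ID in the Google Workspace admin console, so a hit here means the SA can mint tokens for other SAs it is bound on, not that it can impersonate Workspace users.

```python
"""Find service accounts granted roles/iam.serviceAccountTokenCreator in a
project IAM policy. Added example, not the PR's dwd_sa_detector.py."""
import json

TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"
SA_PREFIX = "serviceAccount:"
DELETED_SA_PREFIX = "deleted:serviceAccount:"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# Project and principal names are hypothetical.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com",
                 "serviceAccount:reader@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:deployer@demo-project.iam.gserviceaccount.com",
                 "deleted:serviceAccount:old@demo-project.iam.gserviceaccount.com?uid=1234",
                 "group:sre@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('UTC') < 18"}}
  ],
  "etag": "BwX0000000=",
  "version": 3
}
"""


def load_policy(policy_json):
    """Parse a getIamPolicy JSON document into a dict."""
    return json.loads(policy_json)


def find_token_creator_service_accounts(policy, project_service_accounts=None):
    """Return {sa_email: {"conditional": bool, "condition": str | None}} for every
    live service account bound to TOKEN_CREATOR_ROLE.

    project_service_accounts: optional set of SA emails (e.g. from
    `gcloud iam service-accounts list`); when given, SAs from other projects
    that happen to be bound here are ignored, matching the PR's "list the
    project's SAs, then check their role" flow.
    """
    findings = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR_ROLE:
            continue
        condition = binding.get("condition")  # None for an unconditional grant
        expression = condition.get("expression") if condition else None
        for member in binding.get("members", []):
            # Tombstone for a deleted SA: it can no longer mint tokens, skip it.
            if member.startswith(DELETED_SA_PREFIX):
                continue
            # Users, groups and domains also hold the role, but the PR's scope is SAs.
            if not member.startswith(SA_PREFIX):
                continue
            email = member[len(SA_PREFIX):]
            if project_service_accounts is not None and email not in project_service_accounts:
                continue
            prior = findings.get(email)
            # An unconditional grant supersedes a conditional one for the same SA.
            if prior is None or (prior["conditional"] and condition is None):
                findings[email] = {"conditional": condition is not None,
                                   "condition": expression}
    return findings


def format_report(findings):
    """One tab-separated line per flagged SA (report format is an assumption)."""
    lines = []
    for email in sorted(findings):
        f = findings[email]
        suffix = f" (conditional: {f['condition']})" if f["conditional"] else ""
        lines.append(f"{email}\t{TOKEN_CREATOR_ROLE}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    print(format_report(find_token_creator_service_accounts(policy)))
```

Run against a real project with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and feed the file to `load_policy`; note this only covers the project-level policy, and the same role can also be granted on an individual service account resource (`gcloud iam service-accounts get-iam-policy`), which a complete audit should walk as well.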