Add feature to detect GCP SAs with DWD permissions #306

[SimardeepSingh-zsh]

GCP Service Account DWD Detector

This repository contains a script for detecting Google Cloud Platform (GCP) Service Accounts (SA) with Domain-Wide Delegation (DWD) permissions.

Changes Made

• Added a Python script dwd_sa_detector.py that checks for DWD permissions in GCP SAs and flags any that are found. This script uses the google-auth and google-auth-httplib2 libraries to authenticate and create a service client. It then lists all the service accounts in the project and checks if they have the roles/iam.serviceAccountTokenCreator role, which is one of the roles that enables DWD.

• The script logs the details of the service accounts with DWD permissions into a file named dwd_sa_details.txt. This could be useful for auditing or further analysis.

Installation

You need to install the necessary libraries using pip:

pip install --upgrade google-auth google-auth-httplib2 google-auth-oauthlib google-api-python-client

[google-cla[bot]]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[mshudrak]

Please accept Google's CLA in order for me to review code.

[mshudrak]

Closing given it is not DWD and a standalone script.