prancer-io / cloud-validation-framework

prancer platform is an IaC Security engine + Continuous Compliance for your cloud (Azure, AWS, GCP) and Kubernetes environment
https://www.prancer.io
Mozilla Public License 2.0

Low Priority GCP Feature Request: Generate a custom snapshot with users/service accounts with all assigned roles #705

Open rezoan opened 1 year ago

rezoan commented 1 year ago

Currently GCP doesn't have any API endpoint which returns a list of users/service accounts with all the roles assigned to them; instead it has an API endpoint to list all roles with the users assigned to them.

Writing a policy is hard/requires more processing where we need to check for overprivileged role assignments for specific users/service accounts, as it requires multiple role assignment checks for a single user.

Suggestion/steps to create the custom snapshot which will contain the list of users/service accounts with all the roles assigned to them:

The API endpoint at https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy returns the list of roles with the users assigned to them.

```json
{
  "version": 1,
  "etag": "BwYBcR2EiGI=",
  "bindings": [
    {
      "role": "roles/iam.serviceAccountAdmin",
      "members": [
        "serviceAccount:service-784490704435@gcp-sa-firestore.iam.gserviceaccount.com",
        "user:rezoan@gmail.com"
      ]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": [
        "serviceAccount:firebase-adminsdk-wxugx@resonant-grail-134310.iam.gserviceaccount.com",
        "user:rezoan@gmail.com"
      ]
    },
    {
      "role": "roles/owner",
      "members": [
        "user:r4redu@gmail.com"
      ]
    }
  ]
}
```

I am requesting to generate another custom snapshot out of the previous one, as follows. We will need both snapshots for different purposes:

```json
{
  "version": 1,
  "etag": "BwYBcR2EiGI=",
  "bindings": [
    {
      "member": "serviceAccount:service-784490704435@gcp-sa-firestore.iam.gserviceaccount.com",
      "roles": [
        "roles/iam.serviceAccountAdmin"
      ]
    },
    {
      "member": "user:rezoan@gmail.com",
      "roles": [
        "roles/iam.serviceAccountAdmin",
        "roles/iam.serviceAccountTokenCreator"
      ]
    },
    {
      "member": "serviceAccount:firebase-adminsdk-wxugx@resonant-grail-134310.iam.gserviceaccount.com",
      "roles": [
        "roles/iam.serviceAccountTokenCreator"
      ]
    },
    {
      "member": "user:r4redu@gmail.com",
      "roles": [
        "roles/owner"
      ]
    }
  ]
}
```
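The inversion the issue asks for, written out as an added example (not prancer's own snapshot code, and not part of the issue): it takes a `getIamPolicy` response of the first shape and produces the member-keyed shape of the second, preserving first-seen member order so the output matches the example above. The function names `invert_bindings` and `members_holding` are assumptions, and the sample policy is constructed from the bindings shown in the issue. The second helper shows why the inverted view is useful for policy writing: checking a member for a set of sensitive roles becomes one lookup instead of a scan across every role binding.

```python
"""Invert a GCP IAM policy from role -> members into member -> roles.

Added example for the feature request; not prancer's own code.
Function names are assumptions, the sample policy is constructed.
"""
import json

# Constructed sample in the shape returned by projects.getIamPolicy
# (bindings copied from the issue's example for illustration).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwYBcR2EiGI=",
    "bindings": [
        {
            "role": "roles/iam.serviceAccountAdmin",
            "members": [
                "serviceAccount:service-784490704435@gcp-sa-firestore.iam.gserviceaccount.com",
                "user:rezoan@gmail.com",
            ],
        },
        {
            "role": "roles/iam.serviceAccountTokenCreator",
            "members": [
                "serviceAccount:firebase-adminsdk-wxugx@resonant-grail-134310.iam.gserviceaccount.com",
                "user:rezoan@gmail.com",
            ],
        },
        {"role": "roles/owner", "members": ["user:r4redu@gmail.com"]},
    ],
}


def invert_bindings(policy):
    """Return a policy-like dict whose bindings are keyed by member.

    Members appear in the order they are first seen while walking the
    role bindings, and each member's role list is de-duplicated while
    keeping encounter order. The version and etag are carried over so the
    derived snapshot can be tied back to the policy it was built from.
    """
    by_member = {}  # dict preserves insertion order (Python 3.7+)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            roles = by_member.setdefault(member, [])
            if role not in roles:
                roles.append(role)
    return {
        "version": policy.get("version"),
        "etag": policy.get("etag"),
        "bindings": [{"member": m, "roles": r} for m, r in by_member.items()],
    }


def members_holding(inverted, sensitive_roles):
    """List members that hold at least one of `sensitive_roles`.

    With the member-keyed snapshot this is a single pass, one lookup per
    member, which is the check the issue says is awkward to express
    against the role-keyed snapshot.
    """
    wanted = set(sensitive_roles)
    return [
        b["member"] for b in inverted["bindings"] if wanted.intersection(b["roles"])
    ]


if __name__ == "__main__":
    inverted = invert_bindings(SAMPLE_POLICY)
    print(json.dumps(inverted, indent=2))
    print("members with owner or token-creator:",
          members_holding(inverted, {"roles/owner",
                                     "roles/iam.serviceAccountTokenCreator"}))
```

One caveat for a real implementation: policies at version 3 can carry a `condition` on a binding, and the same role can then appear in more than one binding with different conditions. The flat `roles` list above folds those together, so a snapshot generator that needs to distinguish conditional grants should keep the condition alongside the role rather than de-duplicating on the role name alone.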