Currently GCP does not have an API endpoint that returns the list of users/service accounts with all roles assigned to them; instead it has an API endpoint that lists all roles with the users assigned to each.
Writing a policy is hard and requires more processing when we need to check for overprivileged role assignments for a specific user/service account, because it requires checking multiple role assignments for a single user.
Suggestion/steps to create a custom snapshot that will contain the list of users/service accounts with all roles assigned to them:
The API endpoint at https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy returns the list of roles with the users assigned to each.
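As an added example (not code from the original request or from the project), here is the inversion described above: the role -> members bindings that getIamPolicy returns are turned into a member -> roles snapshot, keeping any binding condition so a conditional grant is not mistaken for a permanent one. The policy document and member names are constructed; the broad-role list used for the overprivilege check is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape returned by projects.getIamPolicy
# (each binding is one role plus the members holding it). Names are made up.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com",
                 "serviceAccount:build@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
""")

def invert_bindings(policy):
    """Turn role -> members bindings into a member -> roles snapshot.

    Each role entry keeps the binding's condition expression (if any), because a
    conditional grant and an unconditional grant of the same role are not equal
    when judging how much privilege a principal really holds.
    """
    members = defaultdict(list)
    for binding in policy.get("bindings", []):
        entry = {"role": binding["role"]}
        if "condition" in binding:
            entry["condition"] = binding["condition"]["expression"]
        for member in binding.get("members", []):
            members[member].append(entry)
    # Sort members and roles so the snapshot is stable and easy to diff.
    return {m: sorted(roles, key=lambda r: r["role"]) for m, roles in sorted(members.items())}

# Assumed list of broad roles to flag; adjust to the policy being written.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def overprivileged(snapshot, broad_roles=BROAD_ROLES):
    """Return members holding any broad role without a condition, using the
    inverted snapshot, so a single lookup per principal answers the question."""
    return sorted(m for m, roles in snapshot.items()
                  if any(r["role"] in broad_roles and "condition" not in r for r in roles))
```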
I am requesting to generate another custom snapshot out of the previous one as follows. We will need both snapshots for different purposes: