In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud).
Is there a way to list, search, or find IAM policies across resources, services, or projects?
This is needed to answer questions like:
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
To browse policies in a project with number 123 (note that only policies for the listed resource types are supported):
gcloud asset search-all-iam-policies --scope=projects/123
Who has the role Owner in my org?
gcloud asset search-all-iam-policies --scope=organizations/456 --query="policy:roles/owner"
Who can change project IAM policies in my org?
--query='policy.role.permissions:resourcemanager.projects.setIamPolicy'
Which roles does an account have?
--query="policy:[email protected]"
Which resources are shared publicly?
--query="policy:(allUsers OR allAuthenticatedUsers)"
Are there deleted accounts in policies?
--query="policy:deleted"
Does [email protected] appear in any policy?
--query="policy:[email protected]"
Does [email protected] have the Owner role?
--query="policy:(roles/owner [email protected])"
How to find all the IAM policies for a given resource type (e.g., projects)?
--query="policy:roles/owner resource://cloudresourcemanager.googleapis.com/projects"
Is there any gmail account having the role Owner?
--query="policy:(roles/owner *gmail*)"
You can change the scope to a folder or a project.
To use the command, you must:
Enable Cloud Asset API, and
Have the cloudasset.assets.searchAllIamPolicies permission on the scope, which is included in these roles:
Documentation:
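The queries above answer one question per gcloud invocation. For a periodic audit it is often easier to pull the whole result set once with `--format=json` and run the checks locally. The script below is an added example, not code from the answer's author or from Google: it assumes the JSON shape that `gcloud asset search-all-iam-policies --format=json` emits (a list of entries with `resource`, `project`, `assetType` and `policy.bindings[].role/members`), and the `SAMPLE_RESULTS` data is constructed for this example (every resource name, project number and principal in it is made up). It implements the same questions the answer poses with query strings: who holds Owner, what is shared with allUsers/allAuthenticatedUsers, which bindings still reference deleted principals (`deleted:...?uid=...`), which consumer Gmail accounts hold Owner, and which roles a given principal holds.

```python
"""Audit the JSON output of `gcloud asset search-all-iam-policies`.

Added example. Against a real scope, run:
  gcloud asset search-all-iam-policies --scope=organizations/456 --format=json \
      | python audit_iam_search.py
With no piped input the constructed sample below is used instead.
"""
import json
import sys
from collections import defaultdict

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like the --format=json output of the search:
# one entry per resource that carries a policy, with that policy's bindings.
# Every resource name, project number and principal here is made up.
SAMPLE_RESULTS = json.loads(r"""
[
  {
    "assetType": "cloudresourcemanager.googleapis.com/Project",
    "project": "projects/123",
    "resource": "//cloudresourcemanager.googleapis.com/projects/123",
    "policy": {
      "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:bob@gmail.com"]},
        {"role": "roles/editor",
         "members": ["deleted:serviceAccount:old-sa@my-proj.iam.gserviceaccount.com?uid=112233445566778899001"]}
      ]
    }
  },
  {
    "assetType": "storage.googleapis.com/Bucket",
    "project": "projects/123",
    "resource": "//storage.googleapis.com/projects/_/buckets/public-assets",
    "policy": {
      "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}
      ]
    }
  },
  {
    "assetType": "iam.googleapis.com/ServiceAccount",
    "project": "projects/123",
    "resource": "//iam.googleapis.com/projects/123/serviceAccounts/deploy@my-proj.iam.gserviceaccount.com",
    "policy": {
      "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": ["allAuthenticatedUsers"]}
      ]
    }
  }
]
""")


def iter_bindings(results):
    """Flatten search results into (resource, role, member) triples."""
    for entry in results:
        for binding in entry.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                yield entry["resource"], binding["role"], member


def members_with_role(results, role):
    """Who holds `role` anywhere in the scope (same as policy:roles/owner)."""
    return sorted({m for _, r, m in iter_bindings(results) if r == role})


def public_resources(results):
    """Resources granted to allUsers/allAuthenticatedUsers, with the roles."""
    found = defaultdict(set)
    for resource, role, member in iter_bindings(results):
        if member in PUBLIC_PRINCIPALS:
            found[resource].add(role)
    return {res: sorted(roles) for res, roles in found.items()}


def deleted_principals(results):
    """Bindings that still name a deleted principal (deleted:...?uid=...)."""
    return [t for t in iter_bindings(results) if t[2].startswith("deleted:")]


def roles_of(results, member):
    """Every role `member` holds, grouped by resource (same as policy:<email>)."""
    found = defaultdict(set)
    for resource, role, m in iter_bindings(results):
        if m == member:
            found[resource].add(role)
    return {res: sorted(roles) for res, roles in found.items()}


def consumer_gmail_holders(results, role="roles/owner"):
    """Consumer Gmail accounts holding `role` (same as policy:(roles/owner *gmail*))."""
    return sorted(m for m in members_with_role(results, role)
                  if m.startswith("user:") and m.lower().endswith("@gmail.com"))


def main():
    results = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESULTS
    print("owners:", members_with_role(results, "roles/owner"))
    print("public:", public_resources(results))
    print("deleted:", deleted_principals(results))
    print("gmail owners:", consumer_gmail_holders(results))
    print("alice:", roles_of(results, "user:alice@example.com"))


if __name__ == "__main__":
    main()
```

The search only returns policies for the resource types the Cloud Asset API indexes, so a resource type missing from that list is also missing from this audit; and a deleted principal is spotted purely by its `deleted:` prefix, which is how IAM rewrites a binding once the user or service account is gone.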