We have a scenario where in our GCP projects we have several IAM users with different email domains apart from @gmail.com. Now we need to restrict this to only giving access to @gmail.com users.
First we need to identify all existing non-@gmail.com users in our projects and remove them.
We use the filter below for identifying all @gmail.com users among the IAM users.
gcloud projects get-iam-policy <project id> --flatten="bindings[].members" --format="table(bindings.members)" --filter="@gmail.com"
Similarly, we need to filter out all the IAM users with other email domains in our projects.
You can't negate the filter. You need to get all the members and remove the gmail.com ones with a grep -v.
# With IAM on project
# value(...) instead of table(...) drops the MEMBERS header line, so only members reach the grep;
# -F matches the literal string, so the dot is not a regex wildcard
gcloud projects get-iam-policy <project id> --flatten="bindings[].members" --format="value(bindings.members)" | sort -u | grep -vF '@gmail.com'
# With asset inventory
gcloud asset search-all-iam-policies --flatten="policy.bindings[].members" --format="value(policy.bindings.members)" | sort -u | grep -vF '@gmail.com'
Asset inventory is great because it also finds the accounts granted at resource level and not only at the project level. It all depends on what you need.
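The listing above still mixes user accounts with service accounts, groups, allUsers and deleted members, and a plain grep -v cannot tell them apart before the removal step. The script below is an added example, not code from the question or the answer: it takes the role/member pairs that `gcloud projects get-iam-policy <project id> --flatten="bindings[].members" --format="csv[no-heading](bindings.role,bindings.members)"` would print, keeps only `user:` principals whose domain is not the allowed one, and prints the matching `gcloud projects remove-iam-policy-binding` commands for review instead of running them. The policy rows, the project id `my-project` and the `ALLOWED_DOMAIN` variable are constructed assumptions for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): turn a flattened IAM policy into
# reviewable removal commands for user accounts outside the allowed domain.
# Input format assumed: one "role,member" row per line, as produced by
#   gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
set -eu

# Assumption for this example: exactly one domain is allowed to keep access.
ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-gmail.com}"

# Constructed sample policy covering the member kinds a real policy contains.
SAMPLE_POLICY=$(cat <<'EOF'
roles/owner,user:alice@gmail.com
roles/editor,user:bob@example.com
roles/viewer,user:carol@corp.example
roles/viewer,serviceAccount:ci@my-project.iam.gserviceaccount.com
roles/viewer,group:team@example.com
roles/editor,deleted:user:dave@example.com?uid=123456789012345678901
roles/viewer,allUsers
EOF
)

# Print "role member" for every user: principal whose email domain is not
# $ALLOWED_DOMAIN. Only "user:" members are considered; everything else is a
# separate decision and is reported by list_other_principals.
list_foreign_users() {
  # $1: policy text, one "role,member" per line
  printf '%s\n' "$1" | awk -F',' -v dom="$ALLOWED_DOMAIN" '
    $2 ~ /^user:/ {
      email = substr($2, 6)                 # strip the "user:" prefix
      n = split(email, parts, "@")
      if (n == 2 && parts[2] != dom) print $1, $2
    }'
}

# Service accounts, groups, domains, allUsers and deleted members: listed so
# they are not silently kept, but never turned into removal commands here.
list_other_principals() {
  printf '%s\n' "$1" | awk -F',' '$2 !~ /^user:/ { print $1, $2 }'
}

# Emit the gcloud command for each foreign user binding. Commands are printed,
# not executed, so the list can be reviewed before anything is changed.
removal_commands() {
  # $1: project id, $2: policy text
  list_foreign_users "$2" | while read -r role member; do
    printf 'gcloud projects remove-iam-policy-binding %s --member=%s --role=%s\n' \
      "$1" "$member" "$role"
  done
}

removal_commands my-project "$SAMPLE_POLICY"
echo "# Not touched, review by hand:"
list_other_principals "$SAMPLE_POLICY" | sed 's/^/# /'
```

Pipe real policy output into `removal_commands` (or replace `SAMPLE_POLICY` with the gcloud output) and run the printed commands only after checking them; a binding that carries an IAM Condition additionally needs `--condition=...` or `--all` on the remove command. Running the asset-inventory query with the same csv format gives the same row shape for resource-level bindings, but those are removed on the individual resource, not with `gcloud projects remove-iam-policy-binding`.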