### Example Permission: IAM Roles Get Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md Illustrates viewing IAM role definitions. ```text iam.roles.get ``` -------------------------------- ### Example Permission: Resource Manager Projects Get Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md Illustrates viewing project details using the Resource Manager API. ```text resourcemanager.projects.get ``` -------------------------------- ### Example Permission: GKE Clusters Get Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md Illustrates viewing details of a Google Kubernetes Engine cluster. ```text container.clusters.get ``` -------------------------------- ### Setup Google Cloud SDK in GitHub Actions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/GITHUB_ACTIONS_AUTOMATION.md Configures the gcloud CLI with GCP authentication using a service account key. Installs the gcloud SDK and authenticates using the provided secret. ```yaml - uses: google-github-actions/setup-gcloud@v0 with: version: 'latest' service_account_key: ${{ secrets.GCP_SA_KEY }} ``` -------------------------------- ### Example Permission: Compute Instances Create Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md Illustrates the creation of a Compute Engine instance. ```text compute.instances.create ``` -------------------------------- ### Example Permission: Cloud Storage Buckets List Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md Illustrates listing Cloud Storage buckets. ```text storage.buckets.list ``` -------------------------------- ### Example: Viewer Role (Minimal Permissions) Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md This example defines a 'roles/viewer' role, which allows viewing most Google Cloud resources. It includes a minimal set of read-only permissions. ```json { "name": "roles/viewer", "title": "Viewer", "description": "View most Google Cloud resources.", "stage": "GA", "includedPermissions": [ "accessapproval.requests.get", "accessapproval.requests.list", "compute.instances.list", "storage.buckets.get", "storage.buckets.list" ], "etag": "AA==" } ``` -------------------------------- ### Example Release Names Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/GITHUB_ACTIONS_AUTOMATION.md Provides examples of how GitHub releases are named, incorporating the date, time (UTC), and an optional sequence number for clarity. ```text v20240617.0044 - Released June 17, 2024 at 00:44 UTC v20240617.1244 - Released June 17, 2024 at 12:44 UTC ``` -------------------------------- ### Install jq Package Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Installs the 'jq' command-line JSON processor. Required for processing JSON files. ```bash apt-get install jq ``` ```bash brew install jq ``` -------------------------------- ### Clone Repository and Initial Setup Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Clone the repository, navigate to the directory, and fetch role data. Ensure you have gcloud CLI and GCP credentials configured. ```bash # Clone the repository git clone https://github.com/darkbitio/gcp-iam-role-permissions.git cd gcp-iam-role-permissions # Ensure roles are fetched (if not already populated) ./fetch-all-roles.sh # Requires gcloud CLI and GCP credentials # Verify installation ./list-all-permissions.sh | head -5 ``` -------------------------------- ### Setup Cron Job for Continuous Role Monitoring Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md This example demonstrates how to set up a cron job to periodically track changes in GCP IAM roles. It compares the current roles with the previous state and sends an email notification if changes are detected. ```bash # Setup cron job to track role changes cat > /etc/cron.d/gcp-role-audit << 'EOF' 0 2 * * * cd /path/to/gcp-iam-role-permissions && \ ./export-all-roles-to-cai.sh > /tmp/roles_current.json && \ diff /tmp/roles_previous.json /tmp/roles_current.json | \ mail -s "GCP Role Changes" admin@company.com && \ mv /tmp/roles_current.json /tmp/roles_previous.json EOF ``` -------------------------------- ### Example: Alpha-Stage Role Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md This example shows an 'ALPHA' stage role for an alpha-stage feature. It includes a single permission and notes that the role may change or be removed. ```json { "name": "roles/some.alpha.role", "title": "Alpha Feature Admin", "description": "Administrative access to an alpha-stage feature. This role may change or be removed.", "stage": "ALPHA", "includedPermissions": [ "alphafeature.resource.manage" ], "etag": "AA==" } ``` -------------------------------- ### Example: Container Admin Role Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md This example demonstrates a 'roles/container.admin' role, which grants full management of Kubernetes Clusters. It is marked as Generally Available (GA). ```json { "name": "roles/container.admin", "title": "Kubernetes Engine Admin", "description": "Full management of Kubernetes Clusters and their Kubernetes API objects.", "stage": "GA", "includedPermissions": [ "container.apiServices.create", "container.apiServices.delete", "container.apiServices.get", "container.clusters.create", "container.clusters.delete", "container.pods.create", "container.pods.delete" ], "etag": "AA==" } ``` -------------------------------- ### GCP IAM Permission String Format Examples Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Illustrates the standard format for GCP IAM permissions, which follows a 'service.resource.verb' pattern. ```text service.resource.verb Examples: compute.instances.create container.clusters.get storage.buckets.list iam.roles.setIamPolicy ``` -------------------------------- ### Compute Engine Instance Listing Permission Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Example of a permission string for listing Compute Engine VM instances. This follows the standard service.resource.verb format. ```text compute.instances.list ``` -------------------------------- ### IAM Role Included Permissions Example Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md An example of the 'includedPermissions' field, which is an array of strings. Each string represents a specific IAM permission granted by the role. ```json ["container.clusters.create", "container.clusters.delete", "container.pods.create"] ``` -------------------------------- ### IAM Role File Organization Example Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Illustrates the directory structure for storing IAM role definition files. Each file corresponds to a single IAM role and is named after the role identifier. ```tree roles/ ├── accessapproval.admin (file name = role name without "roles/" prefix) ├── accessapproval.approver ├── container.admin ├── container.developer ├── compute.admin ├── compute.instanceAdmin ├── compute.viewer ├── ... (2,340 role files total) ├── viewer └── ... (alphabetically ordered by role name) ``` -------------------------------- ### Example Cloud Asset Inventory Role Document Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md This is an example of a single role document exported in Newline-Delimited JSON (NDJSON) format. It includes standard role fields and the required 'asset_type' for CAI. ```json {"name":"roles/accessapproval.admin","title":"Access Approval Admin","description":"Admin role for Access Approval","stage":"GA","includedPermissions":["accessapproval.requests.approve","accessapproval.requests.dismiss","accessapproval.requests.get","accessapproval.requests.invalidate","accessapproval.requests.list","accessapproval.serviceAccounts.get","accessapproval.settings.delete","accessapproval.settings.get","accessapproval.settings.update","resourcemanager.projects.get","resourcemanager.projects.list"],"etag":"AA==","asset_type":"iam.googleapis.com/ExportedIAMRole"} ``` -------------------------------- ### List All Permissions and Filter by Prefix Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists all available GCP IAM permissions and filters them to find those starting with 'compute.'. This is useful for identifying specific permission groups. ```bash # Find all permissions starting with 'compute' ./list-all-permissions.sh | grep "^compute\." ``` -------------------------------- ### Find Roles Granting Container Creation Permission Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists GCP IAM roles that grant the 'container.clusters.create' permission. This is an example of using `list-roles-with-permission.sh`. ```bash # Find all roles that grant container cluster creation ./list-roles-with-permission.sh container.clusters.create ``` -------------------------------- ### Kubernetes Role Escalation Permission Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Example of a permission string for allowing role escalation in Kubernetes. This follows the standard service.resource.verb format. ```text container.roles.escalate ``` -------------------------------- ### Typical Workflow Execution Output Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/GITHUB_ACTIONS_AUTOMATION.md Shows the console output expected during the execution of the GitHub Actions workflow, including repository checkout, SDK setup, role fetching, and release creation. ```text Run checkout repo Syncing repository: darkbitio/gcp-iam-role-permissions ... Setup gcloud SDK Installing latest gcloud SDK version ... Fetch all IAM roles mkdir -p roles Listing all roles... Describing roles/accessapproval.admin ...done. Describing roles/container.admin ...done. ... Commit and release [main abc1234] Update IAM roles Creating release v20240617.1244 ... Workflow completed successfully ``` -------------------------------- ### Cloud Storage Bucket Viewing Permission Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Example of a permission string for viewing a Cloud Storage bucket. This follows the standard service.resource.verb format. ```text storage.buckets.get ``` -------------------------------- ### List all unique permissions from GCP IAM roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/README.md This script extracts all unique permissions from all fetched GCP IAM roles. Ensure `jq` is installed and available in your PATH. ```bash ./list-all-permissions.sh ``` -------------------------------- ### Query Roles in BigQuery Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Example BigQuery SQL query to retrieve role names and the count of their included permissions, filtering for 'GA' stage roles. ```sql SELECT name, ARRAY_LENGTH(includedPermissions) as perms FROM `project.dataset.Roles` WHERE stage='GA' LIMIT 10 ``` -------------------------------- ### Fetch All GCP IAM Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md This script fetches all IAM roles for a configured GCP project and saves their descriptions to individual JSON files in the `roles/` directory. Ensure the gcloud CLI is installed, configured with credentials, and has the necessary IAM permissions. ```bash # Fetch roles using configured GCP project ./fetch-all-roles.sh ``` ```bash # Fetch roles for a specific project gcloud config set project my-project ./fetch-all-roles.sh ``` ```bash # Check progress ./fetch-all-roles.sh 2>&1 | tail -20 ``` ```bash #!/usr/bin/env bash mkdir -p roles rm -f roles/* for i in $(gcloud iam roles list --filter='etag:AA==' --format json | jq -r '.[].name'); do echo -n "Describing ${i} ..." gcloud iam roles describe "${i}" --format json > "${i}" echo "done." done ``` -------------------------------- ### Container Developer Role Example Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md This JSON defines the 'Kubernetes Engine Developer' role, allowing users to create and manage Kubernetes clusters and their workloads. It includes permissions for listing and managing deployments and pods. ```json { "name": "roles/container.developer", "title": "Kubernetes Engine Developer", "description": "Create and manage Kubernetes clusters and their workloads.", "stage": "GA", "includedPermissions": [ "container.apiServices.list", "container.clusters.getCredentials", "container.deployments.create", "container.deployments.delete", "container.deployments.list", "container.pods.create", "container.pods.delete", "container.pods.list" ], "etag": "AA==" } ``` -------------------------------- ### List Roles and Filter Container Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists all Google Cloud IAM roles and filters them to find those that grant container-related permissions. Reads each role from standard input and checks for permissions starting with 'container.'. ```bash # List all GA roles and find those with container permissions ./list-ga-roles.sh | while read role; do if ./list-permissions-of-role.sh "${role#roles/}" | grep -q "^container\."; then echo "$role has container permissions" fi done ``` -------------------------------- ### Custom Log Viewer Role Example Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md This JSON defines a custom 'Log Viewer' role with minimal permissions, specifically allowing only the listing of log entries. This is useful for granting read-only access to logs without broader permissions. ```json { "name": "roles/custom.logViewer", "title": "Log Viewer", "description": "View logs only.", "stage": "GA", "includedPermissions": [ "logging.logEntries.list" ], "etag": "AA==" } ``` -------------------------------- ### Query IAM Roles in BigQuery Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md Analyze exported IAM role data stored in BigQuery using SQL. Examples include listing roles by stage, finding roles with specific permissions, counting permissions per service, and identifying roles with IAM policy management capabilities. ```sql -- List all GA roles SELECT name, title, ARRAY_LENGTH(includedPermissions) as permission_count FROM `project.gcp_iam_roles.ExportedIAMRole` WHERE stage = 'GA' ORDER BY permission_count DESC; -- Find roles with specific permission SELECT name, title, stage FROM `project.gcp_iam_roles.ExportedIAMRole` WHERE ARRAY_CONTAINS(includedPermissions, 'container.clusters.create') ORDER BY stage; -- Count permissions per service SELECT SPLIT(perm, '.')[OFFSET(0)] as service, COUNT(DISTINCT perm) as permission_count FROM `project.gcp_iam_roles.ExportedIAMRole`, UNNEST(includedPermissions) as perm GROUP BY service ORDER BY permission_count DESC; -- Find roles with IAM policy management permissions SELECT name, title FROM `project.gcp_iam_roles.ExportedIAMRole` WHERE EXISTS ( SELECT 1 FROM UNNEST(includedPermissions) as perm WHERE perm LIKE '%.setIamPolicy' ) ORDER BY name; ``` -------------------------------- ### Fetch All Roles Data Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Populates the 'roles/' directory with role data. Run this if the directory appears empty. ```bash ./fetch-all-roles.sh ``` -------------------------------- ### List Compute Engine Permissions and Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Demonstrates listing all compute-related permissions, finding compute roles, and identifying permissions for managing VM instances. ```bash # List all compute-related permissions ./list-all-permissions.sh | grep "^compute\." | wc -l # Output: ~150 # Find all compute roles ./export-all-roles-to-cai.sh | jq -r '.name' | grep "compute\." # What's needed to manage VM instances? ./list-all-permissions.sh | grep "^compute\.instances\." ``` -------------------------------- ### List Cloud Storage Roles and Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Demonstrates listing storage-related roles, identifying who can delete buckets, and counting storage permissions. ```bash # Storage-related roles ./export-all-roles-to-cai.sh | jq -r '.name' | grep "storage\." # Who can delete buckets? ./list-roles-with-permission.sh storage.buckets.delete # Storage permissions count ./list-permissions-of-role.sh storage.admin | wc -l # Output: ~100+ ``` -------------------------------- ### List GKE Roles and Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Shows how to find GKE-related roles, permissions for managing clusters, and roles that can grant cluster credentials. ```bash # GKE-related roles ./export-all-roles-to-cai.sh | jq -r '.name' | grep "container\." # Permissions for managing clusters ./list-permissions-of-role.sh container.admin | grep "clusters" | head -10 # Roles that can get cluster credentials (dangerous) ./list-roles-with-permission.sh container.clusters.getCredentials ``` -------------------------------- ### Get Included Permissions in Bash Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Retrieves and stores the included permissions of a role into a bash variable using 'cat' and 'jq'. ```bash perms=$(cat roles/container.admin | jq '.includedPermissions[]') ``` -------------------------------- ### Extract All Role Names Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Extracts all role names from the exported data. This is useful for getting a simple list of available roles. ```bash ./export-all-roles-to-cai.sh | jq -r '.name' ``` -------------------------------- ### Find Production Compute Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Finds and lists all generally available GCP IAM roles that have identifiers starting with 'roles/compute.'. ```bash # Find all production compute roles ./list-ga-roles.sh | grep "^roles/compute\." ``` -------------------------------- ### Querying BETA IAM Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_LIFECYCLE_STAGES.md These bash commands show how to list, count, and analyze Public Preview (BETA) IAM roles, including filtering by permission set size. ```bash # List all BETA roles ./list-beta-roles.sh ``` ```bash # Count BETA roles ./list-beta-roles.sh | wc -l ``` ```bash # Find BETA roles and their permissions ./list-beta-roles.sh | while read role; do echo "$role:" ./list-permissions-of-role.sh "${role#roles/}" | wc -l done ``` ```bash # Export BETA roles with large permission sets ./export-all-roles-to-cai.sh | jq 'select(.stage=="BETA" and (.includedPermissions|length)>100)' ``` -------------------------------- ### List Beta Roles Utility Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/PROJECT_OVERVIEW.md Shell script to list GCP IAM roles that are currently in the BETA stage. ```bash #!/bin/bash # List roles in BETA stage # ... implementation details ... ``` -------------------------------- ### Extract All Unique Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Extracts all individual permissions from all roles and then sorts them uniquely. This helps in identifying all possible permissions across your IAM setup. ```bash ./export-all-roles-to-cai.sh | jq -r '.includedPermissions[]' | sort -u ``` -------------------------------- ### list-beta-roles.sh Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists all roles currently in BETA (public preview) lifecycle stage. It filters roles based on the `stage` field and outputs their identifiers. ```APIDOC ## list-beta-roles.sh ### Description Lists all roles currently in BETA (public preview) lifecycle stage. ### Signature ```bash ./list-beta-roles.sh ``` ### Parameters None. ### Return Type Standard output: one role identifier per line (format: `roles/{role-name}`). ### Behavior - Sources `lib/helper.sh` to validate the `roles/` directory - Concatenates all role JSON files - Filters for entries where `stage` field equals `"BETA"` - Outputs full role identifiers (`name` field) - One role per line, in order encountered ### Exit Status - `0` on success - `1` if `roles/` directory is empty or missing ### Example Usage ```bash # Count beta roles ./list-beta-roles.sh | wc -l # Find beta roles for a specific service ./list-beta-roles.sh | grep "^roles/compute\." ``` ### Source Location **File**: `list-beta-roles.sh` ```bash #!/usr/bin/env bash source ./lib/helper.sh cat roles/* | jq -r 'select(.stage!=null and .stage=="BETA") | "\(.name)"' ``` ``` -------------------------------- ### Track BETA to GA Role Transitions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_LIFECYCLE_STAGES.md This script helps monitor when Beta roles graduate to General Availability (GA). It lists Beta roles and counts new ones added since the last check. ```bash # Track when BETA roles graduate to GA ./list-beta-roles.sh | sort > beta_roles_today.txt git diff beta_roles_*.txt | grep "^>" | wc -l # Count new BETA roles ``` -------------------------------- ### Project Directory Structure Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/PROJECT_OVERVIEW.md Illustrates the organization of files and directories within the project, including role definitions, utility scripts, and aggregated exports. ```text gcp-iam-role-permissions/ ├── roles/ # 2,340 JSON files, one per role │ ├── accessapproval.admin │ ├── container.admin │ └── ... (one file per role) ├── lib/ │ └── helper.sh # Shared utilities ├── fetch-all-roles.sh # Main data fetcher ├── list-*.sh # Query utilities └── gcp_roles_cai.json # Aggregated export for CAI ``` -------------------------------- ### Create BigQuery Dataset Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md Use the bq command-line tool to create a BigQuery dataset for storing IAM role data. Specify the dataset location and a description. ```bash bq mk --dataset \ --location=US \ --description="GCP IAM Roles" \ gcp_iam_roles ``` -------------------------------- ### Get Top 10 Most Permissive Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Sorts all roles by the number of permissions in descending order and returns the top 10. This helps identify the most comprehensive roles. ```bash ./export-all-roles-to-cai.sh | jq -s 'sort_by(.includedPermissions|length) | reverse | .[0:10]' ``` -------------------------------- ### Create Cloud Storage Bucket Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md Use gsutil to create a Cloud Storage bucket for storing exported assets. Ensure the bucket name is unique. ```bash gsutil mb gs://your-bucket-for-cai-imports ``` -------------------------------- ### Read and Query Raw Role JSON Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Demonstrates reading raw role JSON files and querying specific fields using 'jq'. ```bash # Read raw JSON cat roles/container.admin | jq . ``` ```bash # Direct permission query cat roles/container.admin | jq '.includedPermissions[]' ``` -------------------------------- ### Access Approval Request Approval Permission Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Example of a permission string for approving access requests within the Access Approval service. This follows the standard service.resource.verb format. ```text accessapproval.requests.approve ``` -------------------------------- ### Verify No Non-GA Roles in Production Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_LIFECYCLE_STAGES.md This script checks if any non-Generally Available (GA) IAM roles are being used in a production project. It requires the `gcloud` CLI and `jq` to be installed and configured. ```bash # Verify no non-GA roles are used in production PROD_PROJECT="production-project" gcloud projects get-iam-policy "$PROD_PROJECT" | \ grep 'roles/' | jq -r '.role' | while read role; do stage=$(./export-all-roles-to-cai.sh | jq "select(.name==\"$role\") | .stage" -r) if [ "$stage" != "GA" ]; then echo "FAIL: Non-GA role in production: $role (stage: $stage)" fi done ``` -------------------------------- ### Export Permissions by Service Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Extracts the service name from each permission (e.g., 'compute' from 'compute.instances.create') and outputs a unique, sorted list of services to 'services.txt'. ```bash # Export permissions by service ./list-all-permissions.sh | cut -d. -f1 | sort -u > services.txt ``` -------------------------------- ### List All Available Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/PROJECT_OVERVIEW.md Executes a script to list all unique IAM permissions available within the project's dataset. This script requires the `list-all-permissions.sh` to be executable. ```bash # List all available permissions ./list-all-permissions.sh ``` -------------------------------- ### Extract Role Name using jq Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/TYPES.md Extracts the 'name' field (role identifier) from role JSON files using jq. Ensure jq is installed and role files are available. ```bash # Extract role name (string) cat roles/* | jq -r '.name' ``` -------------------------------- ### View Minimal Storage Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Displays the minimal set of permissions required for the 'storage.objectViewer' role. ```bash # Minimal storage permissions needed ./list-permissions-of-role.sh storage.objectViewer ``` -------------------------------- ### List Alpha Roles Utility Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/PROJECT_OVERVIEW.md Shell script to list GCP IAM roles that are currently in the ALPHA stage. ```bash #!/bin/bash # List roles in ALPHA stage # ... implementation details ... ``` -------------------------------- ### Querying GA IAM Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_LIFECYCLE_STAGES.md These bash commands demonstrate how to list, count, filter, and export Generally Available (GA) IAM roles using provided scripts and `jq`. ```bash # List all GA roles ./list-ga-roles.sh ``` ```bash # Count GA roles ./list-ga-roles.sh | wc -l # Typical output: ~1,800+ roles ``` ```bash # Find GA roles for specific service ./list-ga-roles.sh | grep "^roles/compute\." ``` ```bash # Export only GA roles ./export-all-roles-to-cai.sh | jq 'select(.stage=="GA")' ``` -------------------------------- ### List permissions of a specific GCP IAM role Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/README.md This script lists all permissions associated with a given GCP IAM role. Provide the role name as an argument, for example, `container.admin` (without the `roles/` prefix). ```bash ./list-permissions-of-role.sh ``` -------------------------------- ### List Permissions and Filter by Keyword Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists all GCP IAM permissions and filters them for those containing the keyword 'admin'. It then counts the number of roles associated with each 'admin' permission. ```bash # Find roles that grant admin-like permissions ./list-all-permissions.sh | grep "admin" | while read perm; do roles=$(./list-roles-with-permission.sh "$perm" | wc -l) echo "$perm: $roles roles" done ``` -------------------------------- ### list-alpha-roles.sh Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists all roles currently in ALPHA (early preview) lifecycle stage. It filters roles based on the `stage` field and outputs their identifiers. ```APIDOC ## list-alpha-roles.sh ### Description Lists all roles currently in ALPHA (early preview) lifecycle stage. ### Signature ```bash ./list-alpha-roles.sh ``` ### Parameters None. ### Return Type Standard output: one role identifier per line (format: `roles/{role-name}`). ### Behavior - Sources `lib/helper.sh` to validate the `roles/` directory - Concatenates all role JSON files - Filters for entries where `stage` field equals `"ALPHA"` - Outputs full role identifiers (`name` field) - One role per line, in order encountered ### Exit Status - `0` on success - `1` if `roles/` directory is empty or missing ### Example Usage ```bash # Count alpha roles ./list-alpha-roles.sh | wc -l # List first 5 alpha roles ./list-alpha-roles.sh | head -5 # Export to file ./list-alpha-roles.sh > alpha_roles.txt # Combine with other tools ./list-alpha-roles.sh | while read role; do permissions=$(./list-permissions-of-role.sh "${role#roles/}") echo "$role: $permissions" done ``` ### Source Location **File**: `list-alpha-roles.sh` ```bash #!/usr/bin/env bash source ./lib/helper.sh cat roles/* | jq -r 'select(.stage!=null and .stage=="ALPHA") | "\(.name)"' ``` ``` -------------------------------- ### Find Roles for Compute Instance Creation Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Identifies roles that grant the specific permission to create Compute Engine instances. ```bash # Which roles grant instance creation? ./list-roles-with-permission.sh compute.instances.create ``` -------------------------------- ### GCP Primitive Role Data Format Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Example of the data structure for a deprecated primitive GCP role like 'Viewer'. This format includes the role name, title, description, stage, included permissions, and an etag. ```json { "name": "roles/viewer", "title": "Viewer", "description": "View most Google Cloud resources.", "stage": "GA", "includedPermissions": [ "accessapproval.requests.get", "accessapproval.requests.list", "compute.instances.list", "storage.buckets.get" ], "etag": "AA==" } ``` -------------------------------- ### Container Admin Role Example Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md This JSON defines the 'Kubernetes Engine Admin' role, granting full management of Kubernetes Clusters and their API objects. It includes permissions for creating, deleting, and managing various container resources. ```json { "name": "roles/container.admin", "title": "Kubernetes Engine Admin", "description": "Full management of Kubernetes Clusters and their Kubernetes API objects.", "stage": "GA", "includedPermissions": [ "container.apiServices.create", "container.apiServices.delete", "container.clusters.create", "container.clusters.delete", "container.clusters.getCredentials", "container.deployments.create", "container.deployments.delete", "container.pods.create", "container.pods.delete", "container.services.create", "container.services.delete" ], "etag": "AA==" } ``` -------------------------------- ### Cache IAM Role Export Results Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md This example shows how to cache the results of an expensive IAM role export operation to avoid redundant calls. It checks the age of a cached file and refreshes it if it's older than an hour before using it. ```bash # Cache expensive operations export_file="./gcp_roles_cai_cache.json" cache_age=$(($(date +%s) - $(stat -c %Y "$export_file" 2>/dev/null || echo 0))) if [ $cache_age -gt 3600 ]; then # Refresh if older than 1 hour ./export-all-roles-to-cai.sh > "$export_file" fi # Use cached version cat "$export_file" | jq 'select(.stage=="GA")' ``` -------------------------------- ### Checkout Repository in GitHub Actions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/GITHUB_ACTIONS_AUTOMATION.md Clones the repository into the GitHub Actions runner environment. This is a standard action for setting up the git repository. ```yaml - name: checkout repo uses: actions/checkout@v2 ``` -------------------------------- ### Combine listing alpha roles with permission retrieval Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Iterates through each alpha role, retrieves its permissions using list-permissions-of-role.sh, and prints the role and its permissions. ```bash ./list-alpha-roles.sh | while read role; do permissions=$(./list-permissions-of-role.sh "${role#roles/}") echo "$role: $permissions" done ``` -------------------------------- ### GCP Service-Specific Role Data Format Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_DATA_FORMAT.md Example of the data structure for a service-specific GCP role like 'Kubernetes Engine Admin'. This format outlines the role's name, title, description, stage, included permissions, and etag. ```json { "name": "roles/container.admin", "title": "Kubernetes Engine Admin", "description": "Full management of Kubernetes Clusters and their Kubernetes API objects.", "stage": "GA", "includedPermissions": [ "container.apiServices.create", "container.clusters.create", "container.pods.create" ], "etag": "AA==" } ``` -------------------------------- ### List All Permissions Utility Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/PROJECT_OVERVIEW.md Shell script to extract all unique permissions across all defined GCP IAM roles. ```bash #!/bin/bash # List all unique permissions across all roles # ... implementation details ... ``` -------------------------------- ### Compare Compute Editor and Admin Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Compares the permissions granted by the 'compute.admin' role against the 'compute.editor' role, showing permissions unique to the admin role. ```bash # Compare compute editor and admin echo "=== ADMIN ONLY ===" comm -23 \ <(./list-permissions-of-role.sh compute.admin | sort) \ <(./list-permissions-of-role.sh compute.editor | sort) | \ head -10 ``` -------------------------------- ### Run Role Query in Cloud Build Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/API_QUICKREF.md Integrate role querying into your Cloud Build pipelines to check for specific permissions. ```yaml steps: - name: 'gcr.io/cloud-builders/gke-deploy' args: - 'run' - | ./list-roles-with-permission.sh container.clusters.get ``` -------------------------------- ### List GA Roles Utility Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/PROJECT_OVERVIEW.md Shell script to list GCP IAM roles that are generally available (GA). ```bash #!/bin/bash # List roles in GA (generally available) stage # ... implementation details ... ``` -------------------------------- ### List GCP IAM roles by status (Alpha, Beta, GA) Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/README.md These scripts list GCP IAM roles categorized by their release status: Alpha, Beta, or Generally Available (GA). ```bash ./list-alpha/beta/ga-roles.sh ``` -------------------------------- ### Count beta roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Counts the number of roles in the BETA lifecycle stage by piping the output of list-beta-roles.sh to wc -l. ```bash ./list-beta-roles.sh | wc -l ``` -------------------------------- ### Source code for list-beta-roles.sh Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md This script filters all role JSON files for entries with stage 'BETA', extracts their full role identifiers, and outputs them one per line. It sources lib/helper.sh for validation. ```bash #!/usr/bin/env bash source ./lib/helper.sh cat roles/* | jq -r 'select(.stage!=null and .stage=="BETA") | "\(.name)"' ``` -------------------------------- ### Workflow Execution Timeline Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/GITHUB_ACTIONS_AUTOMATION.md Illustrates the sequence of steps and estimated durations during a typical GitHub Actions workflow run for managing GCP IAM roles. ```text Scheduled at 00:44 UTC ↓ GitHub Actions runner starts ↓ Checkout repository (10 seconds) ↓ Setup gcloud SDK (30 seconds) ↓ Fetch all roles (5-15 minutes) ↓ Commit and create release (30 seconds) ↓ Workflow complete ``` -------------------------------- ### Pre-cache GCP Permissions for Faster Searching Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Improves permission search performance by pre-caching all permissions into a file. Subsequent searches using grep on this file become instantaneous. ```bash # Slow permission searching # Solution: Pre-cache all permissions ./list-all-permissions.sh > permissions.txt grep "^compute\." permissions.txt # Now instant ``` -------------------------------- ### Export Roles to CAI and Find Most Permissive Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Export all roles to Cloud Asset Inventory (CAI) format and use jq to identify the top 10 most permissive roles based on their permission count. ```bash # Find most permissive roles ./export-all-roles-to-cai.sh | jq ' {name, perm_count: (.includedPermissions|length)} ' | jq -s 'sort_by(.perm_count) | reverse | .[0:10]' # Shows top 10 most permissive roles ``` -------------------------------- ### GitHub Actions Workflow for Fetching Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/GITHUB_ACTIONS_AUTOMATION.md This YAML defines a GitHub Actions workflow that runs on a schedule or manually. It checks out the repository, sets up Google Cloud SDK, configures the GCP project, fetches IAM roles using a script, and then commits and releases changes. ```yaml name: Fetch all roles on: workflow_dispatch: schedule: - cron: "44 */12 * * *" jobs: fetch: runs-on: ubuntu-latest steps: - name: checkout repo uses: actions/checkout@v2 - uses: google-github-actions/setup-gcloud@v0 with: version: 'latest' service_account_key: ${{ secrets.GCP_SA_KEY }} - name: set gcp project run: gcloud config set project darkbit-audit-resources - name: fetch all iam roles run: ./fetch-all-roles.sh - name: commit, tag, and release run: ./.github/commit-and-release.sh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` -------------------------------- ### Export all unique permissions to a file Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Redirects the output of list-all-permissions.sh to a file named all_permissions.txt. ```bash ./list-all-permissions.sh > all_permissions.txt ``` -------------------------------- ### Find Roles Granting Multiple Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Demonstrates how to find GCP IAM roles that grant multiple specific permissions by iterating through a list of permissions and calling `list-roles-with-permission.sh` for each. ```bash # Find roles granting multiple permissions (using a loop) for perm in compute.instances.create compute.instances.delete; do echo "Permission: $perm" ./list-roles-with-permission.sh "$perm" | head -3 done ``` -------------------------------- ### List Generally Available GCP IAM Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Lists all roles in the Generally Available (GA) lifecycle stage. It filters roles by the 'GA' stage and outputs their full identifiers. ```bash #!/usr/bin/env bash source ./lib/helper.sh cat roles/* | jq -r 'select(.stage!=null and .stage=="GA") | "\(.name)"' ``` -------------------------------- ### Count Production-Ready Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Counts the number of generally available (production-ready) GCP IAM roles by piping the output of `list-ga-roles.sh` to `wc -l`. ```bash # Count production-ready roles ./list-ga-roles.sh | wc -l ``` -------------------------------- ### Source Helper Script Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Sources the helper script to validate the repository state. Ensures the 'roles/' directory exists and is populated before proceeding. ```bash #!/usr/bin/env bash mkdir -p roles if [ ! "$(ls -A ./roles)" ]; then echo "Error: The 'roles' directory appears to be empty. Run './fetch-all-roles.sh'" exit 1 fi ``` -------------------------------- ### Source code for list-all-permissions.sh Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md This script concatenates all role JSON files, extracts included permissions, deduplicates them using sort -u, and outputs them in lexicographic order. It sources lib/helper.sh for validation. ```bash #!/usr/bin/env bash source ./lib/helper.sh cat roles/* | jq -r '.includedPermissions[]' | sort -u ``` -------------------------------- ### Export alpha roles to a file Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/SHELL_API_REFERENCE.md Redirects the output of list-alpha-roles.sh to a file named alpha_roles.txt. ```bash ./list-alpha-roles.sh > alpha_roles.txt ``` -------------------------------- ### Find Roles with Resource Creation Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md Filters exported roles to identify those granting permissions that include '.create'. Outputs role name and its create permissions. ```bash # Find all roles with resource creation permissions ./export-all-roles-to-cai.sh | jq \ 'select(.includedPermissions | map(select(contains(".create"))) | length > 0) | { name, create_permissions: [.includedPermissions[] | select(contains(".create"))] }' -c | jq -s 'sort_by(.name)' ``` -------------------------------- ### Fetch All GCP IAM Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Fetches all available GCP IAM roles. Ensure the gcloud CLI is configured before running this script. ```bash # Error: "The 'roles' directory appears to be empty" # Solution: ./fetch-all-roles.sh # Requires gcloud CLI configured ``` -------------------------------- ### Compare Permissions Between Two Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md This command compares the permissions of two different roles (e.g., compute.admin and compute.editor) and highlights the permissions present in the first role but not in the second. Useful for understanding role differences and potential privilege creep. ```bash # Compare permissions between two roles diff \ <(./list-permissions-of-role.sh compute.admin | sort) \ <(./list-permissions-of-role.sh compute.editor | sort) | \ grep "^<" | sed 's/^< //' ``` -------------------------------- ### List and Count ALPHA Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_LIFECYCLE_STAGES.md Use these commands to list all ALPHA roles and count their total number. The output typically ranges from 50 to 200 roles. ```bash # List all ALPHA roles ./list-alpha-roles.sh ``` ```bash # Count ALPHA roles ./list-alpha-roles.sh | wc -l ``` -------------------------------- ### List Assets using gcloud CLI Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md Query Cloud Asset Inventory for a list of assets of a specific type using the gcloud asset list command. This is useful for verifying imports or retrieving asset information. ```bash # Query exported roles via Cloud Asset API gcloud asset list \ --project=PROJECT_ID \ --asset-types=iam.googleapis.com/ExportedIAMRole # Query specific role gcloud asset list \ --project=PROJECT_ID \ --asset-types=iam.googleapis.com/ExportedIAMRole \ --filter="name:roles/container.admin" ``` -------------------------------- ### List GA Stage Roles Script Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/README.md This script lists all GCP IAM roles that are currently in the General Availability (GA) stage. GA roles are considered stable and production-ready. ```shell #!/bin/bash # List GA stage roles # Usage: ./list-ga-roles.sh # This script is a placeholder. A real implementation would filter roles based on their stage attribute. # Example using gcloud (requires authentication and project context): # gcloud iam roles list --project= --filter='stage=GA' --format='value(name)' ``` -------------------------------- ### Verify Role Stages for Assigned Roles Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md This script reads a list of assigned roles from a file and checks if they are generally available (GA). It warns about any non-GA roles currently in use, which might indicate potential issues or outdated configurations. ```bash # Verify all are GA while read role; do stage=$(./export-all-roles-to-cai.sh | jq "select(.name==\"$role\") | .stage" -r) if [ "$stage" != "GA" ]; then echo "WARNING: Non-GA role in use: $role (stage: $stage)" fi done < current_roles.txt ``` -------------------------------- ### Export All Roles to Cloud Asset Inventory Format Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/CLOUD_ASSET_INVENTORY_INTEGRATION.md Execute this script to export all IAM roles in the Cloud Asset Inventory (CAI) compatible format. Ensure the script is available in your project. ```bash ./export-all-roles-to-cai.sh ``` -------------------------------- ### List All Unique GCP Permissions Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/USAGE_EXAMPLES.md Retrieve a comprehensive list of all available permissions in Google Cloud Platform. This can be used to count total permissions or filter by specific patterns. ```bash # Get all available permissions in GCP ./list-all-permissions.sh # Count total unique permissions ./list-all-permissions.sh | wc -l # Output: 5847 (approximate) # Find permissions matching a pattern ./list-all-permissions.sh | grep "^compute\." # Output: # compute.addresses.create # compute.addresses.delete # compute.addresses.get # ... # Permissions for a specific service ./list-all-permissions.sh | grep "^storage\." ``` -------------------------------- ### Filter Roles by Stage Source: https://github.com/darkbitio/gcp-iam-role-permissions/blob/main/_autodocs/ROLE_LIFECYCLE_STAGES.md These commands demonstrate how to filter and count roles based on their lifecycle stage. They use shell scripts and jq to select and count roles in GA, BETA, ALPHA, and DISABLED stages. ```bash # Show available roles by stage echo "=== GA Roles (Production) ===" ./list-ga-roles.sh | wc -l echo "=== BETA Roles (Testing) ===" ./list-beta-roles.sh | wc -l echo "=== ALPHA Roles (Experimental) ===" ./list-alpha-roles.sh | wc -l echo "=== DISABLED Roles (Deprecated) ===" ./export-all-roles-to-cai.sh | jq 'select(.stage=="DISABLED")' | wc -l ```