GCP – Useful GCLOUD commands for IAM auditing

Here are a few helpful gcloud commands to see important IAM information!

Run these in Cloud Shell or from your own machine with the Cloud SDK installed.

Just replace <id> with your organization's ID.


All users added to any resource in the organization

This can be used to detect things such as external users added to buckets, users added as administrators to specific resources, etc.

gcloud asset search-all-iam-policies --scope=organizations/<id> | grep user: | sort | uniq

All service accounts added to any resource in the organization

Same as before, but with service accounts.

gcloud asset search-all-iam-policies --scope=organizations/<id> | grep serviceAccount: | sort | uniq

All service accounts added to any resource in the organization (detailed)

This version includes full details about what each specific service account has access to.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query='policy : *gserviceaccount*'

All (human) admins inside an organization

This includes every single human that is an editor or an admin for some resource. This command provides detailed information about which admins control which resources.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query='policy : (roles/*admin* OR roles/*editor*) AND user'
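As an added example (not part of the original post), here is a small POSIX shell script that works on the YAML that gcloud asset search-all-iam-policies prints and generalizes the grep | sort | uniq one-liners from the user and service-account sections above: it lists unique members of a given type, flags users whose e-mail address is outside an allowed domain (the "external users added to buckets" case), and prints each member together with the resource and roles it is bound to, which is the "which admins control which resources" view from the last section. The policy output embedded in the script is constructed for illustration, and example.com, example-proj and example-bucket are placeholders.

```shell
#!/bin/sh
# Added example: parse the YAML printed by
#   gcloud asset search-all-iam-policies --scope=organizations/<id>
# and extract IAM members, external users, and member/resource/role triples.

# Constructed sample in the shape gcloud prints (one YAML document per
# policy hit). Replace with live output by piping the gcloud command in.
SAMPLE_POLICIES='---
assetType: storage.googleapis.com/Bucket
policy:
  bindings:
  - members:
    - user:alice@example.com
    - user:mallory@gmail.com
    role: roles/storage.admin
  - members:
    - serviceAccount:ci@example-proj.iam.gserviceaccount.com
    role: roles/storage.objectViewer
resource: //storage.googleapis.com/projects/_/buckets/example-bucket
---
assetType: cloudresourcemanager.googleapis.com/Project
policy:
  bindings:
  - members:
    - user:alice@example.com
    - group:devs@example.com
    role: roles/editor
resource: //cloudresourcemanager.googleapis.com/projects/example-proj
'

# list_members TYPE   (TYPE is user, serviceAccount, group, ...)
# Reads policy YAML on stdin and prints each distinct member of that type.
list_members() {
  grep -o "${1}:[^[:space:]]*" | sort -u
}

# external_users DOMAIN
# Prints user: members whose e-mail address is not in DOMAIN.
external_users() {
  list_members user | grep -v "@${1}\$"
}

# member_bindings TYPE
# Prints "member resource role [role...]" for every binding of that type.
# Members of a binding are listed before its role, and the resource line
# comes after the whole policy, so the awk program buffers per document.
member_bindings() {
  awk -v type="$1" '
    /^---/ || /^assetType:/ { nb = 0 }                 # new policy document
    /^    - [A-Za-z]+:/     { b[nb++] = $2 }           # member inside a binding
    /^    role: /           {                          # role closes the binding
      for (i = 0; i < nb; i++) r[b[i]] = r[b[i]] " " $2
      nb = 0
    }
    /^resource: / {                                    # emit and reset per document
      for (m in r) if (index(m, type ":") == 1) print m, $2 r[m]
      split("", r)
    }
  ' | sort -u
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_POLICIES" | external_users example.com
printf '%s' "$SAMPLE_POLICIES" | member_bindings user
```

With live data, pipe the gcloud output into the functions instead of the sample, for example gcloud asset search-all-iam-policies --scope=organizations/<id> | member_bindings user, and change the domain passed to external_users to your own.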