GCP – Useful GCLOUD commands for IAM auditing

Update 2023/09/13: GCP has updated how some of the filters work. Some of these commands may not work anymore.

Here are a few helpful gcloud commands to see important IAM information!

Run these in Cloud Shell or from your own machine using the Cloud SDK.

Replace <id> with your organization’s ID and <[email protected]> with the full e-mail address of a specific user.


All permissions a specific user has across the entire organization

This can be used to show all the permissions a specific user has across your organization – that is, all projects, all services and all objects.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query="policy:<[email protected]>"

All users added to any resource in the organization

This can be used to detect things such as external users added to buckets, users added as administrators to specific resources, etc.

gcloud asset search-all-iam-policies --scope=organizations/<id> | grep user: | sort | uniq
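
The grep pipeline above lists members but drops the role and the resource each one was granted on. As an added example (not from the original post), this Python script takes the same search run with --format=json and reports user: members outside your own domain together with their role and resource. The domains example.com and partner.test, the sample data and the function name external_users are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of
# `gcloud asset search-all-iam-policies --format=json` output
# (one entry per resource that has an IAM policy).
SAMPLE = json.loads("""
[
  {"resource": "//storage.googleapis.com/projects/_/buckets/reports",
   "policy": {"bindings": [
     {"role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com", "user:bob@partner.test"]},
     {"role": "roles/storage.admin",
      "members": ["user:carol@partner.test",
                  "serviceAccount:etl@proj.iam.gserviceaccount.com"]}]}},
  {"resource": "//cloudresourcemanager.googleapis.com/projects/demo",
   "policy": {"bindings": [
     {"role": "roles/editor",
      "members": ["user:Bob@Partner.test", "group:ops@example.com"]}]}}
]
""")


def external_users(results, org_domains):
    """Return sorted, de-duplicated (member, role, resource) rows for
    user: members whose e-mail domain is not in org_domains."""
    allowed = {d.lower() for d in org_domains}
    rows = set()
    for result in results:
        for binding in result.get("policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                kind, _, email = member.partition(":")
                if kind != "user":
                    continue  # skip serviceAccount:, group:, domain:, deleted:
                email = email.lower()  # e-mail case differs between bindings
                if email.rpartition("@")[2] not in allowed:
                    rows.add((email, binding.get("role", ""),
                              result.get("resource", "")))
    return sorted(rows)


if __name__ == "__main__":
    # Real use: save the gcloud JSON output to a file, then pass the file
    # path followed by your own domain(s). With no arguments, uses SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in external_users(data, sys.argv[2:] or ["example.com"]):
        print("\t".join(row))
```
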

All service accounts added to any resource in the organization

Same as before, but with service accounts.

gcloud asset search-all-iam-policies --scope=organizations/<id> | grep serviceAccount: | sort | uniq

All service accounts added to any resource in the organization (detailed)

This version includes full details about what each specific service account has access to.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query='policy : *gserviceaccount*'

All (human) admins inside an organization

This includes every single human who is an editor or an admin for some resource. This command provides detailed information about which admins control which resources.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query='roles:(Editor OR Admin) memberTypes:user'