GCP – Useful GCLOUD commands for IAM auditing

Update 2023/09/13: GCP has updated how some of the filters work. Some of these commands may not work anymore.

Here are a few helpful gcloud commands to see important IAM information!

Run these in your cloud shell or from your own machine using Cloud SDK

Just switch <id> with your organization’s id and <[email protected]> with the full e-mail of a specific user.


All permissions a specific user has across the entire organization

This can be used to show all the permissions a specific user has across your organization – that is, all projects, all services and all objects.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query="policy:<[email protected]>"

All users added to any resource in the organization

This can be used to detect things such as external users added to buckets, users added as administrators to specific resources, etc.

gcloud asset search-all-iam-policies --scope=organizations/<id> | grep user: | sort | uniq

All service accounts added to any resource in the organization

Same as before, but with service accounts.

gcloud asset search-all-iam-policies --scope=organizations/<id> | grep serviceAccount: | sort | uniq

All service accounts added to any resource in the organization (detailed)

This version includes full details about what each specific service account has acccess to.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query='policy : *gserviceaccount*'

All (human) admins inside an organization

This includes every single human that is an editor or an admin for some resource. This command provides detailed information about which admins controls which resources.

gcloud asset search-all-iam-policies --scope=organizations/<id> --query='roles:(Editor OR Admin) memberTypes:user'

Views: 60

Leave a Reply

Your email address will not be published. Required fields are marked *