GCP - gcloud commands to retrieve admin roles and member info - security

for risk control reasons we need to have scripts to get information of all admin roles, and people who are members of those admin roles. Note, I am specifically talking about "admin roles" (built in and custom) e.g. super admin, not the standard roles that are granted to people within a project, etc. I have not found a gcloud command that will provide this info. Additionally, I don't want to run this script as super admin - I can create a custom role, but could not determine the privileges this roles would need to get read-only access to this information.
If there is another non gcloud script way of doing this, I am open to it, but gcloud would be the easiest to get working I think.
Any help would be highly appreciated.
Fas
Reviewed documentation for gcloud but not luck

There is no command that will meet your requirements. You will need to write a custom program.
You must parse the policy bindings for both the project and each resource that supports IAM bindings. Then there are inherited permissions from the ORG and Folder levels. This can quickly get complicated and will require a solid understanding of authorization control in Google Cloud.
Each Google Cloud Resource has its own set of permissions. You must create a list of each admin-level IAM role and parse each custom role to determine if they have your definition of admin-level permissions.
A common mistake is that only the project IAM bindings are checked. Many resources support IAM bindings, which are authorization backdoors if managed incorrectly.
Start by reviewing this page to see the list of IAM roles and permissions:
IAM basic and predefined roles reference

You can use gcloud command with get-iam-policy :
gcloud projects get-iam-policy ${project_id} \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role=roles/owner"
The filter argument allows to filter on a needed field, I used bindings.role=roles/owner in this example.
flatten and format arguments allows to recover members.
This command allows displaying the members having the roles/owner.
You can list the expected roles for which you want to retrieve the members :
#!/bin/bash
declare -a StringArray=("roles/owner" "roles/my_custom_role" )
# Iterate over roles
for role in ${StringArray[#]}; do
gcloud projects get-iam-policy ${project_id} \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role=${role}"
done

Related

Difference between google_project_iam_binding and google_project_iam_member

Hi terraform mates out there
I want to automate the role assignments process for service accounts and users on the Google Cloud Platform. I am actually thinking of creating IAM custom roles to get fine-grained roles terraform resources for different services, and assign that role to the users or service account I want to.
Checking the way to associate which members will get what roles, I am actually wondering what is the difference between use google_project_iam_binding and use google_project_iam_member resources.
My current understanding could fall on in using google_project_iam_binding to grant roles to service accounts and google_project_iam_member to user accounts, but I am not sure since in the documentation they use both to associate user accounts.
I also found this interesting article https://binx.io/nl/2021/12/16/how-to-name-your-google-project-iam-resources-in-terraform/
As you know, Google IAM resources in Terraform come in three flavors:
google_project_iam_policy to define a complete policy for the project.
google_project_iam_binding to define all the members of a single role.
google_project_iam_member to define a single role binding for a single principal.
I didn't know the previous sentence and I would like to deep dive in the way I can use policies, and IAM roles in a better way for my purpose.
As the documentation states:
google_project_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other
roles within the IAM policy for the project are preserved.
google_project_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for
the project are preserved.
This means that google_project_iam_binding will grant a role to a list of members, and revokes it from any other member.
So if your project had two users e.g: jane#example.com and joe#example.com who both have roles/editor on the project. Running the following Terraform snippet will revoke roles/editor from joe#example.com as it's not present in the member list of google_project_iam_binding
resource "google_project_iam_binding" "project" {
project = "your-project-id"
role = "roles/editor"
members = [
"user:jane#example.com",
]
}
However, if you have for example jane#example.com and joe#example.com who both have roles/editor on the project. If you want to add a new editor (somone#example.com) without affecting the other roles/users, you can use google_project_iam_member
resource "google_project_iam_member" "project" {
project = "your-project-id"
role = "roles/editor"
member = "user:someone#example.com"
}
Notes from the documentation:
google_project_iam_policy cannot be used in conjunction with
google_project_iam_binding, google_project_iam_member, or
google_project_iam_audit_config or they will fight over what your
policy should be.
google_project_iam_binding resources can be used in conjunction with
google_project_iam_member resources only if they do not grant
privilege to the same role.
See:
Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals
https://discuss.hashicorp.com/t/difference-between-google-project-iam-binding-and-google-project-iam-member/49645/2
https://github.com/hashicorp/terraform-provider-google/issues/8354

What rights or permissiones does a user need to be able to run certain powershell commands in azure?

Iam trying to determine the minimum user rights , roles I can assign a user just so they can pull information from Azure AD, etc.
Currently the commands I am looking into are : Get-AzureADDevice , Get-AzureADUser, Get-MsolDevice.
All documentation I find just lists uses, examples etc. but not rights and I am currently unable to test out a case by case from normal user up to admin to find which rights are required.
Assigned the Global Reader role to the user and tested one of the given commands (Get-AzureADUser) in the Question.
Tried to update the user but not possible due to the role permission restrictions.
Note: Global Reader - Can read everything that a Global Administrator can, but not update anything.
Updated Answer:
Assigned the Directory Reader Role to the user and checked the workflow, able to get the information but not successful to update or do management work like updating/modifying the information using Azure Active Directory PowerShell Commands:
Workaround Result:
Note: Directory Reader Role - Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Depending on your requirement, you can choose any of the above RBAC for the user.

New-AzureADServiceAppRoleAssignment throws Error when use it without Global Admin account

I am using .Net Core App with hosting it on Azure Portal. Now at some place I need to use Get the detail of logged in User (Active Directory user) in the application. So for that I am using Microsoft Graph API. So to setup this permission I am using Get-AzureADServiceAppRoleAssignment command. It is working fine when I run this command with Global Administrator account access. But it throws error when I used it without Global Administrator account access.
Error: Service_InternalServerError. as shown in below image.
Anyone have an idea or suggestions how to get rid of this error, and Is there any way to run this script without Global Admin access?
Any help or suggestions will be highly appreciated !
Thanks
Assign the Cloud Application Administrator directory role to the affected user and try again.
the problem here is you don't necessarily need global admin, but the application/user would need a role that has at least roleassignment permissions. so you could create a custom role at the subscription level that has role assignment permissions.
you need
"Microsoft.Authorization/roleAssignments/"
and maybe
"Microsoft.Management/managementGroups/read"
"Microsoft.Authorization/roleDefinitions/"
However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a global admin role.. so it doesn't add any extra real security.

Google Cloud Scheduler Access

I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.

Azure Active Directory Object Permissions

I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/

Resources