Compares and analyzes GCP IAM roles.

Last update: Dec 28, 2022

Overview

gcp-iam-analyzer

I wrote this to help in my day to day working in GCP. A lot of the time I am doing role comparisons to see which role has more permissions, what the differences are, etc.

Features

Compares and analyzes GCP IAM roles. Currently supports 2 role comparisons to find:

The differences between the two.
Which permissions the two roles share.
Lists permissions for a given role or list of roles. (supports 1 + N roles)
Can output differences and shared permissions in the same flow.

In order to determine what permissions a role has we need some type of role -> permission lookup. Luckily, I already have that via a different project gcp_iam_update_bot which keeps an up to date list of ALL GCP IAM roles and their permissions (refreshes every 12 hours).

Before any role analysis takes place the script will look for the roles/ directory and prompt you to download it if it does not exist:

./gcp-iam-analyzer.py -d vpcaccess.admin vpcaccess.viewer
ERROR:"roles" folder does not exist. This is required for analysis.
Do you want to download the "roles" folder now? y/n

Otherwise you can always re-update your local roles database via ./gcp-iam-analyzer.py -r.

Execution:

./gcp-iam-analyzer.py --help
usage: gcp-iam-analyzer.py [-h] [-d ROLES [ROLES ...]] [-s ROLES [ROLES ...]] [-a ROLES [ROLES ...]] [-l ROLES [ROLES ...]] [-r]

Compares GCP IAM roles and outputs analysis.

optional arguments:
  -h, --help            show this help message and exit
  -d ROLES [ROLES ...], --diff ROLES [ROLES ...]
                        Compares roles and outputs the permissions difference.
  -s ROLES [ROLES ...], --shared ROLES [ROLES ...]
                        Compares roles and outputs the shared permissions.
  -a ROLES [ROLES ...], --all ROLES [ROLES ...]
                        Compares roles and outputs the differences and the shared permissins.
  -l ROLES [ROLES ...], --list ROLES [ROLES ...]
                        Lists permissions for role(s).
  -r, --refresh         Refreshes the local "roles" folder.

Example

Let's say we have a user in GCP that has the vpcaccess.admin role and you want to find out how many permissions they would "lose" if they were assigned the vpcaccess.viewer role.

./gcp-iam-analyzer.py -d vpcaccess.viewer vpcaccess.admin

Role "vpcaccess.viewer" differences:
'N/A'
Role "vpcaccess.admin" differences:
'vpcaccess.connectors.delete'
'vpcaccess.connectors.create'
'vpcaccess.connectors.use'

The above output shows that by assigning the vpcaccess.viewer role and removing the vpcaccess.admin role the user would lose:

'vpcaccess.connectors.create',
'vpcaccess.connectors.delete',
'vpcaccess.connectors.use'

Feedback

Feel free to open an issue if you encounter a bug or reach out via twitter @jasonadyke

Discord bot that manages expiration of roles with subscriptions!

3 Apr 28, 2022

This Server Cloner can clone the server you want with all the perms of roles in every particular channel.

Server-Cloner-with-perms 🚀 This Server Cloner can clone the server you want with all the perms of roles in every particular channel. Features Clone C

0 Feb 17, 2022

CDIoU and CDIoU loss is like a convenient plug-in that can be used in multiple models. CDIoU and CDIoU loss have different excellent performances in several models such as Faster R-CNN, YOLOv4, RetinaNet and . There is a maximum AP improvement of 1.9% and an average AP of 0.8% improvement on MS COCO dataset, compared to traditional evaluation-feedback modules. Here we just use as an example to illustrate the code.

CDIoU-CDIoUloss CDIoU and CDIoU loss is like a convenient plug-in that can be used in multiple models. CDIoU and CDIoU loss have different excellent p

24 Jul 19, 2022

Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon.

aggrokatz What is this aggrokatz is an Aggressor plugin extension for CobaltStrike which enables pypykatz to interface with the beacons remotely. The

148 Dec 9, 2022

Backtest 1000s of minute-by-minute trading algorithms for training AI with automated pricing data from: IEX, Tradier and FinViz. Datasets and trading performance automatically published to S3 for building AI training datasets for teaching DNNs how to trade. Runs on Kubernetes and docker-compose. 150 million trading history rows generated from +5000 algorithms. Heads up: Yahoo's Finance API was disabled on 2019-01-03 https://developer.yahoo.com/yql/

Stock Analysis Engine Build and tune investment algorithms for use with artificial intelligence (deep neural networks) with a distributed stack for ru

828 Dec 28, 2022

The algorithm performs a simple user registration (Name, CPF, E-mail and Telephone) in an Amazon RDS database and also performs the storage, training and facial recognition of the user's face to identify the users already registered in the system in a next time the user is seen.

Registration form with RDS AWS database and facial recognition via OpenCV The algorithm performs a simple user registration (Name, CPF, E-mail and Tel

59 Nov 27, 2022

Tools for use in DeFi. Impermanent Loss calculations, staking and farming strategies, coingecko and pancakeswap API queries, liquidity pools and more

DeFi open source tools Get Started Instalation General Tools Impermanent Loss, simple calculation Compare Buy & Hold with Staking and Farming Complete

467 Jan 8, 2023

A Pancakeswap and Uniswap trading client (and bot) with limit orders, marker orders, stop-loss, custom gas strategies, a GUI and much more.

Pancakeswap and Uniswap trading client Adam A A Pancakeswap and Uniswap trading client (and bot) with market orders, limit orders, stop-loss, custom g

570 Mar 9, 2022

This Binance trading bot detects new coins as soon as they are listed on the Binance exchange and automatically places sell and buy orders. It comes with trailing stop loss and other features. If you like this project please consider donating via Brave.

binance-trading-bot-new-coins This Binance trading bot detects new coins as soon as they are listed on the Binance exchange and automatically places s

1.4k Dec 24, 2022

Comments

Multi permission lookup

Can now handle N +1 permission lookups via 2 formats:

permission, permission
permission permission

For the 2 permissions accessapproval.settings.delete accessapproval.serviceAccounts.get the output will look like:

 # The roles with the "accessapproval.settings.delete" permission are: 

'accessapproval.configEditor'
'owner'

 # The roles with the "accessapproval.serviceAccounts.get" permission are: 

'accessapproval.invalidator'
'accessapproval.configEditor'
'owner'
'accessapproval.viewer'
'viewer'
'accessapproval.approver'
'editor'

opened by jdyke 0

September Improvements
This PR adds:

Better printing formats (spacing, line breaks, removing []

Properly handles bad role lookups (previously ugly failed)

README.md updates

Better error handling for edge cases

Permission input validation

This PR also adds new functionality for permissions lookup. Now you can pass in -p "permission" and it will find all known roles with that permission. For example:

./gcp-iam-analyzer.py -p workloadmanager.evaluations.get # The roles with the "workloadmanager.evaluations.get" permission are: 'workloadmanager.worker' 'owner' 'workloadmanager.viewer' 'workloadmanager.admin' 'viewer' 'editor'
opened by jdyke 0
fixes refresh flow

We weren't letting the user know the database was refreshed and instead went right to an error saying no argument was supplied. The database is refreshed, and an argument like -d -s etc. is required, but we should gracefully handle a scenario where someone only wants to update the roles DB and do nothing else.

opened by jdyke 0

List perms

This PR adds the --list functionality which will return / display all permissions for a given role. Example usage:

./gcp-iam-analyzer.py -l tpu.xpnAgent
# The permissions for tpu.xpnAgent are:
['compute.addresses.use',
 'compute.firewalls.create',
 'compute.firewalls.delete',
 'compute.firewalls.get',
 'compute.firewalls.update',
 'compute.globalOperations.get',
 'compute.networks.get',
 'compute.networks.list',
 'compute.networks.updatePolicy',
 'compute.networks.use',
 'compute.networks.useExternalIp',
 'compute.routes.list',
 'compute.subnetworks.get',
 'compute.subnetworks.list',
 'compute.subnetworks.use',
 'compute.subnetworks.useExternalIp',
 'compute.zoneOperations.get']

opened by jdyke 0

Owner

Jason Dyke

twitter: @jasonadyke

GitHub

Create a roles overview page for all Ansible roles/playbooks in Gitlab

ansible-create-roles-overview Overview The script ./create_roles_overview.py queries a Gitlab API for Ansible roles and playbooks. It will iterate ove

2 Oct 11, 2021

Validate all your Customer IAM Policies against AWS Access Analyzer - Policy Validation

✅ Access Analyzer - Batch Policy Validator This script will analyze using AWS Access Analyzer - Policy Validation all your account customer managed IA

41 Dec 12, 2022

It's a simple python script to take backup of directories (compressing) then the same to move your mentioned S3 bucket with the help of AWS IAM User.

Directory Backup Moved to S3 (Pyscript) Description Here it's a python script that needs to use this script simply create a directory backup and moved

3 Mar 4, 2022

Discord Bot for server hosts, devs, and admins. Analyzes timings reports & uploads text files to hastebin. Developed by https://birdflop.com.

"Botflop" Click here to invite Botflop to your server. Current abilities Analyze timings reports Paste a timings report to review an in-depth descript

76 Dec 31, 2022

Compares and analyzes GCP IAM roles.

Related tags