Compares and analyzes GCP IAM roles.

Overview

gcp-iam-analyzer

I wrote this to help in my day to day working in GCP. A lot of the time I am doing role comparisons to see which role has more permissions, what the differences are, etc.

Features

Compares and analyzes GCP IAM roles. Currently supports 2 role comparisons to find:

  • The differences between the two.
  • Which permissions the two roles share.
  • Lists permissions for a given role or list of roles. (supports 1 + N roles)
  • Can output differences and shared permissions in the same flow.

In order to determine what permissions a role has we need some type of role -> permission lookup. Luckily, I already have that via a different project gcp_iam_update_bot which keeps an up to date list of ALL GCP IAM roles and their permissions (refreshes every 12 hours).

Before any role analysis takes place the script will look for the roles/ directory and prompt you to download it if it does not exist:

./gcp-iam-analyzer.py -d vpcaccess.admin vpcaccess.viewer
ERROR:"roles" folder does not exist. This is required for analysis.
Do you want to download the "roles" folder now? y/n

Otherwise you can always re-update your local roles database via ./gcp-iam-analyzer.py -r.

Execution:

./gcp-iam-analyzer.py --help
usage: gcp-iam-analyzer.py [-h] [-d ROLES [ROLES ...]] [-s ROLES [ROLES ...]] [-a ROLES [ROLES ...]] [-l ROLES [ROLES ...]] [-r]

Compares GCP IAM roles and outputs analysis.

optional arguments:
  -h, --help            show this help message and exit
  -d ROLES [ROLES ...], --diff ROLES [ROLES ...]
                        Compares roles and outputs the permissions difference.
  -s ROLES [ROLES ...], --shared ROLES [ROLES ...]
                        Compares roles and outputs the shared permissions.
  -a ROLES [ROLES ...], --all ROLES [ROLES ...]
                        Compares roles and outputs the differences and the shared permissins.
  -l ROLES [ROLES ...], --list ROLES [ROLES ...]
                        Lists permissions for role(s).
  -r, --refresh         Refreshes the local "roles" folder.

Example

Let's say we have a user in GCP that has the vpcaccess.admin role and you want to find out how many permissions they would "lose" if they were assigned the vpcaccess.viewer role.

./gcp-iam-analyzer.py -d vpcaccess.viewer vpcaccess.admin

Role "vpcaccess.viewer" differences:
'N/A'
Role "vpcaccess.admin" differences:
'vpcaccess.connectors.delete'
'vpcaccess.connectors.create'
'vpcaccess.connectors.use'

The above output shows that by assigning the vpcaccess.viewer role and removing the vpcaccess.admin role the user would lose:

'vpcaccess.connectors.create',
'vpcaccess.connectors.delete',
'vpcaccess.connectors.use'

Feedback

Feel free to open an issue if you encounter a bug or reach out via twitter @jasonadyke

You might also like...
Discord bot that manages expiration of roles with subscriptions!

Discord bot that manages expiration of roles with subscriptions!

This Server Cloner can clone the server you want with all the perms of roles in every particular channel.

Server-Cloner-with-perms 🚀 This Server Cloner can clone the server you want with all the perms of roles in every particular channel. Features Clone C

CDIoU and CDIoU loss is like a convenient plug-in that can be used in multiple models. CDIoU and CDIoU loss have different excellent performances in several models such as Faster R-CNN, YOLOv4, RetinaNet and . There is a maximum AP improvement of 1.9% and an average AP of 0.8% improvement on MS COCO dataset, compared to traditional evaluation-feedback modules. Here we just use as an example to illustrate the code. Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon. Backtest 1000s of minute-by-minute trading algorithms for training AI with automated pricing data from: IEX, Tradier and FinViz. Datasets and trading performance automatically published to S3 for building AI training datasets for teaching DNNs how to trade. Runs on Kubernetes and docker-compose. >150 million trading history rows generated from +5000 algorithms. Heads up: Yahoo's Finance API was disabled on 2019-01-03 https://developer.yahoo.com/yql/ The algorithm performs a simple user registration (Name, CPF, E-mail and Telephone) in an Amazon RDS database and also performs the storage, training and facial recognition of the user's face to identify the users already registered in the system in a next time the user is seen. Tools for use in DeFi. Impermanent Loss calculations, staking and farming strategies, coingecko and pancakeswap API queries, liquidity pools and more
Tools for use in DeFi. Impermanent Loss calculations, staking and farming strategies, coingecko and pancakeswap API queries, liquidity pools and more

DeFi open source tools Get Started Instalation General Tools Impermanent Loss, simple calculation Compare Buy & Hold with Staking and Farming Complete

A Pancakeswap and Uniswap trading client (and bot) with limit orders, marker orders, stop-loss, custom gas strategies, a GUI and much more.
A Pancakeswap and Uniswap trading client (and bot) with limit orders, marker orders, stop-loss, custom gas strategies, a GUI and much more.

Pancakeswap and Uniswap trading client Adam A A Pancakeswap and Uniswap trading client (and bot) with market orders, limit orders, stop-loss, custom g

Comments
  • Multi permission lookup

    Multi permission lookup

    Can now handle N +1 permission lookups via 2 formats:

    • permission, permission
    • permission permission

    For the 2 permissions accessapproval.settings.delete accessapproval.serviceAccounts.get the output will look like:

     # The roles with the "accessapproval.settings.delete" permission are: 
    
    'accessapproval.configEditor'
    'owner'
    
     # The roles with the "accessapproval.serviceAccounts.get" permission are: 
    
    'accessapproval.invalidator'
    'accessapproval.configEditor'
    'owner'
    'accessapproval.viewer'
    'viewer'
    'accessapproval.approver'
    'editor'
    
    opened by jdyke 0
  • September Improvements

    September Improvements

    This PR adds:

    • Better printing formats (spacing, line breaks, removing []
    • Properly handles bad role lookups (previously ugly failed)
    • README.md updates
    • Better error handling for edge cases
    • Permission input validation

    This PR also adds new functionality for permissions lookup. Now you can pass in -p "permission" and it will find all known roles with that permission. For example:

    ./gcp-iam-analyzer.py -p workloadmanager.evaluations.get
    
    # The roles with the "workloadmanager.evaluations.get" permission are:
    
    'workloadmanager.worker'
    'owner'
    'workloadmanager.viewer'
    'workloadmanager.admin'
    'viewer'
    'editor'
    
    Screen Shot 2022-09-25 at 1 11 00 PM
    opened by jdyke 0
  • fixes refresh flow

    fixes refresh flow

    We weren't letting the user know the database was refreshed and instead went right to an error saying no argument was supplied. The database is refreshed, and an argument like -d -s etc. is required, but we should gracefully handle a scenario where someone only wants to update the roles DB and do nothing else.

    opened by jdyke 0
  • List perms

    List perms

    This PR adds the --list functionality which will return / display all permissions for a given role. Example usage:

    ./gcp-iam-analyzer.py -l tpu.xpnAgent
    # The permissions for tpu.xpnAgent are:
    ['compute.addresses.use',
     'compute.firewalls.create',
     'compute.firewalls.delete',
     'compute.firewalls.get',
     'compute.firewalls.update',
     'compute.globalOperations.get',
     'compute.networks.get',
     'compute.networks.list',
     'compute.networks.updatePolicy',
     'compute.networks.use',
     'compute.networks.useExternalIp',
     'compute.routes.list',
     'compute.subnetworks.get',
     'compute.subnetworks.list',
     'compute.subnetworks.use',
     'compute.subnetworks.useExternalIp',
     'compute.zoneOperations.get']
    
    opened by jdyke 0
Owner
Jason Dyke
twitter: @jasonadyke
Jason Dyke
Create a roles overview page for all Ansible roles/playbooks in Gitlab

ansible-create-roles-overview Overview The script ./create_roles_overview.py queries a Gitlab API for Ansible roles and playbooks. It will iterate ove

null 2 Oct 11, 2021
Validate all your Customer IAM Policies against AWS Access Analyzer - Policy Validation

✅ Access Analyzer - Batch Policy Validator This script will analyze using AWS Access Analyzer - Policy Validation all your account customer managed IA

Victor GRENU 41 Dec 12, 2022
It's a simple python script to take backup of directories (compressing) then the same to move your mentioned S3 bucket with the help of AWS IAM User.

Directory Backup Moved to S3 (Pyscript) Description Here it's a python script that needs to use this script simply create a directory backup and moved

Yousaf K Hamza 3 Mar 4, 2022
Discord Bot for server hosts, devs, and admins. Analyzes timings reports & uploads text files to hastebin. Developed by https://birdflop.com.

"Botflop" Click here to invite Botflop to your server. Current abilities Analyze timings reports Paste a timings report to review an in-depth descript

Purpur 76 Dec 31, 2022
Create a Neo4J graph of users and roles trust policies within an AWS Organization.

AWS_ORG_MAPPER This tool uses sso-oidc to authenticate to the AWS organization. Once authenticated the tool will attempt to enumerate all users and ro

Ruse 24 Jul 28, 2022
A Discord BOT that uses Google Sheets for storing the roles and permissions of a discord server.

Discord Role Manager Bot Role Manager is a discord BOT that utilizes Google Sheets for the organization of a server's hierarchy and permissions. Detai

Dion Rigatos 17 Oct 13, 2022
Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Quiet Riot ?? C'mon, Feel The Noise ?? An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, roo

Wes Ladd 89 Jan 5, 2023
A minimalistic, modern Discord bot for roles and polls using dropdowns

DropBot A minimalistic, modern Discord bot for roles and polls using dropdowns Made by ThatOneCalculator Technologies used Instructions Type /, and na

ModernBots 1 Jun 27, 2022
Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

null 1 Dec 29, 2021
A discord bot written in discord.py to manage custom roles assigned to boosters of your server.

BBotty A discord bot written in discord.py to manage custom roles assigned to boosters of your server. v0.0.1-alpha released! This version is incomple

Oui002 1 Nov 27, 2021