https://github.com/cyclenerd/google-cloud-unused-service-accounts
🤖 Detect unused Service Accounts in Google Cloud Platform
- Host: GitHub
- URL: https://github.com/cyclenerd/google-cloud-unused-service-accounts
- Owner: Cyclenerd
- License: apache-2.0
- Created: 2023-04-06T12:36:00.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2023-12-22T13:11:32.000Z (over 1 year ago)
- Last Synced: 2025-02-13T09:17:46.220Z (3 months ago)
- Topics: gcp, gcp-iam, google-cloud, google-cloud-identity, google-cloud-platform, google-cloud-security
- Language: Shell
- Size: 21.5 KB
- Stars: 1
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
README
# Detect unused Service Accounts
Collection of Bash and Perl scripts that work together with the
Google Cloud Platform [Policy Analyzer](https://cloud.google.com/policy-intelligence/docs/policy-analyzer-overview)
to detect unused Service Accounts (SA) or Service Account Keys (SAK)
in large Google Cloud organizations with many projects.
Tested and used within Google Cloud organizations of [DAX](https://en.wikipedia.org/wiki/DAX) companies.

## Requirement
A Bash shell, Perl, SQLite and a few other tools that are included in many standard GNU/Linux distributions.
In addition, you need the Google Cloud CLI `gcloud`, which is very easy to install.
### Linux (Debian/Ubuntu/Cloud Shell)
Install these packages with dependencies:
```shell
sudo apt install \
libjson-xs-perl \
libdbd-sqlite3-perl
```

Install Google Cloud CLI `gcloud` following these instructions:
### macOS (Brew)
Install these [Homebrew](https://brew.sh/) packages with dependencies:
```shell
brew install perl
brew install cpanminus pkg-config
brew install sqlite3
brew install --cask google-cloud-sdk
```

Install Perl modules with cpanminus:
```shell
cpanm --installdeps .
```

Install Google Cloud CLI `gcloud` following these instructions:
### Windows (Cygwin)
Install these [Cygwin](https://www.cygwin.com/) packages:
* perl
* perl-DBD-SQLite
* perl-JSON-XS
* sqlite3
* python3

Install Google Cloud CLI `gcloud` following these instructions:
## Usage
1. **Create list with projects:**

   ```shell
   bash 1_projects.sh
   ```

   All projects to which the user has access are saved to `projects.csv`.
   The CSV list can be adjusted manually.
   These projects will be used in the next steps.

1. **Enable "Policy Analyzer" API:**

   ```shell
   bash 2_enable-api.sh
   ```

1. **Get SA and SAK authentications:**

   ```shell
   bash 3_get.sh
   ```

1. **Create overview for evaluation:**

   ```shell
   bash 4_query.sh
   ```

   The CSV export `auth.csv` is created.
   You can import this file into your favorite spreadsheet program.

A few evaluation tips:
* Service account keys could pose a security risk if compromised.
* More than one user-managed key (CSV column: `userManaged`) is not a good idea.
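The evaluation tips above can also be applied to `auth.csv` from a script rather than a spreadsheet. The block below is an added example and not one of the repository's scripts; it assumes the export has an `email` and a `lastAuth` column next to the `userManaged` column the README names, and runs on constructed sample rows.

```shell
#!/usr/bin/env bash
# Added example, not a script from the repository. Evaluates a CSV shaped
# like auth.csv: only the `userManaged` column name comes from the README;
# `email` and `lastAuth` are assumed column names.
set -eu

# Constructed sample rows in the assumed layout (header names matter, order does not).
SAMPLE_CSV="$(mktemp)"
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
email,userManaged,lastAuth
ci-deploy@example-prj.iam.gserviceaccount.com,3,2023-11-02
reporting@example-prj.iam.gserviceaccount.com,1,2023-12-01
legacy-batch@example-prj.iam.gserviceaccount.com,2,
EOF

# Print one "FINDING,email,detail" line per issue found in the CSV:
#   MULTI_KEY - more than $2 (default 1) user-managed keys on the account
#   NO_AUTH   - empty lastAuth, i.e. no authentication observed for the account
evaluate_auth_csv() {
  local csv="$1" max_keys="${2:-1}"
  awk -F',' -v max="$max_keys" '
    { sub(/\r$/, "") }                       # tolerate CRLF exports
    NR == 1 {                                # map header names to column numbers
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("email" in col) || !("userManaged" in col) || !("lastAuth" in col)) {
        print "required column missing in " FILENAME > "/dev/stderr"
        exit 2
      }
      next
    }
    NF == 0 { next }                         # skip blank lines
    {
      email = $(col["email"])
      keys  = $(col["userManaged"]) + 0      # non-numeric or empty counts as 0
      if (keys > max) print "MULTI_KEY," email "," keys
      if ($(col["lastAuth"]) == "") print "NO_AUTH," email ","
    }
  ' "$csv"
}

evaluate_auth_csv "$SAMPLE_CSV"
```

Accounts flagged `NO_AUTH` are candidates for disabling before deletion; `MULTI_KEY` rows are the ones to reduce to a single user-managed key, or none where workload identity can replace the key.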
## License

All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.