https://github.com/zefdelgadillo/policy-parser
🕵️♂️ Google Cloud IAM policy document parser
https://github.com/zefdelgadillo/policy-parser
google google-cloud iam
Last synced: 7 months ago
JSON representation
🕵️♂️ Google Cloud IAM policy document parser
- Host: GitHub
- URL: https://github.com/zefdelgadillo/policy-parser
- Owner: zefdelgadillo
- License: mit
- Created: 2022-04-12T21:23:27.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2022-04-19T01:11:57.000Z (almost 4 years ago)
- Last Synced: 2025-02-12T19:19:28.652Z (about 1 year ago)
- Topics: google, google-cloud, iam
- Language: Python
- Homepage:
- Size: 16.6 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
README
# Policy Parser
Easily parse and filter yaml or json-based Google Cloud Platform (GCP) IAM policy documents.
```bash
$ gcloud projects get-iam-policy my-project | pparse -o table
principal_type principal role
---------------- --------------------------------------------------------------------------- ------------------------------------
serviceAccount 555555555555@cloudbuild.gserviceaccount.com roles/cloudbuild.builds.builder
group tech-dev-team@company.com roles/cloudbuild.builds.editor
serviceAccount service-555555555555@gcp-sa-cloudbuild.iam.gserviceaccount.com roles/cloudbuild.serviceAgent
serviceAccount service-555555555555@gcp-sa-computescanning.iam.gserviceaccount.com roles/computescanning.serviceAgent
group tech-dev-managers@company.com roles/owner
user annbaker@company.com roles/storage.admin
user louiefranco@company.com roles/storage.admin
user annbaker@company.com roles/storage.objectAdmin
user louiefranco@company.com roles/storage.objectAdmin
group tech-all@company.com roles/viewer
group tech-dev-team@company.com roles/viewer
```
## Installation
```
# Requires Python >= 3.8
pip install pparse
```
## Usage
### Parse
Pass in a policy document into `pparse` directly from gcloud and select an output format using `--output-format`.
```bash
$ gcloud projects get-iam-policy my-project | pparse --output-format csv
```
* csv
* table
* json
* yaml
### Filters
You can filter policy documents by using one of the following commands. Use the `-s` flag to return a simple list of users or roles.
#### Filter by User Principal: `pparse principal`
```bash
$ gcloud ... | pparse principal louiefranco@company.com -s
roles/owner
roles/storage.admin
roles/storage.objectAdmin
```
#### Filter by Role `pparse role`
```bash
$ gcloud ... | pparse role roles/owner -s
group:tech-code-guidance@company.com
group:tech-dev-managers@company.com
user:annbaker@company.com
user:jimmyjohn@company.com
user:louiefranco@company.com
user:rhondaseltzer@company.com
```
#### Filter by Domain `pparse domain`
```bash
$ gcloud ... | pparse domain company.com
bindings:
- members:
- group:tech-dev-team@company.com
role: roles/cloudbuild.builds.editor
- members:
- group:tech-code-guidance@company.com
- group:tech-dev-managers@company.com
- user:annbaker@company.com
- user:jimmyjohn@company.com
- user:louiefranco@company.com
- user:rhondaseltzer@company.com
role: roles/owner
```
#### Filter by Principal Type `pparse type`
```bash
$ gcloud ... | pparse -o csv type serviceaccount
principal_type,principal,role
serviceAccount,555555555555@cloudbuild.gserviceaccount.com,roles/cloudbuild.builds.builder
serviceAccount,service-555555555555@gcp-sa-cloudbuild.iam.gserviceaccount.com,roles/cloudbuild.serviceAgent
serviceAccount,service-555555555555@compute-system.iam.gserviceaccount.com,roles/compute.serviceAgent
serviceAccount,service-555555555555@gcp-sa-computescanning.iam.gserviceaccount.com,roles/computescanning.serviceAgent
serviceAccount,service-555555555555@container-engine-robot.iam.gserviceaccount.com,roles/container.serviceAgent
```
#### Filter by Permission `pparse permission`
```bash
$ gcloud ... | pparse -o table permission storage.objects.get
principal_type principal role
---------------- --------------------------------------------------------------------------- ------------------------------------
serviceAccount 555555555555@cloudbuild.gserviceaccount.com roles/cloudbuild.builds.builder
serviceAccount service-555555555555@gcp-sa-cloudbuild.iam.gserviceaccount.com roles/cloudbuild.serviceAgent
serviceAccount service-555555555555@container-analysis.iam.gserviceaccount.com roles/containeranalysis.ServiceAgent
serviceAccount service-555555555555@dataflow-service-producer-prod.iam.gserviceaccount.com roles/dataflow.serviceAgent
serviceAccount service-555555555555@gcp-sa-datamigration.iam.gserviceaccount.com roles/datamigration.serviceAgent
serviceAccount service-555555555555@firebase-rules.iam.gserviceaccount.com roles/firebaserules.system
serviceAccount service-555555555555@gcp-sa-firestore.iam.gserviceaccount.com roles/firestore.serviceAgent
user annbaker@company.com roles/storage.admin
user louiefranco@company.com roles/storage.admin
user annbaker@company.com roles/storage.objectAdmin
user louiefranco@company.com roles/storage.objectAdmin
```