Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/zefdelgadillo/policy-parser
🕵️♂️ Google Cloud IAM policy document parser
- Host: GitHub
- URL: https://github.com/zefdelgadillo/policy-parser
- Owner: zefdelgadillo
- License: mit
- Created: 2022-04-12T21:23:27.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-04-19T01:11:57.000Z (over 2 years ago)
- Last Synced: 2024-10-08T09:32:52.358Z (3 months ago)
- Topics: google, google-cloud, iam
- Language: Python
- Homepage:
- Size: 16.6 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# Policy Parser
Easily parse and filter YAML or JSON Google Cloud Platform (GCP) IAM policy documents, such as the output of `gcloud projects get-iam-policy`.

```bash
$ gcloud projects get-iam-policy my-project | pparse -o table
principal_type principal role
---------------- --------------------------------------------------------------------------- ------------------------------------
serviceAccount [email protected] roles/cloudbuild.builds.builder
group [email protected] roles/cloudbuild.builds.editor
serviceAccount [email protected] roles/cloudbuild.serviceAgent
serviceAccount service-555555555555@gcp-sa-computescanning.iam.gserviceaccount.com roles/computescanning.serviceAgent
group [email protected] roles/owner
user [email protected] roles/storage.admin
user [email protected] roles/storage.admin
user [email protected] roles/storage.objectAdmin
user [email protected] roles/storage.objectAdmin
group [email protected] roles/viewer
group [email protected] roles/viewer
```

## Installation

```bash
# Requires Python >= 3.8
pip install pparse
```

## Usage
### Parse
Pipe a policy document from `gcloud` into `pparse` and choose an output format with `--output-format` (short form `-o`, as in the examples below):

```bash
$ gcloud projects get-iam-policy my-project | pparse --output-format csv
```

Supported output formats:

* csv
* table
* json
* yaml

### Filters
Filter a policy document with one of the subcommands below. Add the `-s` flag to get a simple list instead of a full policy document: the roles held by a principal, or the members holding a role.

#### Filter by User Principal: `pparse principal`
```bash
$ gcloud ... | pparse principal [email protected] -s
roles/owner
roles/storage.admin
roles/storage.objectAdmin
```

#### Filter by Role: `pparse role`
```bash
$ gcloud ... | pparse role roles/owner -s
group:[email protected]
group:[email protected]
user:[email protected]
user:[email protected]
user:[email protected]
user:[email protected]
```

#### Filter by Domain: `pparse domain`
```bash
$ gcloud ... | pparse domain company.com
bindings:
- members:
- group:[email protected]
role: roles/cloudbuild.builds.editor
- members:
- group:[email protected]
- group:[email protected]
- user:[email protected]
- user:[email protected]
- user:[email protected]
- user:[email protected]
role: roles/owner
```

#### Filter by Principal Type: `pparse type`

The type is matched case-insensitively, so `serviceaccount` matches `serviceAccount` members:
```bash
$ gcloud ... | pparse -o csv type serviceaccount
principal_type,principal,role
serviceAccount,[email protected],roles/cloudbuild.builds.builder
serviceAccount,[email protected],roles/cloudbuild.serviceAgent
serviceAccount,[email protected],roles/compute.serviceAgent
serviceAccount,service-555555555555@gcp-sa-computescanning.iam.gserviceaccount.com,roles/computescanning.serviceAgent
serviceAccount,service-555555555555@container-engine-robot.iam.gserviceaccount.com,roles/container.serviceAgent
```

#### Filter by Permission: `pparse permission`

Returns every binding whose role includes the given permission:
```bash
$ gcloud ... | pparse -o table permission storage.objects.get
principal_type principal role
---------------- --------------------------------------------------------------------------- ------------------------------------
serviceAccount [email protected] roles/cloudbuild.builds.builder
serviceAccount [email protected] roles/cloudbuild.serviceAgent
serviceAccount [email protected] roles/containeranalysis.ServiceAgent
serviceAccount service-555555555555@dataflow-service-producer-prod.iam.gserviceaccount.com roles/dataflow.serviceAgent
serviceAccount service-555555555555@gcp-sa-datamigration.iam.gserviceaccount.com roles/datamigration.serviceAgent
serviceAccount [email protected] roles/firebaserules.system
serviceAccount [email protected] roles/firestore.serviceAgent
user [email protected] roles/storage.admin
user [email protected] roles/storage.admin
user [email protected] roles/storage.objectAdmin
user [email protected] roles/storage.objectAdmin
```
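The following is an added example, written for this page and not code from the pparse project, that shows how the parse and filter steps above can be built: it flattens a policy into one row per (member, role) pair and implements the equivalents of `pparse principal`, `pparse role`, `pparse domain` and `pparse type`, plus the `-s` lists and the `-o csv` layout. It assumes the JSON form of the policy (`gcloud projects get-iam-policy PROJECT --format=json`); `SAMPLE_POLICY` is constructed for the example and describes no real project. Two things it adds that the README output above does not show: a condition column, because a binding with an IAM condition grants less than its role name suggests and should not be read as an unconditional grant, and a `review_findings` pass that surfaces basic roles (`roles/owner`, `roles/editor`, `roles/viewer`), public members (`allUsers`, `allAuthenticatedUsers`) and `deleted:` principals. `pparse permission` is not reproduced, since it needs role-to-permission definitions (for example from `gcloud iam roles describe ROLE`) that the README does not describe.

```python
"""Added example, not pparse's own code: flatten a GCP IAM policy into one row per
(member, role) pair and apply the equivalents of `pparse principal|role|domain|type`.
Assumes the JSON form of the policy (`gcloud projects get-iam-policy PROJECT
--format=json`); SAMPLE_POLICY is constructed for this example."""
import csv
import io
import json
import sys
from dataclasses import dataclass
from typing import List, Optional

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, shaped like gcloud's --format=json output.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["group:admins@company.com", "user:alice@company.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.admin", "members": ["user:bob@company.com"],
         "condition": {"title": "expires_end_of_quarter",
                       "expression": "request.time < timestamp('2024-07-01T00:00:00Z')"}},
        {"role": "roles/viewer",
         "members": ["deleted:user:carol@company.com?uid=1234567890", "domain:partner.example"]},
    ],
})

@dataclass(frozen=True)
class Row:
    principal_type: str       # user, group, serviceAccount, domain, allUsers, deleted:user, ...
    principal: str            # e-mail or domain name; empty for allUsers / allAuthenticatedUsers
    role: str
    condition: Optional[str]  # title of the binding's IAM condition; None when unconditional

def parse_member(member: str):
    """Split an IAM member string such as "user:alice@company.com" into (type, name)."""
    if member in PUBLIC_MEMBERS:
        return member, ""
    deleted = member.startswith("deleted:")
    if deleted:
        member = member[len("deleted:"):]
    kind, _, name = member.partition(":")
    name = name.split("?", 1)[0]  # deleted members carry a "?uid=..." suffix
    return ("deleted:" + kind if deleted else kind), name

def parse_policy(doc: str) -> List[Row]:
    """One Row per member of every binding; the condition title is carried along."""
    rows = []
    for binding in json.loads(doc).get("bindings", []):
        title = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            ptype, name = parse_member(member)
            rows.append(Row(ptype, name, binding["role"], title))
    return rows

def by_principal(rows, email):  # pparse principal EMAIL
    return [r for r in rows if r.principal.lower() == email.lower()]

def by_role(rows, role):  # pparse role ROLE
    return [r for r in rows if r.role == role]

def by_domain(rows, domain):  # pparse domain DOMAIN: members of the domain, or the domain itself
    d = domain.lower()
    return [r for r in rows if r.principal.lower().endswith("@" + d)
            or (r.principal_type == "domain" and r.principal.lower() == d)]

def by_type(rows, ptype):  # pparse type TYPE, case-insensitive
    return [r for r in rows if r.principal_type.lower() == ptype.lower()]

def simple_roles(rows):  # -s after a principal filter
    return sorted({r.role for r in rows})

def simple_members(rows):  # -s after a role filter
    return sorted({f"{r.principal_type}:{r.principal}" if r.principal else r.principal_type
                   for r in rows})

def review_findings(rows):
    """Bindings a reviewer should look at first: basic roles, public members, deleted principals."""
    return [r for r in rows if r.role in BASIC_ROLES or r.principal_type in PUBLIC_MEMBERS
            or r.principal_type.startswith("deleted:")]

def to_csv(rows) -> str:  # the -o csv layout, plus a condition column
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["principal_type", "principal", "role", "condition"])
    for r in rows:
        writer.writerow([r.principal_type, r.principal, r.role, r.condition or ""])
    return out.getvalue()

if __name__ == "__main__":
    doc = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    print(to_csv(review_findings(parse_policy(doc))), end="")
```

Run it as `gcloud projects get-iam-policy my-project --format=json | python3 policy_rows.py` to get the review findings as CSV, or with no input to see the constructed sample. The `-s` style lists deduplicate and sort, so a member that appears in several bindings is listed once; the full row list keeps every binding, including the conditional ones.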