GCP IAM: In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource. Ref: https://cloud.google.com/iam/docs/overview
So basically, Access control for Google Cloud resources is managed by IAM policies. An IAM policy is attached to a resource.
With the Cloud Resource Manager API we can retrieve a policy and check the permissions assigned to a user, but it's resource-centric. Policies for organizations, folders, projects, etc. can be retrieved. Example: https://cloud.google.com/resource-manager/reference/rest/v1/organizations/getIamPolicy
Cloud Asset Inventory: has an API to search all IAM policies. With the query parameter it has a filter for user, but it supports a subset of the resources to which an IAM policy can be assigned. API: https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllIamPolicies Reference:
- https://cloud.google.com/asset-inventory/docs/supported-asset-types
- https://cloud.google.com/iam/docs/resource-types-with-policies
Question: Is there any way to fetch all the permissions granted to identity across all GCP resources instead of checking IAM Policy of each and every resource?
Basically, I am looking for a consolidated view of all the permissions granted to an identity in GCP. The problem is that, to understand the permissions assigned to a user on a single resource with the API, we have to fetch all the resource policies and check their bindings.
As of now there is not a gcloud or API call that can be used to easily check the permissions granted to a particular resource (such as a user, service account, etc.), as explained in your question. As you are already aware, you could use the relevant gcloud command to search for the specific roles assigned at each distinct resource, e.g.:
Resulting in e.g.:
And from these responses parse the fields corresponding to the "role:" assigned at each resource to see which permissions are assigned to that specific role using the relevant gcloud command, and check the output corresponding to the "includedPermissions:" fields. I will therefore recommend that you star and follow this Feature Request on GCP's Public Issue Tracker to check the feasibility (or not) of this issue being implemented in the future.