@bgeesaman
Last active July 30, 2019 13:19
Enumerates GCP IAM Roles with the ability to view Legacy Auth Credentials on GKE Clusters.
#!/usr/bin/env bash
# fetchgkecredsroles.sh: list the IAM roles gcloud can see, then keep those whose
# permissions match the filter for viewing legacy auth credentials on GKE clusters.
ALL_ROLES="$(gcloud iam roles list --format=json | jq -r '.[].name')"
for i in ${ALL_ROLES}; do
  CURRENT_ROLE="${i}"
  # '[]?' makes jq tolerate roles that carry no includedPermissions array.
  CURRENT_ROLE_PERMS="$(gcloud iam roles describe "${i}" --format=json | jq -r '.includedPermissions[]?' | grep -E 'container\.clusters\.get$|container\.clusters\.list')"
  if [[ -n "${CURRENT_ROLE_PERMS}" ]]; then
    echo "${CURRENT_ROLE} has: "
    echo "${CURRENT_ROLE_PERMS}"
  fi
done
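As an added example (not part of the gist), the same permission filter in Python, extended to join the matching roles against a project IAM policy so you can see which principals actually hold them. The role descriptions and policy are constructed samples in the shape of `gcloud iam roles describe --format=json` and `gcloud projects get-iam-policy --format=json` output, not real data.

```python
import re

# Same filter as the gist's egrep: permissions the gist treats as granting the
# ability to view legacy auth credentials on GKE clusters.
LEGACY_CRED_PERMS = re.compile(r"container\.clusters\.get$|container\.clusters\.list")


def roles_with_perms(role_descriptions, pattern=LEGACY_CRED_PERMS):
    """Return {role name: sorted matching permissions} for roles with any match.

    role_descriptions: dicts with 'name' and 'includedPermissions' keys, as in
    the JSON from `gcloud iam roles describe`.
    """
    matches = {}
    for role in role_descriptions:
        hits = sorted(p for p in role.get("includedPermissions", []) if pattern.search(p))
        if hits:
            matches[role["name"]] = hits
    return matches


def members_with_perms(policy, matching_roles):
    """Return {member: set of held roles} for bindings on any role in matching_roles.

    policy: dict with a 'bindings' list of {'role', 'members'} (IAM policy shape).
    """
    exposed = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in matching_roles:
            for member in binding.get("members", []):
                exposed.setdefault(member, set()).add(binding["role"])
    return exposed


# Constructed sample data (not real gcloud output).
SAMPLE_ROLES = [
    {"name": "roles/container.viewer",
     "includedPermissions": ["container.clusters.get", "container.clusters.list", "container.pods.list"]},
    {"name": "roles/iam.securityReviewer", "includedPermissions": ["container.clusters.list", "iam.roles.get"]},
    {"name": "roles/logging.viewer", "includedPermissions": ["logging.logEntries.list"]},
]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/container.viewer", "members": ["user:alice@example.com", "serviceAccount:ci@example.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer", "members": ["user:bob@example.com"]},
    {"role": "roles/iam.securityReviewer", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    roles = roles_with_perms(SAMPLE_ROLES)
    for name, perms in roles.items():
        print(f"{name} has: {', '.join(perms)}")
    for member, held in sorted(members_with_perms(SAMPLE_POLICY, roles).items()):
        print(f"{member} via {', '.join(sorted(held))}")
```

To run it against a live project, replace the samples with the parsed output of the two gcloud commands named above; members bound at folder or organization level inherit these roles too and are not visible in a project-level policy.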
bgeesaman commented Jul 23, 2019

./fetchgkecredsroles.sh
roles/composer.worker has: 
container.clusters.get
container.clusters.list
roles/container.admin has: 
container.clusters.get
container.clusters.list
roles/container.clusterAdmin has: 
container.clusters.get
container.clusters.list
roles/container.clusterViewer has: 
container.clusters.get
container.clusters.list
roles/container.developer has: 
container.clusters.get
container.clusters.list
roles/container.viewer has: 
container.clusters.get
container.clusters.list
roles/editor has: 
container.clusters.get
container.clusters.list
roles/iam.securityAdmin has: 
container.clusters.list
roles/iam.securityReviewer has: 
container.clusters.list
roles/owner has: 
container.clusters.get
container.clusters.list
roles/viewer has: 
container.clusters.get
container.clusters.list
