@dcloud9
Created January 22, 2020 16:01
gcp-gcloud-get-serviceaccounts-roles
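#!/usr/bin/env bash
# Get all roles attached to all service accounts, users and groups, per project, per environment in GCP.
# Dependencies: create and authenticate one gcloud named configuration per environment:
#   gcloud config configurations create <env>|<named config>
# Requires: gcloud, jq
set -e
umask 077   # the report and work files list IAM members; keep them private to this user
ENVLIS="dev tst stg prd"
# Work files go in a private mktemp directory instead of predictable names under /tmp.
WORKDIR=$(mktemp -d)
trap 'rm -rf "${WORKDIR}"' EXIT
PROJECTLIST="${WORKDIR}/projects"
SALIST="${WORKDIR}/sa"
TIMESTAMP=$(date "+%Y%m%d%H%M")
OUTLIST="/tmp/out-${TIMESTAMP}"
for ENV in ${ENVLIS}
do
  echo "enabling GCP creds for ${ENV}..."
  gcloud config configurations activate "${ENV}"
  # Projects whose ID contains the environment name
  gcloud projects list --format=json | jq -r '.[].projectId' | grep "${ENV}" | sort -u > "${PROJECTLIST}-${ENV}"
  # Read the lists on fd 3 and fd 4 so gcloud cannot consume them from stdin
  while read -r PROJECT <&3
  do
    echo -e "\nProject: ${PROJECT}" | tee -a "${OUTLIST}-${ENV}.txt"
    # Every distinct member (service account, user, group) bound in the project policy
    gcloud projects get-iam-policy "${PROJECT}" --flatten="bindings[].members" --format=json | jq -r '.[].bindings.members' | sort -u > "${SALIST}-${PROJECT}-${ENV}"
    while read -r SA <&4
    do
      # One "member role" row for each binding held by this member
      gcloud projects get-iam-policy "${PROJECT}" --flatten="bindings[].members" --filter="bindings.members:${SA}" --format='table[no-heading](bindings.members,bindings.role)' | tee -a "${OUTLIST}-${ENV}.txt"
    done 4< "${SALIST}-${PROJECT}-${ENV}"
  done 3< "${PROJECTLIST}-${ENV}"
done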
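
A review pass over the report files this script writes, as an added example that is not part of the original gist. The function name, the three flagging rules (public members, basic roles on service accounts, project-wide impersonation roles) and the reason labels are assumptions of this example, and the sample report is constructed.

```shell
#!/usr/bin/env bash
# Added example: flag risky bindings in a report written by the script above.
# Report format: a "Project: <id>" line, then "<member>  <role>" rows.
# The three flagging rules and reason labels are this example's assumptions.
flag_risky_bindings() {
  awk '
    $1 == "Project:" { project = $2; next }   # start of a project block
    NF != 2 { next }                          # blank or unexpected line
    {
      member = $1; role = $2; reason = ""
      if (member == "allUsers" || member == "allAuthenticatedUsers")
        reason = "public-member"
      else if (member ~ /^serviceAccount:/ && (role == "roles/owner" || role == "roles/editor"))
        reason = "basic-role-on-service-account"
      else if (role == "roles/iam.serviceAccountTokenCreator" || role == "roles/iam.serviceAccountUser")
        reason = "project-wide-impersonation"
      key = project SUBSEP member SUBSEP role
      if (reason != "" && !(key in seen)) {   # report each binding once
        seen[key] = 1
        printf "%s\t%s\t%s\t%s\n", project, member, role, reason
      }
    }
  ' "$1"
}

# Constructed sample report (no real projects or accounts).
sample_report() {
  cat <<'EOF'

Project: example-dev-app
serviceAccount:build@example-dev-app.iam.gserviceaccount.com  roles/editor
serviceAccount:build@example-dev-app.iam.gserviceaccount.com  roles/logging.logWriter
user:alice@example.com  roles/owner
group:ops@example.com  roles/iam.serviceAccountTokenCreator

Project: example-dev-web
allUsers  roles/storage.objectViewer
serviceAccount:web@example-dev-web.iam.gserviceaccount.com  roles/run.invoker
EOF
}

report=$(mktemp)
sample_report > "$report"
flag_risky_bindings "$report"   # on real output: flag_risky_bindings /tmp/out-<timestamp>-dev.txt
rm -f "$report"
```

Each output row is tab-separated: project, member, role, reason. Custom roles and bindings that match none of the three rules are not listed.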