Google Cloud — IAM users extraction across all projects in a GCP org

Any enterprise wants to know who has access to its systems and resources, and at what level. You can get user and group information from your identity solution, such as Okta or Cloud Identity.
GCP's open-source security tool, Forseti Security, also lets you list the users, groups and roles for your entire org. It can actually do much more than that, such as collecting your entire organization's inventory, visualizing it and reporting violations, but that is a separate topic in itself, so we will concentrate only on IAM here.
Let's see how to retrieve the full user list for a Google Cloud org from Cloud Shell. To get the user list for a single project, the gcloud command below is used:
gcloud projects get-iam-policy $projectname
It displays the result in YAML format, which I find very difficult to read and interpret in terms of who has access and which role they have when the list is huge. [ You might have a different view on this :) ]
- members:
  - john.smith@somecompany.com
  - jane.doe@somecompany.com
  role: roles/viewer
Even if you are an org admin, you won't be able to get the list of users for all projects with a single gcloud command. There may well be a reason why Google displays the user list in YAML format and limits the results to a single project, but wouldn't it be nicer if it displayed the user list in the format below, [ :) ] so you can easily filter the roles and users in an Excel sheet?
So we will go ahead and do that. The steps involved in the extraction are as follows:
- Iterate through the projects
- Use --format="table(bindings)[0]" to extract the information in JSON format. (Note: I am comfortable working with data in JSON format; if you find it easier to retrieve the information in YAML format, you can use that instead.)
- Clean the output of extra words and spaces (sed -e 's/^\w*\ *//' | tail -c +2)
- Pipe the output to a Python file.
- Use the json library to reformat the data and clean it further to display it in CSV format.
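The pipeline above, as an added example that is not the author's script: a shell loop over the org's projects feeds each project's policy into a small Python program that flattens the nested bindings into one CSV row per member and role. It reads the policy as `gcloud projects get-iam-policy <project> --format=json` returns it rather than scraping the table output, so no sed cleanup is needed. The file name `iam_to_csv.py`, the function names, and the sample policy embedded for offline runs are assumptions constructed for this example. It goes a little beyond the text by keeping the member type (user, group, serviceAccount) and any binding condition as separate columns, and by picking out bindings granted to allUsers or allAuthenticatedUsers, which are the rows to review first.

```python
#!/usr/bin/env python3
"""Flatten GCP IAM policy bindings into one-row-per-member CSV.

Assumed usage from Cloud Shell (gcloud installed and authenticated):

    python3 iam_to_csv.py --header > iam_report.csv
    for p in $(gcloud projects list --format="value(projectId)"); do
        gcloud projects get-iam-policy "$p" --format=json | python3 iam_to_csv.py "$p"
    done >> iam_report.csv

Run with no stdin (e.g. from a terminal) it uses the constructed sample below.
"""
import csv
import io
import json
import sys

# Constructed sample of what `gcloud projects get-iam-policy <project> --format=json`
# returns, trimmed to the fields used here. Not real data.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:john.smith@somecompany.com",
                 "user:jane.doe@somecompany.com"],
     "role": "roles/viewer"},
    {"members": ["group:sre@somecompany.com",
                 "serviceAccount:deploy@example-project.iam.gserviceaccount.com"],
     "role": "roles/editor"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer",
     "condition": {"title": "public-assets",
                   "expression": "resource.name.startsWith('projects/_/buckets/public')"}}
  ],
  "etag": "BwXyZ-constructed",
  "version": 3
}
"""

FIELDS = ["project", "member_type", "member", "role", "condition"]


def load_policy(text):
    """Parse the JSON policy document gcloud prints."""
    return json.loads(text)


def split_member(member):
    """'user:a@b.com' -> ('user', 'a@b.com'). Special principals such as
    'allUsers' carry no prefix, so their own name doubles as the type."""
    if ":" in member:
        kind, _, ident = member.partition(":")
        return kind, ident
    return member, member


def flatten_policy(project_id, policy):
    """Turn the nested bindings list into flat rows: one row per (member, role)."""
    rows = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition", {}).get("title", "")
        for member in binding.get("members", []):
            kind, ident = split_member(member)
            rows.append({"project": project_id, "member_type": kind,
                         "member": ident, "role": role, "condition": condition})
    return rows


def public_bindings(rows):
    """Rows granting a role to everyone on the internet (or every Google account)."""
    return [r for r in rows if r["member_type"] in ("allUsers", "allAuthenticatedUsers")]


def rows_to_csv(rows, header=False):
    """Render rows as CSV text; the header is emitted once by the caller."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    if header:
        writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def main(argv):
    if len(argv) > 1 and argv[1] == "--header":
        sys.stdout.write(",".join(FIELDS) + "\n")
        return
    project = argv[1] if len(argv) > 1 else "example-project"
    if sys.stdin.isatty():
        policy = load_policy(SAMPLE_POLICY_JSON)  # offline demo path
    else:
        policy = json.load(sys.stdin)             # piped from gcloud
    rows = flatten_policy(project, policy)
    for row in public_bindings(rows):
        sys.stderr.write(f"REVIEW: {project} grants {row['role']} to {row['member']}\n")
    sys.stdout.write(rows_to_csv(rows))


if __name__ == "__main__":
    main(sys.argv)
```

The resulting CSV opens directly in a spreadsheet, and the separate member_type column lets you filter service accounts, groups and public principals apart from human users without regex work in Excel.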