-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathverify-gcp-roles.sh
More file actions
executable file
·133 lines (116 loc) · 3.75 KB
/
Copy pathverify-gcp-roles.sh
File metadata and controls
executable file
·133 lines (116 loc) · 3.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
#!/bin/bash
# File: verify-gcp-roles.sh
# Verifies GCP service account has only read-only IAM roles for CleanCloud
# Usage: ./verify-gcp-roles.sh <service-account-email> [project-id]
#
# Examples:
# ./verify-gcp-roles.sh cleancloud@my-project.iam.gserviceaccount.com my-project
# ./verify-gcp-roles.sh cleancloud@my-project.iam.gserviceaccount.com # uses current gcloud project
set -e
SA_EMAIL="${1:-}"
PROJECT_ID="${2:-}"
REQUIRED_ROLES=(
"roles/compute.viewer"
"roles/cloudsql.viewer"
"roles/monitoring.viewer"
"roles/browser"
)
# Roles that would indicate write access — none of these should be present
FORBIDDEN_ROLES=(
"roles/owner"
"roles/editor"
"roles/compute.admin"
"roles/compute.instanceAdmin"
"roles/compute.storageAdmin"
"roles/cloudsql.admin"
"roles/cloudsql.editor"
"roles/monitoring.admin"
"roles/monitoring.editor"
"roles/iam.serviceAccountAdmin"
"roles/resourcemanager.projectIamAdmin"
"roles/resourcemanager.organizationAdmin"
)
if [ -z "$SA_EMAIL" ]; then
echo "Usage: ./verify-gcp-roles.sh <service-account-email> [project-id]"
echo ""
echo "Example:"
echo " ./verify-gcp-roles.sh cleancloud@my-project.iam.gserviceaccount.com my-project"
exit 1
fi
echo "Verifying GCP Service Account: $SA_EMAIL"
echo ""
# Check if gcloud is installed
if ! command -v gcloud &> /dev/null; then
echo "ERROR: gcloud CLI not found. Please install: https://cloud.google.com/sdk/docs/install"
exit 1
fi
# Check if logged in
if ! gcloud auth print-access-token &> /dev/null 2>&1; then
echo "ERROR: Not authenticated. Run 'gcloud auth login' first."
exit 1
fi
# Resolve project
if [ -z "$PROJECT_ID" ]; then
PROJECT_ID=$(gcloud config get-value project 2>/dev/null)
if [ -z "$PROJECT_ID" ]; then
echo "ERROR: No project specified and no default project set."
echo "Pass project as second argument or run: gcloud config set project PROJECT_ID"
exit 1
fi
fi
echo "Checking project-level bindings: $PROJECT_ID"
echo ""
# Get all IAM bindings for the SA on this project
MEMBER="serviceAccount:$SA_EMAIL"
BINDINGS=$(gcloud projects get-iam-policy "$PROJECT_ID" \
--flatten="bindings[].members" \
--format="value(bindings.role)" \
--filter="bindings.members=$MEMBER" 2>/dev/null || true)
if [ -z "$BINDINGS" ]; then
echo "WARNING: No project-level IAM bindings found for $SA_EMAIL"
echo " The service account may have org-level bindings instead."
echo " To check org-level bindings, run:"
echo " gcloud organizations get-iam-policy ORG_ID --flatten='bindings[].members' \\"
echo " --format='value(bindings.role)' --filter='bindings.members=serviceAccount:$SA_EMAIL'"
echo ""
else
echo "Roles bound at project level:"
echo "$BINDINGS" | sort | uniq | sed 's/^/ /'
echo ""
# Check for forbidden roles
FOUND_FORBIDDEN=0
for role in "${FORBIDDEN_ROLES[@]}"; do
if echo "$BINDINGS" | grep -q "^${role}$"; then
echo "FAIL: Forbidden role found: $role"
FOUND_FORBIDDEN=1
fi
done
if [ "$FOUND_FORBIDDEN" -eq 0 ]; then
echo "PASS: No write/admin roles found"
echo ""
else
echo ""
exit 1
fi
fi
# Verify required roles are present (either project or org level may have them)
echo "Required roles for CleanCloud:"
ALL_OK=1
for role in "${REQUIRED_ROLES[@]}"; do
if echo "$BINDINGS" | grep -q "^${role}$"; then
echo " PRESENT $role"
else
echo " MISSING $role (may be bound at org level)"
ALL_OK=0
fi
done
echo ""
if [ "$ALL_OK" -eq 1 ]; then
echo "PASS: All required roles are present at project level"
else
echo "NOTE: Some roles not found at project level."
echo " If org-level bindings exist, scanning will still work."
echo " To verify org-level bindings, check with your GCP organization admin."
fi
echo ""
exit 0