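#!/bin/bash
#
# List the accounts that hold a given IAM role (default: owner) on each GCP
# project visible to the active gcloud credentials, optionally narrowed by a
# project-name filter. Output is one human-readable block per project, or CSV
# rows with -c (and an optional header line with -i).
#
# Usage:
#   utility-list-accounts-with-privileges.sh [-r ROLE] [-p PROJECT] [-c] [-i] [-d] [-h]
#   Long forms: --role, --project, --csv, --include-column-headers, --debug, --help
#
# Requires: gcloud (authenticated) and jq on PATH.
# Exit status: 0 on success, 1 when gcloud/jq are missing or the project list
# cannot be retrieved, 2 on a bad command line.

set -u -o pipefail

declare ROLE="owner"
declare PROJECT_FILTER=""
# shellcheck disable=SC2034 — -d/--debug is accepted for compatibility but nothing reads it yet
declare DEBUG="False"
declare CSV="False"
declare ICH="False"

#######################################
# Print the one-line usage string to stdout.
#######################################
usage() {
  printf '%s [-r,--role] [-p, --project PROJECT] [-c, --csv] [-i, --include-column-headers] [-d, --debug] [-h, --help]\n' "$0"
}

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - exit status; remaining words - message
#######################################
die() {
  local status=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$status"
}

#######################################
# Map a project ID to an environment label by case-insensitive substring match.
# Arguments: $1 - project ID
# Outputs:   the LAST matching label among sandbox/dev/sys/uat/prod (later
#            labels win, e.g. "prod" beats "dev"), or nothing if none match
#######################################
detect_environment() {
  local project_id=$1
  local env found=""
  for env in sandbox dev sys uat prod; do
    # -F: the labels are literal words, not patterns; -i keeps the original's case-insensitivity
    if grep -qiF -- "$env" <<<"$project_id"; then
      found=$env
    fi
  done
  printf '%s' "$found"
}

#######################################
# Print one project's privileged members as a human-readable block.
# Arguments: $1 project id, $2 name, $3 owner label, $4 app label,
#            $5 newline-separated member list, $6 environment label
# Globals:   ROLE (read)
# Outputs:   text block on stdout
#######################################
print_project_text() {
  local project_id=$1 project_name=$2 project_owner=$3 project_application=$4
  local members=$5 environment=$6
  printf 'Project ID: %s\n' "$project_id"
  printf 'Project Name: %s\n' "$project_name"
  printf 'Project Owner: %s\n' "$project_owner"
  printf 'Project Application: %s\n' "$project_application"
  # printf '%s' instead of echo -e so backslashes inside member names are printed verbatim
  printf 'Members (%s role):\n%s\n' "$ROLE" "$members"
  printf 'Environment: %s\n' "$environment"
  printf '\n'
}

#######################################
# Print one CSV row per member of a project.
# Arguments: $1 project id, $2 name, $3 owner label, $4 app label,
#            $5 newline-separated member list, $6 environment label
# Outputs:   CSV rows on stdout
# NOTE(review): fields are wrapped in double quotes but embedded quotes/commas
# are not escaped, matching the original output format.
#######################################
print_project_csv() {
  local project_id=$1 project_name=$2 project_owner=$3 project_application=$4
  local members=$5 environment=$6
  local member account_type account rest
  while IFS= read -r member; do
    [[ -n "$member" ]] || continue
    # Same split as `cut -d: -f1` / `-f2`: text before the first colon, then the
    # text between the first and second colon (whole string when there is no colon).
    # NOTE(review): a "deleted:user:..." member therefore yields account "user",
    # as it did with cut — kept for output compatibility.
    account_type=${member%%:*}
    rest=${member#*:}
    account=${rest%%:*}
    printf '"%s", "%s", "%s", "%s", "%s", "%s", "%s"\n' \
      "$project_id" "$project_name" "$project_owner" "$project_application" \
      "$account" "$account_type" "$environment"
  done <<<"$members"
}

#######################################
# Fetch the member list for one project and print it in the selected format.
# Arguments: $1 - one project object (compact JSON) from `gcloud projects list`
# Globals:   ROLE, CSV (read)
# Returns:   0; prints a warning to stderr and prints nothing for a project
#            whose IAM policy cannot be read
#######################################
report_project() {
  local project=$1
  local project_id project_name project_owner project_application members environment
  project_id=$(jq -r '.projectId' <<<"$project")
  project_name=$(jq -r '.name' <<<"$project")
  project_owner=$(jq -r '.labels.adid' <<<"$project")
  project_application=$(jq -r '.labels.app' <<<"$project")

  # The role is passed to jq with --arg rather than spliced into the filter
  # text, so an unusual -r value cannot alter the jq program.
  # `.bindings // []` treats a policy with no bindings as "no members" instead
  # of a jq iteration error.
  if ! members=$(gcloud projects get-iam-policy "$project_id" --format=json \
      | jq -r --arg role "roles/${ROLE}" \
          '(.bindings // [])[] | select(.role == $role) | .members[]'); then
    printf 'warning: could not read IAM policy for project %s\n' "$project_id" >&2
    return 0
  fi

  environment=$(detect_environment "$project_id")

  if [[ -n "$members" ]]; then
    if [[ "$CSV" != "True" ]]; then
      print_project_text "$project_id" "$project_name" "$project_owner" \
        "$project_application" "$members" "$environment"
    else
      print_project_csv "$project_id" "$project_name" "$project_owner" \
        "$project_application" "$members" "$environment"
    fi
  fi
}

#######################################
# Parse the command line, list projects, and report each one.
# Globals:   ROLE, PROJECT_FILTER, DEBUG, CSV, ICH (written)
# Arguments: the script's command-line arguments
#######################################
main() {
  local arg option tool project_list project
  local -a list_args

  # Translate long options to their short equivalents so getopts can parse them.
  for arg in "$@"; do
    shift
    case "$arg" in
      "--help") set -- "$@" "-h" ;;
      "--debug") set -- "$@" "-d" ;;
      "--csv") set -- "$@" "-c" ;;
      "--include-column-headers") set -- "$@" "-i" ;;
      "--role") set -- "$@" "-r" ;;
      "--project") set -- "$@" "-p" ;;
      *) set -- "$@" "$arg" ;;
    esac
  done

  while getopts ":hdcip:r:" option; do
    case "${option}" in
      r) ROLE=${OPTARG} ;;
      p) PROJECT_FILTER=${OPTARG} ;;
      d) DEBUG="True" ;;
      c) CSV="True" ;;
      i) ICH="True" ;;
      h) usage; exit 0 ;;
      :) usage >&2; die 2 "option -${OPTARG} requires an argument" ;;
      \?) usage >&2; die 2 "unknown option -${OPTARG}" ;;
    esac
  done
  shift $((OPTIND - 1))

  for tool in gcloud jq; do
    command -v "$tool" >/dev/null 2>&1 || die 1 "required tool not found: $tool"
  done

  # -p/--project is applied as a gcloud filter on the project *name* field.
  list_args=(projects list --format=json)
  if [[ -n "$PROJECT_FILTER" ]]; then
    list_args+=(--filter="name:${PROJECT_FILTER}")
  fi
  project_list=$(gcloud "${list_args[@]}") || die 1 "gcloud projects list failed"

  if [[ "$project_list" == "[]" || -z "$project_list" ]]; then
    if [[ "$CSV" != "True" ]]; then
      printf 'No projects found\n'
      printf '\n'
    fi
    return 0
  fi

  if [[ "$ICH" == "True" ]]; then
    printf '%s\n' '"PROJECT_ID", "PROJECT_NAME", "PROJECT_OWNER", "PROJECT_APPLICATION", "ACCOUNT", "ACCOUNT_TYPE", "ENVIRONMENT"'
  fi

  # Process substitution (not a pipe) so the loop runs in this shell.
  while IFS= read -r project; do
    report_project "$project"
  done < <(jq -rc '.[]' <<<"$project_list")
}

main "$@"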