cloud-foundation-fabric/cloud-operations/delegated-role-grants/README.md

Delegated Role Grants

This example shows how to implement delegated role grants in GCP.

Running the example

Clone this repository or open it in cloud shell, then go through the following steps to create resources:

  • terraform init
  • terraform apply -var project_id=my-project-id -var 'project_administrators=["user:project-admin@example.com"]'

Once done testing, you can clean up resources by running terraform destroy.

Auditing Roles

This example includes a Python script that audits a list of roles to ensure you're not granting the setIamPolicy permission at the project, folder or organization level. To audit all the predefined compute roles, run it like this:

pip3 install -r requirements.txt
gcloud iam roles list --filter="name:roles/compute. stage=GA" --format="get(name)" > roles.txt
python3 audit.py roles.txt

If you get any warnings, check the roles you're granting and remove any of them that include any of the following permissions:

  • resourcemanager.projects.setIamPolicy
  • resourcemanager.folders.setIamPolicy
  • resourcemanager.organizations.setIamPolicy
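The check the audit performs is a set intersection between each role's permissions and the three setIamPolicy permissions above. The following is an added example of that logic, not the repository's own audit.py: it parses a roles.txt file in the format produced by the gcloud command, resolves each role's permissions through an injectable lookup function, and reports the offending roles. The role-to-permissions mapping is constructed inline so the example runs offline; audit.py would instead resolve the permissions through the IAM API, and the lookup name `sample_lookup` is an assumption made here.

```python
"""Audit a list of IAM roles for setIamPolicy permissions.

Added example (not the repository's audit.py). The role -> permissions
mapping is constructed inline so the check runs offline; in practice the
permissions of a role come from the IAM API (the role's includedPermissions).
"""
from typing import Callable, Dict, Iterable, List

# Permissions that let a grantee rewrite the IAM policy of a project, folder
# or organization. A delegated grant that carries one of these lets the
# delegate escape the restriction, so they must never appear in the roles
# project administrators are allowed to grant.
SET_IAM_POLICY_PERMISSIONS = frozenset({
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
})

# Constructed sample data: a few roles with abridged permission lists.
# Real roles carry far more permissions; only what matters here is shown.
SAMPLE_ROLE_PERMISSIONS: Dict[str, List[str]] = {
    "roles/compute.viewer": [
        "compute.instances.get",
        "compute.instances.list",
    ],
    "roles/compute.instanceAdmin.v1": [
        "compute.instances.create",
        "compute.instances.delete",
    ],
    "roles/owner": [
        "resourcemanager.projects.setIamPolicy",
        "compute.instances.create",
    ],
    "roles/resourcemanager.folderAdmin": [
        "resourcemanager.folders.setIamPolicy",
        "resourcemanager.folders.get",
    ],
}


def parse_roles_file(text: str) -> List[str]:
    """Parse the output of `gcloud iam roles list --format="get(name)"`.

    One role name per line; blank lines and surrounding whitespace are ignored.
    """
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_roles(
    roles: Iterable[str], lookup: Callable[[str], List[str]]
) -> Dict[str, List[str]]:
    """Return {role: [offending permissions]} for every role that carries
    any setIamPolicy permission. An empty dict means the list is clean."""
    findings: Dict[str, List[str]] = {}
    for role in roles:
        offending = sorted(SET_IAM_POLICY_PERMISSIONS.intersection(lookup(role)))
        if offending:
            findings[role] = offending
    return findings


def sample_lookup(role: str) -> List[str]:
    """Stand-in for the IAM API lookup (assumed name). Unknown roles raise a
    KeyError so that a typo in roles.txt is not silently treated as clean."""
    return SAMPLE_ROLE_PERMISSIONS[role]


if __name__ == "__main__":
    import sys

    # Usage: python3 this_script.py roles.txt
    with open(sys.argv[1], encoding="utf-8") as fh:
        roles = parse_roles_file(fh.read())
    findings = audit_roles(roles, sample_lookup)
    for role, perms in findings.items():
        print(f"WARNING: {role} grants {', '.join(perms)}")
    sys.exit(1 if findings else 0)
```

The lookup is injected so the same audit function works against constructed data in a test and against a real IAM client in production; making an unknown role raise rather than return an empty list keeps a mistyped role from passing the audit by accident.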

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| project_administrators | List identities granted administrator permissions. | list(string) | ✓ | |
| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | string | ✓ | |
| delegated_role_grants | List of roles that project administrators will be allowed to grant/revoke. | list(string) | | ... |
| direct_role_grants | List of roles granted directly to project administrators. | list(string) | | ... |
| project_create | Create project instead of using an existing one. | bool | | false |

Outputs