Skip to content
Permalink
12d11a0a27
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
101 lines (61 sloc) 3.33 KB
# GCP Project Audit #
This repo will let you audit all the IAM settings on projects in the GCP organization.
## KUDOS ##
This approach was built on top of the excellent work of colleagues at other universities, including UNC Charlotte and Indiana University.
# INSTRUCTIONS #
## CREATE VM ON GCE ##
Create a Virtual Machine (VM) in the Google Compute Engine dashboard.
**NOTE:** You are allowed [1 free F1-micro instance per month](https://cloud.google.com/free/) in your Google environment. If you don't see the ability to create an F1-micro instance from the dashboard, you can use the following example command in Cloud Shell to create one:
```gcloud compute instances create <instance-name> --machine-type=f1-micro --zone=us-east1-b```
Once the VM instance has been created, stop the VM instance and change the following setting:
Cloud API access scopes - Allow full access to all Cloud APIs
*Hint: copy your service account information for later use*
Start the VM instance, and SSH into it. Run the following commands to prepare the environment for the repo:
Install git:
```sudo apt-get install git```
Install pip3:
```sudo apt-get install python3-pip```
Install pandas:
```sudo pip install pandas```
## CONFIGURE IAM ROLES ##
The service account running the VM will need to have rights to query the organization, folders, and projects for the IAM policies.
Create a new role under the main organization (at the root level) with the following permissions:
orgpolicy.policy.get
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
Once the role has been created, assign it to the VM instance's service account.
## CREATE BIGQUERY TABLE ##
Create a new BigQuery table for this process to dump information to.
Note: If you are using separate projects for BigQuery and Compute Engine, you may need to allow the service account permissions to create jobs and insert data into the table.
## COPY SCRIPTS TO GCE VM ##
SSH into your VM instance, clone the repo to the machine.
```git clone https://github.internet2.edu/nyoung/gcp-gce-project-audit-bq.git```
Copy settings.default to settings.py and edit the file using your editor of choice (if using Compute Engine, vi / vim / nano come preinstalled on some machines). Example:
```cd path/to/repo && cp settings.default settings.py && vi settings.py```
Enter your organization ID, app script folder id, and any project IDs you may want to exclude. Example:
```
ORGANIZATION_ID = '188811122222'
APPS_SCRIPT_FOLDER_ID = '555274895555'
EXCLUDED_PROJECTS = [my-special-project-id,other-special-project-id]
```
Next, edit run_audit.sh and set the TABLE variable to your BigQuery table URI.
```vi run_audit.sh```
## TIME TO AUTOMATE! ##
Ensure that execution permission on the run_audit.sh script is allowed. Example:
```chmod +x run_audit.sh```
```0 0 * * 0 /path-to-repo/run_audit.sh```
Use crontab (or your favorite scheduler) to execute the script on your desired schedule. IE:
```crontab -e```
## Who do I talk to? ##
NICK YOUNG
Enterprise Analytics Architect
University of North Carolina at Greensboro
nickyoung@uncg.edu
TIM WATTS
Integrations Specialist
University of North Carolina at Greensboro
timwatts@uncg.edu