GCP Project Audit
This repo will let you audit all the IAM settings on projects in the GCP organization.
This approach was built on top of the excellent work of colleagues at other universities, including UNC Charlotte and Indiana University.
CREATE VM ON GCE
Create a Virtual Machine (VM) in the Google Compute Engine dashboard.
NOTE: You are allowed 1 free F1-micro instance per month in your Google environment. If you don't see the ability to create an F1-micro instance from the dashboard, you can use the following example command in Cloud Shell to create one:
gcloud compute instances create <instance-name> --machine-type=f1-micro --zone=us-east1-b
Once the VM instance has been created, stop the VM instance and change the following setting:
Cloud API access scopes - Allow full access to all Cloud APIs *Hint: copy your service account information for later use*
Start the VM instance, and SSH into it. Run the following commands to prepare the environment for the repo:
sudo apt-get install git
sudo apt-get install python3-pip
sudo pip install pandas
CONFIGURE IAM ROLES
The service account running the VM will need to have rights to query the organization, folders, and projects for the IAM policies.
Create a new role under the main organization (at the root level) with the following permissions:
orgpolicy.policy.get resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list
Once the role has been created, assign it to the VM instance's service account.
CREATE BIGQUERY TABLE
Create a new BigQuery table for this process to dump information to.
Note: If you are using separate projects for BigQuery and Compute Engine, you may need to allow the service account permissions to create jobs and insert data into the table.
COPY SCRIPTS TO GCE VM
SSH into your VM instance, clone the repo to the machine.
git clone https://github.internet2.edu/nyoung/gcp-gce-project-audit-bq.git
Copy settings.default to settings.py and edit the file using your editor of choice (if using Compute Engine, vi / vim / nano come preinstalled on some machines). Example:
cd path/to/repo && cp settings.default settings.py && vi settings.py
Enter your organization ID, app script folder id, and any project IDs you may want to exclude. Example:
ORGANIZATION_ID = '188811122222' APPS_SCRIPT_FOLDER_ID = '555274895555' EXCLUDED_PROJECTS = [my-special-project-id,other-special-project-id]
Next, edit run_audit.sh and set the TABLE variable to your BigQuery table URI.
TIME TO AUTOMATE!
Ensure that execution permission on the run_audit.sh script is allowed. Example:
chmod +x run_audit.sh
0 0 * * 0 /path-to-repo/run_audit.sh
Use crontab (or your favorite scheduler) to execute the script on your desired schedule. IE:
Who do I talk to?
NICK YOUNG Enterprise Analytics Architect University of North Carolina at Greensboro email@example.com TIM WATTS Integrations Specialist University of North Carolina at Greensboro firstname.lastname@example.org