Provides an overview of the IAM policies set up in a Google Cloud Platform (GCP) project. Links between assets and members are stored in a structured manner using neo4j. Relationships between them can, as such, be analysed using the Cypher Query Language in the neo4j frontend.
The tool makes API calls to enumerate the resources within a GCP project and the IAM policies set on them, and then writes both into the graph.
You must have installed the Google Cloud SDK. The tool uses your gcloud config to determine which project to analyse and which credentials to use when doing so, so be sure to have run the following commands (the account you log in with needs read access to the project's resources and their IAM policies):
gcloud auth application-default login
gcloud config set project {{ project-name }}
First, clone the repository to your machine.
git clone git@github.com:bartcode/gcp-iam-viz.git
cd gcp-iam-viz
Create a virtual environment and install the tool.
python3 -m venv venv/
. venv/bin/activate
pip install .
Run neo4j in Docker. The neo4j instance started by the compose file is configured without authentication, so keep its ports bound to your own machine and do not expose it on a shared network.
docker-compose up -d
The iamviz command runs the Python code in this repository to load data from the Google APIs and store it in a structured manner in your local database.
iamviz
Go to http://localhost:7474 and log in without credentials. The browser should list the node labels loaded from your GCP project.
Show every asset in the project on which a single member holds an IAM policy:
MATCH (proj:Project)-[:CONTAINS]->(res)<-[pol:HAS_POLICY]-(mem:Member)
WHERE mem.email = "user:user@yourdomain.com"
RETURN proj,res,pol,mem
Show all members, policies and assets in the project at once:
MATCH (proj:Project)-[:CONTAINS]->(res)<-[pol:HAS_POLICY]-(mem:Member)
RETURN proj,res,pol,mem
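The following is an added example, not code from the gcp-iam-viz project. It shows, in plain Python, the graph model the queries above rely on (Project -CONTAINS-> resource <-HAS_POLICY{role, scope}- Member): it flattens getIamPolicy-style bindings into HAS_POLICY edges, answers the same question as the first Cypher query above for one member, flags bindings a reviewer would look at first (public principals and primitive roles), and emits parameterised MERGE statements that reproduce that shape. The sample policies are constructed, and the Resource label and the name/email property names are assumptions inferred from the page's queries, not the tool's actual schema.

```python
"""Constructed example of the graph model behind the Cypher queries on this page.
Not part of gcp-iam-viz; label and property names are assumptions."""
from dataclasses import dataclass

# Constructed sample in the shape of getIamPolicy() responses, keyed by the
# Cloud Asset Inventory style full resource name. All values are made up.
PROJECT = "my-project"
SAMPLE_POLICIES = {
    "//cloudresourcemanager.googleapis.com/projects/my-project": {
        "bindings": [
            {"role": "roles/owner", "members": ["user:user@yourdomain.com"]},
            {"role": "roles/viewer", "members": [
                "group:devs@yourdomain.com",
                "serviceAccount:ci@my-project.iam.gserviceaccount.com",
            ]},
        ]
    },
    "//storage.googleapis.com/public-assets": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["user:user@yourdomain.com"]},
        ]
    },
}


@dataclass(frozen=True)
class PolicyEdge:
    """One Member -[HAS_POLICY {role, scope}]-> resource relationship."""
    member: str     # principal string as GCP stores it, e.g. "user:user@yourdomain.com"
    role: str       # e.g. "roles/owner"
    resource: str   # full resource name
    scope: str      # "project" when bound on the project itself, else "resource"


def build_edges(project, policies):
    """Flatten bindings into one HAS_POLICY edge per (member, role, resource)."""
    edges = []
    for resource, policy in policies.items():
        scope = "project" if resource.endswith(f"/projects/{project}") else "resource"
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                edges.append(PolicyEdge(member, binding["role"], resource, scope))
    return edges


def bindings_for_member(edges, email):
    """Plain-Python equivalent of the first Cypher query on this page."""
    return sorted((e.resource, e.role) for e in edges if e.member == email)


BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}


def risky_bindings(edges):
    """Bindings to review first: public principals or primitive project roles."""
    return sorted((e.member, e.role, e.resource) for e in edges
                  if e.member in BROAD_MEMBERS or e.role in PRIMITIVE_ROLES)


def to_cypher(project, edges):
    """Parameterised MERGE statements reproducing the page's graph shape.
    Principal and resource strings are passed as $parameters rather than
    interpolated, so a hostile member string cannot alter the query."""
    stmts = [("MERGE (:Project {name: $project})", {"project": project})]
    for e in edges:
        stmts.append((
            "MATCH (p:Project {name: $project}) "
            "MERGE (r:Resource {name: $resource}) MERGE (p)-[:CONTAINS]->(r) "
            "MERGE (m:Member {email: $member}) "
            "MERGE (m)-[:HAS_POLICY {role: $role, scope: $scope}]->(r)",
            {"project": project, "resource": e.resource, "member": e.member,
             "role": e.role, "scope": e.scope},
        ))
    return stmts


if __name__ == "__main__":
    edges = build_edges(PROJECT, SAMPLE_POLICIES)
    for statement, params in to_cypher(PROJECT, edges):
        print(statement, params)
    print(bindings_for_member(edges, "user:user@yourdomain.com"))
    print(risky_bindings(edges))
```

The (statement, params) pairs can be handed to a neo4j driver session's run() as-is; with a running instance the risky_bindings() check is the same as a Cypher WHERE on mem.email IN ["allUsers", "allAuthenticatedUsers"] OR pol.role IN ["roles/owner", "roles/editor"].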
To show the role of an IAM policy as the caption of a relationship, click HAS_POLICY under the query bar, then click <id>, <type>, <role> or <scope> at the bottom of the visualisation to use that property as the caption.
- Only works on single projects. Scanning the entire organisational tree has not been implemented (yet).
- Only searchable asset types (in the Cloud Asset Inventory sense), plus storage buckets, are shown.