# Comprehensive View
To get a comprehensive view of where a given account (e.g., function-runner-writer@abc.iam.gserviceaccount.com) is used across your Google Cloud services and resources, there are several methods and tools that can help identify its dependencies. Here's a step-by-step guide:

## 1. Using Google Cloud Console IAM Policy Analysis (Cloud Asset Inventory)
Google Cloud's Policy Analyzer, part of Cloud Asset Inventory, can be used to trace the access a service account has across resources. Unlike a plain IAM policy search, it can expand group memberships and follow bindings inherited from folders and the organization, so it answers "what can this account reach?" rather than only "which policies name it?".

* Go to Cloud Console:
  * Navigate to **IAM & Admin** > **Policy Analyzer**.
  * In the **Policy Analyzer**, you can search for a specific service account.
* Analyze IAM Policies:
  * Enter the service account email (e.g., function-runner-writer@abc.iam.gserviceaccount.com).
  * Choose the scope (e.g., the entire project, a folder, or the organization).
  * Run the analysis, which displays the resources this service account has access to and the roles and permissions it has on each of them.
  * You can review the roles assigned and understand its effective permissions across services.

## 2. Using the Cloud Asset Inventory API with Python for Detailed Resource Scanning
The **Cloud Asset Inventory API** lets you programmatically search for IAM bindings that mention a specific principal across all resources in a project, folder, or organization. The Python script below uses the `google-cloud-asset` client library to check where a service account is referenced. Note that this search returns policies that name the principal directly: it does not expand groups, and it does not include bindings set above the chosen scope.

* Set up Cloud Asset Inventory:
  * Enable the Cloud Asset Inventory API in your Google Cloud project.
  * The caller needs the `cloudasset.assets.searchAllIamPolicies` permission on the scope (included in the Cloud Asset Viewer role, `roles/cloudasset.viewer`).
* Install the Python client library:
  * Install `google-cloud-asset` if it is not already installed:
```bash
pip install google-cloud-asset
```

## 3. Python Script to Search for Service Account Bindings
The following script searches IAM policies across assets in a project, filtering for resources whose policies grant roles to the service account.

The code follows.

Output: the script lists every resource in the project whose IAM policy names the specified principal. In the run recorded below, every `Role(s)` list is empty because the comparison used in that run tested the bare email against `binding.members`, whose entries carry a type prefix (`user:awsmayanktripathi@gmail.com`, `serviceAccount:...`), so no binding ever matched; the resources themselves are still found because the `policy:` query does match. Note also that the example principal is a user account rather than a service account; the same query works for any principal type.

```python
from google.cloud import asset_v1

def _member_email(member: str) -> str:
    """Bare email from a typed IAM member ('user:a@b', 'serviceAccount:x@y',
    or 'deleted:serviceAccount:x@y?uid=123' for a deleted principal)."""
    if member.startswith("deleted:"):
        member = member[len("deleted:"):].split("?uid=", 1)[0]
    return member.partition(":")[2] or member

def search_service_account_bindings(project_id, service_account_email):
    client = asset_v1.AssetServiceClient()
    # Scope may also be "folders/<id>" or "organizations/<id>"; bindings
    # inherited from above the scope are not returned.
    scope = f"projects/{project_id}"
    # "policy:<email>" matches IAM policies whose bindings mention that principal.
    query = f"policy:{service_account_email}"

    request = asset_v1.SearchAllIamPoliciesRequest(scope=scope, query=query)
    response = client.search_all_iam_policies(request=request)

    print(f"Resources where {service_account_email} has permissions:")
    for result in response:
        # Compare on the bare email: `email in binding.members` never matches,
        # because every member string carries a type prefix.
        roles = [binding.role for binding in result.policy.bindings
                 if any(_member_email(m) == service_account_email for m in binding.members)]
        print(f"Resource: {result.resource}")
        print(f"Role(s): {roles}")
        print("-----")

# Usage
project_id = "gcphde-prim-dev-data"
service_account_email = "awsmayanktripathi@gmail.com"
search_service_account_bindings(project_id, service_account_email)
```

Output of the page's original run, before the member comparison was corrected:

```text
Resources where awsmayanktripathi@gmail.com has permissions:
Resource: //bigquery.googleapis.com/projects/gcphde-prim-dev-data/datasets/MyDataflowJob_ds
Role(s): []
-----
Resource: //dataform.googleapis.com/projects/gcphde-prim-dev-data/locations/us-central1/repositories/db5c66a1-a978-4ba4-be1a-fa8016c757df
Role(s): []
-----
Resource: //bigquery.googleapis.com/projects/gcphde-prim-dev-data/datasets/Project_Logs
Role(s): []
-----
Resource: //cloudresourcemanager.googleapis.com/projects/gcphde-prim-dev-data
Role(s): []
-----
```
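As an added example that is not part of the original page or its notebook, the following standalone Python shows the member handling a practitioner needs when reading `search_all_iam_policies` results: the type prefix on every member, the `deleted:...?uid=` form a binding keeps for a deleted principal (a stale grant that a recreated account with the same email does not inherit), and conditional bindings. The sample records are constructed to mimic the shape of the API's `IamPolicySearchResult` (`resource` plus `policy.bindings`); they are not real API output. The third record stands in for a separate query on the service account's own IAM policy (for example `query=f"resource:{sa_resource_name}"`), which answers the other half of "where is this account used": who can mint tokens for it or attach it to workloads. The account email, resource names, members and the `IMPERSONATION_ROLES` set are this example's own assumptions.

```python
from __future__ import annotations

# Added example, not the page's code. SAMPLE_RESULTS is constructed to mimic
# the shape of asset_v1.IamPolicySearchResult; it is not real API output.
SA_EMAIL = "function-runner-writer@abc.iam.gserviceaccount.com"  # assumed account

SAMPLE_RESULTS = [
    {   # project-level policy: the account holds roles/viewer directly
        "resource": "//cloudresourcemanager.googleapis.com/projects/abc",
        "policy": {"bindings": [
            {"role": "roles/viewer",
             "members": ["user:alice@example.com", "serviceAccount:" + SA_EMAIL]},
            {"role": "roles/owner", "members": ["user:alice@example.com"]},
        ]},
    },
    {   # dataset policy: a stale binding for a deleted copy of the account
        # (same email, different uid) plus a conditional binding
        "resource": "//bigquery.googleapis.com/projects/abc/datasets/Project_Logs",
        "policy": {"bindings": [
            {"role": "roles/bigquery.dataEditor",
             "members": ["deleted:serviceAccount:" + SA_EMAIL + "?uid=112233445566778899001"]},
            {"role": "roles/bigquery.dataViewer",
             "members": ["serviceAccount:" + SA_EMAIL, "allAuthenticatedUsers"],
             "condition": {"title": "expiry",
                           "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        ]},
    },
    {   # the account's own IAM policy (from a separate resource-scoped query):
        # these bindings say who may act as the account
        "resource": "//iam.googleapis.com/projects/abc/serviceAccounts/" + SA_EMAIL,
        "policy": {"bindings": [
            {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]},
            {"role": "roles/iam.serviceAccountUser", "members": ["group:deployers@example.com"]},
        ]},
    },
]

# Roles on a service account resource that let the holder mint tokens for it,
# attach it to workloads, or manage its keys (assumed list for this example).
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/owner",
}


def member_email(member: str) -> tuple[str, bool]:
    """Split a typed member string into (identifier, was_deleted):
    'serviceAccount:x@y' -> ('x@y', False); 'deleted:serviceAccount:x@y?uid=1'
    -> ('x@y', True); 'allUsers' (no type prefix) -> ('allUsers', False)."""
    deleted = member.startswith("deleted:")
    if deleted:
        member = member[len("deleted:"):]
    _, sep, ident = member.partition(":")
    if not sep:
        return member, deleted
    if deleted:
        ident = ident.split("?uid=", 1)[0]
    return ident, deleted


def roles_for_principal(result: dict, email: str) -> list[dict]:
    """Every binding in one search result that names the principal."""
    hits = []
    for binding in result["policy"].get("bindings", []):
        for member in binding.get("members", []):
            ident, deleted = member_email(member)
            if ident.lower() == email.lower():
                hits.append({"role": binding["role"], "deleted": deleted,
                             "conditional": "condition" in binding})
    return hits


def summarize_usage(results: list[dict], sa_email: str) -> dict:
    """Map resource -> bindings granting the account access, plus (member, role)
    pairs on the account's own policy that allow acting as it."""
    grants: dict[str, list[dict]] = {}
    actors: list[tuple[str, str]] = []
    own_policy_suffix = f"/serviceaccounts/{sa_email}".lower()
    for result in results:
        if result["resource"].lower().endswith(own_policy_suffix):
            for binding in result["policy"].get("bindings", []):
                if binding["role"] in IMPERSONATION_ROLES:
                    actors.extend((m, binding["role"]) for m in binding["members"])
            continue
        hits = roles_for_principal(result, sa_email)
        if hits:
            grants[result["resource"]] = hits
    return {"grants": grants, "actors": actors}


if __name__ == "__main__":
    summary = summarize_usage(SAMPLE_RESULTS, SA_EMAIL)
    for resource, hits in summary["grants"].items():
        print(resource)
        for h in hits:
            flags = (" (stale: deleted uid)" if h["deleted"] else "") + \
                    (" (conditional)" if h["conditional"] else "")
            print(f"  {h['role']}{flags}")
    print("can act as the account:", summary["actors"])
```

The `deleted` flag is worth surfacing on its own: a binding that names `deleted:serviceAccount:...?uid=` grants nothing to a newly created account with the same email, so it is clutter to clean up rather than live access, and a report that strips the prefix without tracking it would overstate what the account can do. Conversely, the `actors` list is where the risk usually sits when the account itself is privileged, because anyone with `roles/iam.serviceAccountTokenCreator` on it effectively holds every role the first part of the report lists.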
