IAM Access Analyzer

Only works for allow statements, not denies

GCP Recommender - also includes IAM recommendations

  • Export to BigQuery
  • Some recommendations concern IAM, e.g. unused IAM roles

Unused IAM roles (REMOVE_ROLE recommendations)

SELECT *
FROM `<project>.<dataset>.recommendations_export`
WHERE DATE(_PARTITIONTIME) = "<date>"
  AND recommender = "google.iam.policy.Recommender"
  AND recommender_subtype = "REMOVE_ROLE"

Granted roles that should be replaced with less-privileged roles (REPLACE_ROLE recommendations)

SELECT *
FROM `<project>.<dataset>.recommendations_export`
WHERE DATE(_PARTITIONTIME) = "<date>"
  AND recommender = "google.iam.policy.Recommender"
  AND recommender_subtype = "REPLACE_ROLE"

Insights associated with each recommendation (join on associated_insights)

SELECT recommendations.name AS recommendation_name,
       insights.name AS insight_name,
       recommendations.cloud_entity_id,
       recommendations.cloud_entity_type,
       recommendations.recommender,
       recommendations.recommender_subtype,
       recommendations.description,
       recommendations.target_resources,
       recommendations.recommendation_details,
       recommendations.state,
       recommendations.last_refresh_time AS recommendation_last_refresh_time,
       insights.insight_type,
       insights.insight_subtype,
       insights.category,
       insights.description,
       insights.insight_details,
       insights.state,
       insights.last_refresh_time AS insight_last_refresh_time
FROM `<project>.<dataset>.recommendations_export` AS recommendations,
     `<project>.<dataset>.insights_export` AS insights
WHERE DATE(recommendations._PARTITIONTIME) = "<date>"
  AND DATE(insights._PARTITIONTIME) = "<date>"
  AND insights.name IN UNNEST(recommendations.associated_insights)
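Once the REMOVE_ROLE / REPLACE_ROLE rows and their insights come back from the queries above, the useful next step is to turn each recommendation into a concrete least-privilege change (which member loses which role on which resource, and which role, if any, replaces it). The following is an added example, not part of the original notes or of Google's own tooling. The column names match the export tables used above; the JSON layout of recommendation_details (operation_groups -> operations with action, resource, path, path_filters, value) is an assumption modelled on the Recommender API, and all rows below are constructed sample data.

```python
import json

RECOMMENDER = "google.iam.policy.Recommender"

def _role_and_member(op):
    """Pull the binding role and member an operation refers to.

    Assumed layout: a "remove" names both role and member in path_filters;
    an "add" names the role in path_filters and the member in value.
    """
    filters = op.get("path_filters", {})
    role = filters.get("/iamPolicy/bindings/*/role")
    member = filters.get("/iamPolicy/bindings/*/members/*") or op.get("value")
    return role, member

def parse_recommendation(row):
    """Flatten one export row into member / resource / roles removed / roles added."""
    details = row["recommendation_details"]
    if isinstance(details, str):          # the export stores the details as a JSON string
        details = json.loads(details)
    removed, added, member, resource = [], [], None, None
    for group in details.get("operation_groups", []):
        for op in group.get("operations", []):
            role, m = _role_and_member(op)
            member = member or m
            resource = resource or op.get("resource")
            if op["action"] == "remove":
                removed.append(role)
            elif op["action"] == "add":
                added.append(role)
    return {"name": row["name"], "subtype": row["recommender_subtype"],
            "member": member, "resource": resource,
            "removed": removed, "added": added}

def build_plan(recommendations, insights):
    """Return plan entries for ACTIVE IAM recommendations, each with its insight text.

    Mirrors the SQL join above: an insight belongs to a recommendation when its
    name appears in the recommendation's associated_insights array.
    """
    insights_by_name = {i["name"]: i for i in insights}
    plan = []
    for row in recommendations:
        if row["recommender"] != RECOMMENDER or row["state"] != "ACTIVE":
            continue                        # skip other recommenders and already-applied items
        entry = parse_recommendation(row)
        entry["insights"] = [insights_by_name[n]["description"]
                             for n in row.get("associated_insights", [])
                             if n in insights_by_name]
        plan.append(entry)
    return plan

def format_plan(plan):
    """Render the plan as one reviewable line per recommendation."""
    lines = []
    for e in plan:
        change = "remove " + ", ".join(e["removed"])
        if e["added"]:
            change += "; grant " + ", ".join(e["added"])
        lines.append(f"[{e['subtype']}] {e['member']} on {e['resource']}: {change}"
                     f" (why: {' / '.join(e['insights']) or 'no insight'})")
    return lines

# Constructed sample rows in the shape of recommendations_export / insights_export.
_PFX = "projects/123/locations/global"
_PROJECT = "//cloudresourcemanager.googleapis.com/projects/123"
SAMPLE_INSIGHTS = [
    {"name": f"{_PFX}/insightTypes/google.iam.policy.Insight/insights/i1",
     "description": "ci service account used 0 of 3245 permissions in roles/editor over 90 days"},
    {"name": f"{_PFX}/insightTypes/google.iam.policy.Insight/insights/i2",
     "description": "alice used only read permissions of roles/owner over 90 days"},
]
SAMPLE_RECOMMENDATIONS = [
    {"name": f"{_PFX}/recommenders/{RECOMMENDER}/recommendations/r1",
     "recommender": RECOMMENDER, "recommender_subtype": "REMOVE_ROLE", "state": "ACTIVE",
     "associated_insights": [SAMPLE_INSIGHTS[0]["name"]],
     "recommendation_details": json.dumps({"operation_groups": [{"operations": [
         {"action": "remove", "resource": _PROJECT, "path": "/iamPolicy/bindings/*/members/*",
          "path_filters": {"/iamPolicy/bindings/*/role": "roles/editor",
                           "/iamPolicy/bindings/*/members/*": "serviceAccount:ci@example.iam.gserviceaccount.com"}}]}]})},
    {"name": f"{_PFX}/recommenders/{RECOMMENDER}/recommendations/r2",
     "recommender": RECOMMENDER, "recommender_subtype": "REPLACE_ROLE", "state": "ACTIVE",
     "associated_insights": [SAMPLE_INSIGHTS[1]["name"]],
     "recommendation_details": json.dumps({"operation_groups": [{"operations": [
         {"action": "remove", "resource": _PROJECT, "path": "/iamPolicy/bindings/*/members/*",
          "path_filters": {"/iamPolicy/bindings/*/role": "roles/owner",
                           "/iamPolicy/bindings/*/members/*": "user:alice@example.com"}},
         {"action": "add", "resource": _PROJECT, "path": "/iamPolicy/bindings/*/members/-",
          "value": "user:alice@example.com",
          "path_filters": {"/iamPolicy/bindings/*/role": "roles/viewer"}}]}]})},
    # Already applied: state is not ACTIVE, so it must not appear in the plan.
    {"name": f"{_PFX}/recommenders/{RECOMMENDER}/recommendations/r3",
     "recommender": RECOMMENDER, "recommender_subtype": "REMOVE_ROLE", "state": "SUCCEEDED",
     "associated_insights": [], "recommendation_details": json.dumps({"operation_groups": []})},
]

if __name__ == "__main__":
    for line in format_plan(build_plan(SAMPLE_RECOMMENDATIONS, SAMPLE_INSIGHTS)):
        print(line)
```

Feeding the real export rows in (for example via a BigQuery client, with recommendation_details left as the JSON string the table stores) produces the same plan entries; filtering on state keeps recommendations that were already applied or dismissed out of the review queue.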

Asset Inventory - show all IAM policies on a project

  1. Go to the Asset Inventory page in the Google Cloud console.
  2. To set the scope of your search, open the Projects list box in the menu bar, then select the organization, folder, or project to query.
  3. Select the IAM policy tab.
  4. To search policies, use a preset query or build your own.
    • To use a preset query, select options from Query Presets on the Filter results pane. To narrow the results, select options from Filters.

gcloud - show all IAM bindings on a project