Files
Anthropic-Cybersecurity-Skills/skills/auditing-gcp-iam-permissions/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

79 lines
2.2 KiB
Markdown

# API Reference: Auditing GCP IAM Permissions
## google-cloud-asset
### Search All IAM Policies
```python
from google.cloud import asset_v1
client = asset_v1.AssetServiceClient()
request = asset_v1.SearchAllIamPoliciesRequest(
scope="organizations/ORG_ID",
query="policy:roles/owner",
page_size=500,
)
for result in client.search_all_iam_policies(request=request):
print(result.resource, result.policy.bindings)
```
### Analyze IAM Policy (Who Can Access What)
```python
request = asset_v1.AnalyzeIamPolicyRequest(
analysis_query=asset_v1.IamPolicyAnalysisQuery(
scope="organizations/ORG_ID",
identity_selector=asset_v1.IamPolicyAnalysisQuery.IdentitySelector(
identity="user:dev@company.com"
),
)
)
response = client.analyze_iam_policy(request=request)
```
## google-cloud-iam (Service Accounts)
```python
from google.cloud import iam_admin_v1
client = iam_admin_v1.IAMClient()
# List service accounts
request = iam_admin_v1.ListServiceAccountsRequest(name="projects/PROJECT_ID")
for sa in client.list_service_accounts(request=request):
print(sa.email, sa.disabled)
# List user-managed keys
key_req = iam_admin_v1.ListServiceAccountKeysRequest(
name=sa.name,
key_types=[iam_admin_v1.ListServiceAccountKeysRequest.KeyType.USER_MANAGED],
)
```
## google-cloud-resource-manager
```python
from google.cloud import resourcemanager_v3
client = resourcemanager_v3.ProjectsClient()
policy = client.get_iam_policy(request={"resource": "projects/PROJECT_ID"})
for binding in policy.bindings:
print(binding.role, list(binding.members))
```
## Key GCP IAM Roles to Flag
| Role | Risk Level |
|------|-----------|
| `roles/owner` | Critical (full control) |
| `roles/editor` | High (write access all services) |
| `roles/iam.serviceAccountTokenCreator` | High (impersonation) |
| `roles/iam.serviceAccountKeyAdmin` | High (key creation) |
### References
- google-cloud-asset: https://pypi.org/project/google-cloud-asset/
- google-cloud-iam: https://pypi.org/project/google-cloud-iam/
- google-cloud-resource-manager: https://pypi.org/project/google-cloud-resource-manager/
- GCP IAM docs: https://cloud.google.com/iam/docs