@yihyang
Last active April 7, 2025 01:17
IAM Custom Roles
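# Understanding IAM Custom Roles
# Permission identifier format: <service>.<resource>.<verb>
# (kept as a comment: bare angle brackets are redirections to the shell).
# Viewing the available permissions for a resource
## List current permission
# Expansions are quoted and ${VAR:?} aborts on an unset project id instead of
# silently querying a malformed resource name (SC2086).
gcloud iam list-testable-permissions "//cloudresourcemanager.googleapis.com/projects/${DEVSHELL_PROJECT_ID:?}"
# Getting the role metadata ([ROLE_NAME] is a placeholder to replace)
gcloud iam roles describe [ROLE_NAME]
# Viewing the grantable roles on resources
gcloud iam list-grantable-roles "//cloudresourcemanager.googleapis.com/projects/${DEVSHELL_PROJECT_ID:?}"
# Creating a custom role (the full forms, with --file or with flags, follow below)
gcloud iam roles create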
# Template for a custom-role definition file; values in [brackets] are placeholders.
title: [ROLE_TITLE]
description: [ROLE_DESCRIPTION]
# Launch stage of the role (the example below uses ALPHA).
stage: [LAUNCH_STAGE]
# Least privilege: list only the permissions the role actually needs.
includedPermissions:
- [PERMISSION_1]
- [PERMISSION_2]
# Concrete example: the role-definition.yaml passed to `gcloud iam roles create` below.
title: "Role Editor"
description: "Edit access for App Versions"
stage: "ALPHA"
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
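# role-definition.yaml is the "Role Editor" example above.
gcloud iam roles create editor --project "${DEVSHELL_PROJECT_ID:?}" \
  --file role-definition.yaml
# Create a custom role using flags
# Keep --permissions to the minimum the role needs; the two below are get/list only.
gcloud iam roles create viewer --project "${DEVSHELL_PROJECT_ID:?}" \
  --title "Role Viewer" --description "Custom role description." \
  --permissions compute.instances.get,compute.instances.list --stage ALPHA
# Listing the custom roles
gcloud iam roles list --project "${DEVSHELL_PROJECT_ID:?}"
# Without --project this lists the predefined roles instead of the project's custom ones.
gcloud iam roles list
# Editing an existing custom role
gcloud iam roles update
# To update a custom role using a YAML file
# Capture this output into new-role-definition.yaml: it carries the etag that
# the --file update below has to send back.
gcloud iam roles describe [ROLE_ID] --project "${DEVSHELL_PROJECT_ID:?}"
nano new-role-definition.yaml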
# new-role-definition.yaml: the `roles describe` output, edited to add two storage permissions.
description: Edit access for App Versions
# etag as returned by describe; leave it unchanged so the update is rejected
# if the role was modified in the meantime (optimistic concurrency check).
etag: BwVxIAbRq_I=
includedPermissions:
- appengine.versions.create
- appengine.versions.delete
# Added permissions (bucket metadata read and list).
- storage.buckets.get
- storage.buckets.list
# [PROJECT_ID] is a placeholder for the owning project.
name: projects/[PROJECT_ID]/roles/editor
stage: ALPHA
title: Role Editor
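# To update a custom role using flags
# --add-permissions widens the role; review what is being granted
# (bucket get/list here) before applying.
gcloud iam roles update viewer --project "${DEVSHELL_PROJECT_ID:?}" \
  --add-permissions storage.buckets.get,storage.buckets.list
gcloud iam roles update [ROLE_ID] --project "${DEVSHELL_PROJECT_ID:?}" \
  --file new-role-definition.yaml
# Disabling a custom role
# Stage DISABLED keeps the definition and its bindings in place while the
# bindings stop taking effect -- a reversible step to try before delete.
gcloud iam roles update viewer --project "${DEVSHELL_PROJECT_ID:?}" \
  --stage DISABLED
# Deleting a custom role
gcloud iam roles delete viewer --project "${DEVSHELL_PROJECT_ID:?}"
# Undeleting a custom role
gcloud iam roles undelete viewer --project "${DEVSHELL_PROJECT_ID:?}"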
Securing Google Cloud with CFT Scorecard
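# Setup environment
# ${VAR:?} aborts if Cloud Shell did not set the project id; everything below
# derives from it.
export GOOGLE_PROJECT="${DEVSHELL_PROJECT_ID:?}"
export CAI_BUCKET_NAME="cai-${GOOGLE_PROJECT}"
gcloud services enable cloudasset.googleapis.com \
  --project "$GOOGLE_PROJECT"
# The policy library is cloned from its default branch, unpinned; pin a
# reviewed commit or tag before relying on its constraints for a real audit.
git clone https://github.com/forseti-security/policy-library.git
cp policy-library/samples/storage_blacklist_public.yaml policy-library/policies/constraints/
# This bucket will hold the full resource and IAM inventory export; treat it
# as sensitive and keep it private.
gsutil mb -l us-central1 -p "$GOOGLE_PROJECT" "gs://${CAI_BUCKET_NAME}"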
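# Collect the data using Cloud Asset Inventory (CAI)
# Export resource data
gcloud asset export \
  --output-path="gs://${CAI_BUCKET_NAME}/resource_inventory.json" \
  --content-type=resource \
  --project="$GOOGLE_PROJECT"
# Export IAM data
gcloud asset export \
  --output-path="gs://${CAI_BUCKET_NAME}/iam_inventory.json" \
  --content-type=iam-policy \
  --project="$GOOGLE_PROJECT"
# Analyze the CAI data with CFT Scorecard
# -f: an HTTP error must not leave an error page on disk that is then made
# executable and run; -L follows redirects; -sS is quiet except on failure.
curl -fsSL -o cft https://storage.googleapis.com/cft-cli/latest/cft-linux-amd64
# This is an unpinned "latest" build fetched with no integrity check. Outside
# a lab, pin a release and compare the download against its published
# checksum/signature before executing it.
# make executable
chmod +x cft
./cft scorecard --policy-path=policy-library/ --bucket="$CAI_BUCKET_NAME"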
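## Add a new policy to blacklist the IAM Owner Role
# Despite the heading, this constraint runs in "whitelist" mode: any
# roles/owner binding on a project whose member is not listed under
# `members` is reported. The YAML needs its nesting restored to be valid;
# the quoted delimiter makes the body literal (nothing to expand here).
cat > policy-library/policies/constraints/iam_whitelist_owner.yaml << 'EOF'
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1
metadata:
  name: whitelist_owner
  annotations:
    description: List any users granted Owner
spec:
  severity: high
  match:
    target: ["organization/*"]
    exclude: []
  parameters:
    mode: whitelist
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner
    members:
    # Placeholder: replace with the service account that is allowed to hold Owner.
    - "serviceAccount:[email protected]"
EOF
./cft scorecard --policy-path=policy-library/ --bucket="$CAI_BUCKET_NAME"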
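# Identities that are allowed to hold Editor. Assignment is separated from
# export so a failing gcloud call is not masked by export's own status.
USER_ACCOUNT="$(gcloud config get-value core/account)"
export USER_ACCOUNT
PROJECT_NUMBER="$(gcloud projects describe "$GOOGLE_PROJECT" --format="get(projectNumber)")"
export PROJECT_NUMBER
# Add a new policy to whitelist the IAM Editor Role
# The delimiter is deliberately unquoted: the member list below is built from
# the variables exported above. Nesting restored so the YAML is valid.
cat > policy-library/policies/constraints/iam_identify_outside_editors.yaml << EOF
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1
metadata:
  name: identify_outside_editors
  annotations:
    description: list any users outside the organization granted Editor
spec:
  severity: high
  match:
    target: ["organization/*"]
    exclude: []
  parameters:
    mode: whitelist
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/editor
    members:
    - "user:$USER_ACCOUNT"
    # Wildcards admit every service account whose address contains this
    # project's number or id; they are broad -- narrow them if you need
    # to catch unexpected service accounts as well.
    - "serviceAccount:*$PROJECT_NUMBER*gserviceaccount.com"
    - "serviceAccount:$GOOGLE_PROJECT*gserviceaccount.com"
EOF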
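# VPC Network Peering
# These notes create the two networks, subnets, VMs and firewall rules;
# the peering itself (`gcloud compute networks peerings create`) is not
# part of them.
# at project a
gcloud compute networks create network-a --subnet-mode custom
gcloud compute networks subnets create network-a-central --network network-a \
  --range 10.0.0.0/16 --region us-central1
gcloud compute instances create vm-a --zone us-central1-a --network network-a --subnet network-a-central
# Fixed: this rule belongs to network-a (it previously targeted network-b,
# which at this point has not even been created).
# No --source-ranges is given, so both rules admit tcp:22 and ICMP from any
# source (0.0.0.0/0). Restrict to the peer range (10.8.0.0/16 for network-a,
# 10.0.0.0/16 for network-b) plus your admin range when SSH from outside is
# needed.
gcloud compute firewall-rules create network-a-fw --network network-a --allow tcp:22,icmp
# at project b
gcloud compute networks create network-b --subnet-mode custom
gcloud compute networks subnets create network-b-central --network network-b \
  --range 10.8.0.0/16 --region us-central1
gcloud compute instances create vm-b --zone us-central1-a --network network-b --subnet network-b-central
gcloud compute firewall-rules create network-b-fw --network network-b --allow tcp:22,icmp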