Collection of Bash and Perl scripts that work together with the Google Cloud Platform Policy Analyzer to detect unused Service Accounts (SA) or Service Account Keys (SAK) in large Google Cloud organizations with many projects. Tested and used within Google Cloud organizations of DAX companies.
- Create list with projects:
All projects to which the user has access are saved to
bash 1_projects.sh
projects.csv. The CSV list can be adjusted manually. These projects will be used in the next steps. - Enable "Policy Analyzer" API:
bash 2_enable-api.sh
- Get SA and SAK authentications:
bash 3_get.sh
- Create overview for evaluation:
CSV export
bash 4_query.sh
auth.csvis created. You can import this file into your favorite spreadsheet program.
A few evaluation tips:
Service account keys could pose a security risk if compromised.
More than one user managed key (CSV column: userManaged) is not a good idea.
A Bash shell, Perl, SQLite and a few other tools that are included in many standard GNU/Linux distributions.
In addition, you need the Google Cloud CLI gcloud which is very easy to install.
Linux (Debian/Ubuntu/Cloud Shell)
Install these packages with dependencies:
sudo apt install \
libjson-xs-perl \
libdbd-sqlite3-perlInstall Google Cloud CLI gcloud following these instructions: https://cloud.google.com/sdk/docs/install#deb
macOS (Brew)
Install these Homebrew packages with dependencies:
brew install perl
brew install cpanminus pkg-config
brew install sqlite3
brew install --cask google-cloud-sdkInstall Perl modules with cpanminus:
cpanm --installdeps .Install Google Cloud CLI gcloud following these instructions: https://cloud.google.com/sdk/docs/install#deb
Windows (Cygwin)
Install these Cygwin packages:
- perl
- perl-DBD-SQLite
- perl-JSON-XS
- sqlite3
- python3
Install Google Cloud CLI gcloud following these instructions: https://cloud.google.com/sdk/docs/install
All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.