moesy · April 24, 2024 08:44
diff --git a/list_sa_rotators.sh b/list_sa_rotators.sh
 #!/bin/bash

 # Function to retrieve and validate project ID
 #
 # Args:
 #   $1: The potential project ID to validate. 
 #
 # Returns:
 #   A validated project ID on success, exits with an error message on failure.
 get_project_id() {
  local potential_project_id="$1"

  if [[ -z "$potential_project_id" ]]; then
    echo "Error: Project ID is required."
    exit 1
  fi

  # Check if gcloud CLI is installed
  if ! command -v gcloud &> /dev/null; then
    echo "Error: gcloud CLI is not installed. Please install it first."
    exit 1
  fi

  # Basic validation to ensure the provided ID resembles a project ID format
  if [[ ! "$potential_project_id" =~ ^[a-z0-9-]+$ ]]; then
    echo "Error: Invalid project ID format."
    exit 1
  fi

  echo "$potential_project_id"
 }

 # Get and validate the project ID
 project_id=$(get_project_id "$1")

 # List service accounts within the specified project
 service_accounts=$(gcloud iam service-accounts list --project $project_id --format='value(email)')

 # Iterate over each service account
 for sa in $service_accounts; do

  # List keys for the service account, focusing on user-managed keys
  keys=$(gcloud iam service-accounts keys list --iam-account $sa --project $project_id \
           --filter="keyType:USER_MANAGED" \
           --format='table(name, validAfterTime, validBeforeTime)')

  # Check if the service account has any user-managed keys
  if [[ -n "$keys" ]]; then 
    echo "### Service Account: $sa"
    echo "$keys"

    # PROJECT-LEVEL CHECK: Find members with potential key rotation permissions
    project_members=$(gcloud projects get-iam-policy "$project_id" \
                    --flatten="bindings[].members" \
                    --format="table(bindings.role, bindings.members)" \
                    --filter="(bindings.role:roles/iam.serviceAccountKeyAdmin OR bindings.role:roles/iam.serviceAccountUser) AND bindings.members:user:*") 

    if [[ -n "$project_members" ]]; then
      echo "Potential key rotators (Project-Level):"
      echo "$project_members"
    fi

    # SERVICE ACCOUNT-LEVEL CHECK: Find members with potential key rotation permissions
    sa_members=$(gcloud iam service-accounts get-iam-policy $sa --project $project_id \
                    --flatten="bindings[].members" \
                    --format="table(bindings.role, bindings.members)" \
                    --filter="(bindings.role:roles/iam.serviceAccountKeyAdmin OR bindings.role:roles/iam.serviceAccountUser) AND bindings.members:user:*")

    if [[ -n "$sa_members" ]]; then
      echo "Potential key rotators (Service Account-Level):"
      echo "$sa_members"
    fi

    echo "-------------------------" # Separator between accounts
  fi
 done
	#!/bin/bash

	# Function to retrieve and validate project ID
	#
	# Args:
	# $1: The potential project ID to validate.
	#
	# Returns:
	# A validated project ID on success, exits with an error message on failure.
	get_project_id() {
	local potential_project_id="$1"

	if [[ -z "$potential_project_id" ]]; then
	echo "Error: Project ID is required."
	exit 1
	fi

	# Check if gcloud CLI is installed
	if ! command -v gcloud &> /dev/null; then
	echo "Error: gcloud CLI is not installed. Please install it first."
	exit 1
	fi

	# Basic validation to ensure the provided ID resembles a project ID format
	if [[ ! "$potential_project_id" =~ ^[a-z0-9-]+$ ]]; then
	echo "Error: Invalid project ID format."
	exit 1
	fi

	echo "$potential_project_id"
	}

	# Get and validate the project ID
	project_id=$(get_project_id "$1")

	# List service accounts within the specified project
	service_accounts=$(gcloud iam service-accounts list --project $project_id --format='value(email)')

	# Iterate over each service account
	for sa in $service_accounts; do

	# List keys for the service account, focusing on user-managed keys
	keys=$(gcloud iam service-accounts keys list --iam-account $sa --project $project_id \
	--filter="keyType:USER_MANAGED" \
	--format='table(name, validAfterTime, validBeforeTime)')

	# Check if the service account has any user-managed keys
	if [[ -n "$keys" ]]; then
	echo "### Service Account: $sa"
	echo "$keys"

	# PROJECT-LEVEL CHECK: Find members with potential key rotation permissions
	project_members=$(gcloud projects get-iam-policy "$project_id" \
	--flatten="bindings[].members" \
	--format="table(bindings.role, bindings.members)" \
	--filter="(bindings.role:roles/iam.serviceAccountKeyAdmin OR bindings.role:roles/iam.serviceAccountUser) AND bindings.members:user:*")

	if [[ -n "$project_members" ]]; then
	echo "Potential key rotators (Project-Level):"
	echo "$project_members"
	fi

	# SERVICE ACCOUNT-LEVEL CHECK: Find members with potential key rotation permissions
	sa_members=$(gcloud iam service-accounts get-iam-policy $sa --project $project_id \
	--flatten="bindings[].members" \
	--format="table(bindings.role, bindings.members)" \
	--filter="(bindings.role:roles/iam.serviceAccountKeyAdmin OR bindings.role:roles/iam.serviceAccountUser) AND bindings.members:user:*")

	if [[ -n "$sa_members" ]]; then
	echo "Potential key rotators (Service Account-Level):"
	echo "$sa_members"
	fi

	echo "-------------------------" # Separator between accounts
	fi
	done