ma...@google.com <ma...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team, and I can't provide you with an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.
Customer wants to have an easy way to copy permissions from roles to an existing organization's custom role.
# What you would like to accomplish:
Customer would like to have a gcloud command that helps copy roles to an existing organization's custom role, in order to avoid the manual effort of this duty.
How this might work:
1- When running the command "gcloud iam roles copy", have the possibility to add a flag for providing a .YAML file.
2- Create a .YAML file listing at least 30 roles that you want to copy, like below:
# cat my_file.yaml
- roles/serviceusage.apiKeysAdmin
- roles/apigateway.admin
- roles/artifactregistry.admin
- roles/bigquery.admin
3- Run the following command:
gcloud iam roles copy --source-file=/home/test/my_file.yaml --destination=CUSTOM_ROLE --dest-organization=ORGANIZATION_ID
CUSTOM_ROLE: This custom role should be an existing organization custom role
ORGANIZATION_ID: My own organization.
Once the previous command is run, the output will be:
The permissions associated with the roles listed in the .YAML file are in the existing organization custom role.
# If applicable, reasons why alternative solutions are not sufficient:
There exists a way to do it using the Google Cloud Console, but it can be a tedious task when there are more than 20 roles.
Using the Google Console, I have tested the following:
Navigate to:
IAM & Admin
Roles
Just select your preferred roles (e.g. API Keys Admin, Artifact Registry, etc.); once you have selected more than one,
at the top you will be able to click on the label "Create a role from selection".
Fill out the required values for completion.
Click on the "Save" button.
Note: This feature is available for the creation of a new custom role, either at ORG level or at project level.
# Other information (workarounds you have tried, documentation consulted, etc):
PRE-REQUISITES: Custom role created at ORG LEVEL with no permission or with at least one.
1- This command helps you describe a role
RUN gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID
Example gcloud iam roles describe breakglass --organization=ORGANIZATION_ID
gcloud iam roles describe roles/serviceusage.apiKeysAdmin // No need to define the Organization ID
ROLE_ID: Replace with the custom name that you have already defined for a custom role, or look for a pre-defined role
ORGANIZATION_ID: Replace with a numeric value
NOTE: Before proceeding with the next step, please make sure the following values match: description, etag, name and title.
These depend on the values that were set up when the custom role was created.
Please kindly note that you have to merge both exported files, but you should consider the existing custom role that you have already created before starting these steps.
Please kindly note that if the existing custom role has at least one role, you need to copy the roles under the appropriate property called "includedPermissions:".
Please kindly note that if the existing custom role does not have any role, you have to add the property "includedPermissions:" and, under that property, copy the permissions you want to add.
Note: The permissions that you want to add, you should add manually and merge with the existing custom role.
For example:
gcloud iam roles describe breakglass --organization=xxxxx00009
etag: BwYkeG_BG7o=
includedPermissions:
- apikeys.keys.create
- apikeys.keys.delete
name: organizations/xxxxx00009/roles/breakglass
stage: ALPHA
title: breakglass
2- This command helps you export the permissions of the role to a .yaml file
RUN gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID > my_file.yaml
Example gcloud iam roles describe breakglass --organization=ORGANIZATION_ID > my_file.yaml
3- This command gets the current path of "my_file.yaml"
RUN pwd my_file.yaml
4- This command helps you update an existing role at ORG level
RUN: gcloud iam roles update ROLE_ID --organization=ORGANIZATION_ID --file=YAML_FILE_PATH
Example: gcloud iam roles update testRole123 --organization=xxx0009 --file=/home/test/my_file.yaml
YAML_FILE_PATH: Output of the pwd command for the yaml file
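The manual merge in the workaround above (copy the source roles' permissions under includedPermissions of the existing custom role's export, keeping its etag, name and title intact) can be scripted. The following is an added example, not code from the issue or from gcloud: it parses the subset of `gcloud iam roles describe` output shown on this page without third-party libraries. EXISTING_ROLE reuses the page's describe output; SOURCE_ROLE is a constructed stand-in for a predefined role's export, not real data.

```python
# Existing org custom role, as the describe output on this page shows it.
EXISTING_ROLE = """etag: BwYkeG_BG7o=
includedPermissions:
- apikeys.keys.create
- apikeys.keys.delete
name: organizations/xxxxx00009/roles/breakglass
stage: ALPHA
title: breakglass
"""
# Constructed stand-in for a predefined role's describe output (not real).
SOURCE_ROLE = """etag: AAAAAAAAAAA=
includedPermissions:
- apikeys.keys.delete
- apikeys.keys.get
name: roles/serviceusage.apiKeysAdmin
title: API Keys Admin
"""

def parse_role(text):
    """Split describe output into scalar fields and the includedPermissions
    list, the only nested key that output contains."""
    fields, perms, in_list = {}, [], False
    for line in text.splitlines():
        if in_list and line.startswith("- "):
            perms.append(line[2:].strip())
            continue
        in_list = False
        key, _, value = line.partition(":")
        if key.strip() == "includedPermissions":
            in_list = True
        elif key.strip():
            fields[key.strip()] = value.strip()
    return fields, perms

def merge_permissions(existing_yaml, source_yamls):
    """Existing role YAML plus every source's permissions, deduplicated and
    sorted; etag/name/title are kept so `roles update --file` hits the same
    role version (a stale etag fails the update instead of clobbering it)."""
    fields, perms = parse_role(existing_yaml)
    merged = set(perms)
    for src in source_yamls:
        merged.update(parse_role(src)[1])
    keys = sorted(fields) + (["includedPermissions"] if merged else [])
    lines = []
    for key in sorted(keys):
        if key == "includedPermissions":
            lines.append("includedPermissions:")
            lines.extend(f"- {p}" for p in sorted(merged))
        else:
            lines.append(f"{key}: {fields[key]}")
    return "\n".join(lines) + "\n"
```

Write the returned text to my_file.yaml and pass it to step 4 (`gcloud iam roles update ... --file=`); the source roles' own etag, name and title are deliberately ignored so they never overwrite the custom role's identity.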