How do I list all groups a GCP service account belongs to?


I have a GSA: [email protected]

GCP has supported groups for a while now so I added that GSA to a bunch of groups.

How can I easily see what groups that GSA belongs to?

If this was a google user account I could go to the G Suite console and view the user's group membership. This is a GSA though and it does not appear in the G Suite console like that.

Ideally I could see this in some web console page or with gcloud. This gcloud command will show me the members of a group: https://cloud.google.com/sdk/gcloud/reference/beta/identity/groups/memberships/list. How do I do the inverse of that, again for a GSA not a google user account?

EDIT

Not a solution but a script to search all groups. Still think there has to be an API call to get this as a single step. The groups.memberships.searchTransitiveGroups() method I think is only for seeing nested group memberships.

GSA_TO_SEARCH="<service-account-email>"   # placeholder: the GSA to look for (the address was elided in the post)
PROJECT_ID=projectname # This can be any project in the org
ORG_ID="$(gcloud projects get-ancestors "$PROJECT_ID" | grep organization | cut -f1 -d' ')"
# I don't think this label includes GCP security groups just G Suite email groups
GROUPS="$(gcloud beta identity groups search --organization="$ORG_ID" --labels='cloudidentity.googleapis.com/groups.discussion_forum' --format='json')"
# jq -r emits bare email addresses instead of JSON-quoted strings
GROUP_EMAILS="$(echo "$GROUPS" | jq -r '.groups[] | .groupKey.id')"
# quote the variable so xargs -I receives one group email per line, not one long line
echo "$GROUP_EMAILS" | \
    xargs -I {} sh -c "echo {} && \
    gcloud beta identity groups memberships list --group-email="{}" --format=json | \
    jq '.[] | select(.memberKey.id==\"$GSA_TO_SEARCH\").memberKey.id'"
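The script above fetches every group and its membership list and greps for the service account one group at a time. The same data, once fetched, can be inverted into a member-to-groups index and also expanded through nested groups, which is what the post hopes searchTransitiveGroups() would give in one step. The following is an added example, not code from the question or from Google; it assumes the group list and per-group membership lists have already been saved from the `gcloud beta identity groups ...` commands with `--format=json`, and the sample JSON below is constructed in that output shape (group emails, member emails and project name are made up).

```python
import json
from collections import defaultdict, deque

# Constructed sample in the shape of:
#   gcloud beta identity groups search ... --format=json
#     -> {"groups": [{"name": ..., "groupKey": {"id": "<group email>"}}, ...]}
#   gcloud beta identity groups memberships list --group-email=... --format=json
#     -> [{"memberKey": {"id": "<member email>"}, "roles": [...]}, ...]
GROUPS_JSON = """
{"groups": [
  {"name": "groups/aaa", "groupKey": {"id": "platform-admins@example.com"}},
  {"name": "groups/bbb", "groupKey": {"id": "all-engineering@example.com"}},
  {"name": "groups/ccc", "groupKey": {"id": "billing-viewers@example.com"}}
]}
"""
MEMBERSHIPS_JSON = {
    "platform-admins@example.com": """[
      {"memberKey": {"id": "deploy-sa@my-project.iam.gserviceaccount.com"}, "roles": [{"name": "MEMBER"}]},
      {"memberKey": {"id": "alice@example.com"}, "roles": [{"name": "OWNER"}]}
    ]""",
    # a group nested inside another group: members of platform-admins are
    # transitively members of all-engineering
    "all-engineering@example.com": """[
      {"memberKey": {"id": "platform-admins@example.com"}, "roles": [{"name": "MEMBER"}]},
      {"memberKey": {"id": "bob@example.com"}, "roles": [{"name": "MEMBER"}]}
    ]""",
    "billing-viewers@example.com": """[
      {"memberKey": {"id": "bob@example.com"}, "roles": [{"name": "MEMBER"}]}
    ]""",
}


def load_memberships(groups_json, memberships_json_by_group):
    """Return {group_email: [member_email, ...]} from the raw gcloud JSON documents."""
    groups = json.loads(groups_json)
    result = {}
    for group in groups.get("groups", []):
        email = group["groupKey"]["id"]
        raw = memberships_json_by_group.get(email, "[]")
        result[email] = [m["memberKey"]["id"] for m in json.loads(raw)]
    return result


def invert(memberships):
    """Inverse index of direct memberships: {member_email: {group_email, ...}}.

    Emails are compared case-insensitively, as Google does for group keys."""
    index = defaultdict(set)
    for group, members in memberships.items():
        for member in members:
            index[member.lower()].add(group)
    return index


def groups_for_member(index, member, transitive=False):
    """Groups that `member` belongs to directly; with transitive=True, also the
    groups reached because one of its groups is itself a member of another group.
    A visited set guards against group cycles."""
    seen = set()
    queue = deque(index.get(member.lower(), ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        if transitive:
            queue.extend(index.get(group.lower(), ()))
    return sorted(seen)


if __name__ == "__main__":
    index = invert(load_memberships(GROUPS_JSON, MEMBERSHIPS_JSON))
    sa = "deploy-sa@my-project.iam.gserviceaccount.com"
    print("direct:    ", groups_for_member(index, sa))
    print("transitive:", groups_for_member(index, sa, transitive=True))
```

Once the index is built, looking up any number of service accounts is a dictionary hit rather than one `gcloud ... memberships list` call per group, and the transitive walk surfaces access granted through nested groups that a direct-membership grep misses.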