Comparing permissions in two Google Cloud IAM roles
Sometimes you have to compare two Google Cloud IAM roles, and when they have lots of permissions assigned it can be difficult (or at least tedious) to spot the differences.
dyff's semantic YAML diff makes it quick and obvious: it compares the two documents by key and by list entry rather than line by line, so only the permissions and fields that actually differ show up.
We'll need:
- The gcloud CLI tool (configured and logged in, of course)
- dyff (you can do it with diff, but it's uglier)
Example (these are predefined roles; for a custom role, add --project=PROJECT_ID or --organization=ORG_ID to the describe command so gcloud looks it up in the right place). The two variables must be set on their own lines, not as prefixes of the dyff command, because the shell expands them inside the process substitutions before dyff starts:

```bash
SOURCE_ROLE='roles/dataproc.admin'
DESTINATION_ROLE='roles/dataproc.editor'
dyff between \
  <(gcloud iam roles describe "${SOURCE_ROLE}" --format=yaml) \
  <(gcloud iam roles describe "${DESTINATION_ROLE}" --format=yaml)
```
That will give us this output (but in pretty highlighted colors) in our terminal:
```
     _        __  __
   _| |_   _ / _|/ _|  between /dev/fd/13
 / _' | | | | |_| |_   and /dev/fd/14
| (_| | |_| |  _|  _|
 \__,_|\__, |_| |_|    returned four differences
       |___/

description
  ± value change
    - Full control of Dataproc resources.
    + Full control of Dataproc resources. Allows viewing all networks.

includedPermissions
  - ten list entries removed:
    - dataproc.autoscalingPolicies.getIamPolicy
    - dataproc.autoscalingPolicies.setIamPolicy
    - dataproc.clusters.getIamPolicy
    - dataproc.clusters.setIamPolicy
    - dataproc.jobs.getIamPolicy
    - dataproc.jobs.setIamPolicy
    - dataproc.operations.getIamPolicy
    - dataproc.operations.setIamPolicy
    - dataproc.workflowTemplates.getIamPolicy
    - dataproc.workflowTemplates.setIamPolicy

name
  ± value change
    - roles/dataproc.admin
    + roles/dataproc.editor

title
  ± value change
    - Dataproc Administrator
    + Dataproc Editor
```
Note what the ten removed entries have in common: they are all the *.getIamPolicy and *.setIamPolicy permissions. The editor role can still create and manage Dataproc resources, but it can no longer read or change who else has access to them, and that is usually the difference that matters when deciding which of two roles to grant.
We could use different options, like -b to remove the fancy dyff header, or -o to change the output format, for example to GitHub diff, and get syntax highlighting in some places:
```bash
SOURCE_ROLE='roles/dataproc.admin'
DESTINATION_ROLE='roles/dataproc.editor'
dyff between -o github \
  <(gcloud iam roles describe "${SOURCE_ROLE}" --format=yaml) \
  <(gcloud iam roles describe "${DESTINATION_ROLE}" --format=yaml)
```
Output:

```
@@ description @@
! ± value change
  - Full control of Dataproc resources.
  + Full control of Dataproc resources. Allows viewing all networks.

@@ includedPermissions @@
! - ten list entries removed:
  - - dataproc.autoscalingPolicies.getIamPolicy
  - - dataproc.autoscalingPolicies.setIamPolicy
  - - dataproc.clusters.getIamPolicy
  - - dataproc.clusters.setIamPolicy
  - - dataproc.jobs.getIamPolicy
  - - dataproc.jobs.setIamPolicy
  - - dataproc.operations.getIamPolicy
  - - dataproc.operations.setIamPolicy
  - - dataproc.workflowTemplates.getIamPolicy
  - - dataproc.workflowTemplates.setIamPolicy

@@ name @@
! ± value change
  - roles/dataproc.admin
  + roles/dataproc.editor

@@ title @@
! ± value change
  - Dataproc Administrator
  + Dataproc Editor
```
Check the options for more fun:

```bash
dyff between --help
```
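For scripts and CI jobs where dyff is not installed, the "diff but uglier" route from the requirements list works too. The following is an added example, not code from the original post: it pulls the includedPermissions list out of two role descriptions with awk, reports what the second role lacks or adds relative to the first, and counts the removed entries that grant the ability to change access (the setIamPolicy ones). The two role documents are constructed, heavily trimmed stand-ins for gcloud iam roles describe output (the real roles carry far more permissions); the function names removed, added, policy_changes_removed and report are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compare the includedPermissions
# of two IAM role descriptions with plain POSIX tools and flag the removed
# entries that control who has access to a resource.
set -eu
export LC_ALL=C   # comm needs both inputs sorted under the same collation

# Constructed, trimmed stand-ins for `gcloud iam roles describe ROLE --format=yaml`.
# In practice: ROLE_A=$(gcloud iam roles describe roles/dataproc.admin --format=yaml)
ROLE_A=$(cat <<'EOF'
description: Full control of Dataproc resources.
etag: AA==
includedPermissions:
- dataproc.clusters.create
- dataproc.clusters.getIamPolicy
- dataproc.clusters.setIamPolicy
- dataproc.jobs.create
- dataproc.jobs.setIamPolicy
name: roles/dataproc.admin
stage: GA
title: Dataproc Administrator
EOF
)
ROLE_B=$(cat <<'EOF'
description: Full control of Dataproc resources. Allows viewing all networks.
etag: AA==
includedPermissions:
- dataproc.clusters.create
- dataproc.clusters.list
- dataproc.jobs.create
name: roles/dataproc.editor
stage: GA
title: Dataproc Editor
EOF
)

# perms ROLE_YAML: print the includedPermissions entries, one per line, sorted.
# The awk state machine only collects "- item" lines between the
# includedPermissions: key and the next top-level key.
perms() {
  printf '%s\n' "$1" | awk '
    /^includedPermissions:/ { inlist = 1; next }
    /^[^- ]/                { inlist = 0 }
    inlist && /^- /         { print $2 }
  ' | sort
}

# role_name ROLE_YAML: the value of the top-level name: key.
role_name() { printf '%s\n' "$1" | awk '/^name:/ { print $2 }'; }

# _compare COMM_FLAGS ROLE_YAML_1 ROLE_YAML_2: set difference via comm(1),
# using temp files because process substitution is not POSIX sh.
_compare() {
  a=$(mktemp); b=$(mktemp)
  perms "$2" >"$a"; perms "$3" >"$b"
  comm "$1" "$a" "$b"
  rm -f "$a" "$b"
}
# removed A B: permissions A has that B lacks; added A B: the reverse.
removed() { _compare -23 "$1" "$2"; }
added()   { _compare -13 "$1" "$2"; }

# Count of removed permissions that let the holder change who has access.
# Losing these is what separates an "admin" role from an "editor" role.
policy_changes_removed() {
  removed "$1" "$2" | grep -c '\.setIamPolicy$' || true
}

report() {
  printf 'Going from %s to %s\n' "$(role_name "$1")" "$(role_name "$2")"
  printf 'Removed:\n'; removed "$1" "$2" | sed 's/^/  - /'
  printf 'Added:\n';   added "$1" "$2"   | sed 's/^/  + /'
  printf 'Access-granting (setIamPolicy) permissions dropped: %s\n' \
    "$(policy_changes_removed "$1" "$2")"
}

report "$ROLE_A" "$ROLE_B"
```

The awk filter stops at the next top-level key on purpose: gcloud emits other lists (for example in stage or etag metadata on some roles) and a naive grep for leading dashes would pick those up too. Swap the two arguments to see what a role gains instead of what it loses.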