Skip to content

GCP Pre Onboarding Check

Before onboarding SailPoint Entro’s GCP integration, use the script below to verify that the onboarding user has access to relevant projects and that logs are enabled.

A report file will be generated to report.txt, especially useful if the onboarding user has access to many projects.

Note

Run this script with gcloud configured for the onboarding user. The script writes detailed output to report.txt.

gcp_pre_onboarding_check.sh

#!/bin/bash

# Output file for the report
REPORT_FILE="report.txt"
echo "Starting role and log check..." | tee -a "$REPORT_FILE"
echo "Output is saved to $REPORT_FILE"

# Check for broad roles and logs across all projects in the organization
echo "Checking roles and log settings across all projects..." | tee -a "$REPORT_FILE"

# Get the organization ID
ORG_ID=$(gcloud organizations list --format='value(name)')
if [ -z "$ORG_ID" ]; then
    echo "Error: Unable to fetch organization ID. Ensure you have access to an organization." | tee -a "$REPORT_FILE"
    exit 1
fi

# Get the current user's email
CURRENT_USER=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
if [ -z "$CURRENT_USER" ]; then
    echo "Error: Unable to determine the active user." | tee -a "$REPORT_FILE"
    exit 1
fi
echo "Organization ID: $ORG_ID" | tee -a "$REPORT_FILE"
echo "Active user: $CURRENT_USER" | tee -a "$REPORT_FILE"

# List all projects under the organization
PROJECTS=$(gcloud projects list --filter="parent.id=$ORG_ID AND parent.type=organization" --format="value(projectId)")
if [ -z "$PROJECTS" ]; then
    echo "Error: No projects found under the organization." | tee -a "$REPORT_FILE"
    exit 1
fi
echo -e "\nFound projects:" | tee -a "$REPORT_FILE"
echo "$PROJECTS" | tee -a "$REPORT_FILE"

# Function to check if the user has a specific role in a project
check_role_in_project() {
    local PROJECT_ID=$1
    local ROLE=$2
    echo -n "    Checking for role: $ROLE... "| tee -a "$REPORT_FILE"
    IAM_POLICY=$(gcloud projects get-iam-policy $PROJECT_ID --format="json")
    if echo "$IAM_POLICY" | grep -q "$ROLE" && echo "$IAM_POLICY" | grep -q "$CURRENT_USER"; then
        echo "✅ Assigned" | tee -a "$REPORT_FILE"
    else
        echo "❌ Not assigned" | tee -a "$REPORT_FILE"
    fi
}

# Function to check if logs are enabled for a project
check_logs_enabled() {
    local PROJECT_ID=$1
    LOGGING_STATUS=$(gcloud services list --enabled --filter="config.name=logging.googleapis.com" --project=$PROJECT_ID --format="value(config.name)")
    if [ "$LOGGING_STATUS" == "logging.googleapis.com" ]; then
        echo "    ✅ Logs are enabled" | tee -a "$REPORT_FILE"
    else
        echo "    ❌ Logs are NOT enabled" | tee -a "$REPORT_FILE"
    fi
}

# Check roles and logs for all projects
for PROJECT_ID in $PROJECTS; do
    echo -e "\nChecking project: $PROJECT_ID" | tee -a "$REPORT_FILE"
    echo "  Checking roles:" | tee -a "$REPORT_FILE"
    for ROLE in "roles/owner" "roles/editor" "roles/viewer"; do
        check_role_in_project $PROJECT_ID $ROLE
    done

    echo "  Checking log settings:" | tee -a "$REPORT_FILE"
    check_logs_enabled $PROJECT_ID
done

echo -e "\nRole and log check completed." | tee -a "$REPORT_FILE"
echo "Report saved to $REPORT_FILE"