
# Identity and Access Management

SureCloud connects to GCP Identity and Access Management to enumerate all IAM policy bindings at the organisation, folder, and project level. SureCloud identifies members with Owner or Editor primitive roles, detects service accounts with external keys that have not been rotated, and surfaces policy bindings that grant access to `allUsers` or `allAuthenticatedUsers`. This provides continuous visibility into who can access what across your GCP estate, and flags the highest-risk identity configurations for review.
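
The checks described above, applied to a single `getIamPolicy` response, as an added example (not SureCloud's code). The policy document is constructed for the example; the `bindings`/`role`/`members` shape follows the GCP IAM policy format, and the role and principal names flagged are the ones the text names.

```python
from collections import defaultdict

# Constructed sample shaped like a cloudresourcemanager.projects.getIamPolicy
# response. The project, members and etag are made up for this example.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/logging.viewer", "members": ["group:sec@example.com"]},
    ],
}

# The two primitive roles singled out above, and the two principals that make
# a binding public.
HIGH_RISK_PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def find_risky_bindings(policy: dict) -> list[dict]:
    """Return one finding per (role, member) pair that is a primitive
    Owner/Editor grant, a public-principal grant, or both.
    A binding's IAM condition (if any) is carried along, not evaluated."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            reasons = []
            if role in HIGH_RISK_PRIMITIVE_ROLES:
                reasons.append("primitive-role")
            if member in PUBLIC_PRINCIPALS:
                reasons.append("public-principal")
            if reasons:
                findings.append({
                    "role": role,
                    "member": member,
                    "reasons": reasons,
                    "condition": binding.get("condition"),
                })
    return findings


def access_by_member(policy: dict) -> dict[str, set[str]]:
    """Invert the policy into member -> set of roles ("who can access what")."""
    roles_for = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_for[member].add(binding["role"])
    return dict(roles_for)


if __name__ == "__main__":
    for f in find_risky_bindings(SAMPLE_POLICY):
        print(f"{f['role']:<28} {f['member']:<55} {','.join(f['reasons'])}")
    for member, roles in sorted(access_by_member(SAMPLE_POLICY).items()):
        print(member, "->", sorted(roles))
```

Run it against the JSON returned for each project (or against the aggregated bindings from `searchAllIamPolicies`) and review every finding; a `condition` on a binding narrows when it applies, so conditional grants are still reported here rather than silently dropped.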

## Endpoints

| API Call                                          | Use Case                                                                  |
| ------------------------------------------------- | ------------------------------------------------------------------------- |
| `cloudresourcemanager.projects.getIamPolicy`      | Read project-level IAM bindings for every project in the organisation     |
| `cloudresourcemanager.organizations.getIamPolicy` | Read organisation-level IAM bindings                                      |
| `iam.projects.serviceAccounts.list`               | Enumerate service accounts per project                                    |
| `iam.projects.serviceAccounts.keys.list`          | List service account keys and their creation dates; detect unrotated keys |
| `cloudasset.assets.searchAllIamPolicies`          | Search and aggregate IAM policy bindings across the entire organisation   |
| `iam.organizations.roles.list`                    | Enumerate custom IAM roles defined at the organisation level              |
| `iam.projects.roles.list`                         | Enumerate custom IAM roles defined at the project level                   |

## Pagination

GCP API list responses include a `nextPageToken` field when further results exist. SureCloud passes the token as the `pageToken` query parameter in successive requests until the response contains no `nextPageToken`.

```json
{
  "serviceAccounts": [
    { "name": "projects/my-project/serviceAccounts/surecloud-ccm@my-project.iam.gserviceaccount.com", ... }
  ],
  "nextPageToken": "Cg8KDWFub3RoZXItYWNjb3VudA=="
}
```
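
The token-following loop described above, as an added example (not SureCloud's code). The HTTP layer is replaced by a constructed in-memory "server" holding three pages of a `serviceAccounts.list` result; the base URL is the public IAM v1 endpoint, and the tokens, project and account names are made up. The loop also refuses to follow a `nextPageToken` it has already seen, so a misbehaving response cannot spin it forever.

```python
from typing import Callable, Iterator, Optional
from urllib.parse import urlencode

# Constructed stand-in for the HTTP layer: three pages of an
# iam.projects.serviceAccounts.list result, keyed by the pageToken the client
# would send (None for the first request). All values are made up.
_FAKE_PAGES = {
    None: {
        "serviceAccounts": [
            {"name": "projects/my-project/serviceAccounts/sa-1@my-project.iam.gserviceaccount.com"},
            {"name": "projects/my-project/serviceAccounts/sa-2@my-project.iam.gserviceaccount.com"},
        ],
        "nextPageToken": "tok-page-2",
    },
    "tok-page-2": {
        "serviceAccounts": [
            {"name": "projects/my-project/serviceAccounts/sa-3@my-project.iam.gserviceaccount.com"},
        ],
        "nextPageToken": "tok-page-3",
    },
    # Last page: no nextPageToken, so the loop stops after this one.
    "tok-page-3": {
        "serviceAccounts": [
            {"name": "projects/my-project/serviceAccounts/sa-4@my-project.iam.gserviceaccount.com"},
        ],
    },
}

BASE_URL = "https://iam.googleapis.com/v1/projects/my-project/serviceAccounts"


def page_url(base_url: str, page_token: Optional[str]) -> str:
    """URL for one page; pageToken is added only when a previous page gave us one."""
    if page_token is None:
        return base_url
    return f"{base_url}?{urlencode({'pageToken': page_token})}"


def fake_fetch(page_token: Optional[str]) -> dict:
    """Stands in for GET page_url(BASE_URL, page_token) with a bearer token."""
    return _FAKE_PAGES[page_token]


def iterate_pages(fetch: Callable[[Optional[str]], dict], items_key: str) -> Iterator[dict]:
    """Yield every item across pages, following nextPageToken until it is absent."""
    token: Optional[str] = None
    seen = set()
    while True:
        page = fetch(token)
        yield from page.get(items_key, [])
        token = page.get("nextPageToken")
        if not token:
            return
        if token in seen:
            raise RuntimeError(f"pageToken {token!r} repeated; aborting to avoid a loop")
        seen.add(token)


def list_all_service_accounts(fetch: Callable[[Optional[str]], dict] = fake_fetch) -> list[str]:
    """Collect service account names from every page of the listing."""
    return [sa["name"] for sa in iterate_pages(fetch, "serviceAccounts")]


if __name__ == "__main__":
    for name in list_all_service_accounts():
        print(name)
```

To run this against a real project, replace `fake_fetch` with a function that performs the authenticated GET on `page_url(BASE_URL, token)` and returns the decoded JSON; `iterate_pages` is generic over the item key, so the same loop serves `keys.list` and the other list endpoints in the table above.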

## Required permissions

| Role                                       | Grants                                                                            |
| ------------------------------------------ | --------------------------------------------------------------------------------- |
| `roles/iam.securityReviewer`               | Read IAM policies, service accounts, and service account keys across all projects |
| `roles/resourcemanager.organizationViewer` | Read organisation-level IAM policies and list projects                            |
| `roles/cloudasset.viewer`                  | Run Cloud Asset Inventory searches for IAM policy aggregation                     |

Roles must be assigned at the **organisation** scope. Project-level roles will limit SureCloud to that project only.

## Troubleshooting

<details>

<summary>Service account keys show no rotation date or appear as "user-managed" keys only</summary>

SureCloud distinguishes between Google-managed keys (rotated automatically) and user-managed keys (JSON keys created via the console or API). Only user-managed keys appear with creation dates in the `keys.list` response. Google-managed keys are excluded.

If a service account appears with no user-managed keys in SureCloud, it is using only Google-managed keys — this is the recommended and more secure configuration.
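
The key-type distinction above, as an added example (not SureCloud's code): filter a `keys.list` response down to user-managed keys, report those older than a rotation window, and classify the account as Google-managed-only when no user-managed key exists. The response is constructed; the field names `keyType`, `keyOrigin`, `validAfterTime` and `validBeforeTime` follow the public IAM v1 API, and `validAfterTime` is used here as the key's creation time (an assumption of this example). The 90-day window is a parameter, not a value from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an iam.projects.serviceAccounts.keys.list
# response; key ids and timestamps are made up.
SA = "projects/my-project/serviceAccounts/app@my-project.iam.gserviceaccount.com"
SAMPLE_KEYS = {
    "keys": [
        {"name": f"{SA}/keys/aaaa1111", "keyType": "SYSTEM_MANAGED",
         "keyOrigin": "GOOGLE_PROVIDED",
         "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-15T00:00:00Z"},
        {"name": f"{SA}/keys/bbbb2222", "keyType": "USER_MANAGED",
         "keyOrigin": "GOOGLE_PROVIDED",
         "validAfterTime": "2023-01-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
        {"name": f"{SA}/keys/cccc3333", "keyType": "USER_MANAGED",
         "keyOrigin": "USER_PROVIDED",
         "validAfterTime": "2024-04-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    ]
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form the API uses for timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def user_managed_keys(keys_response: dict) -> list[dict]:
    """Keep only user-managed keys; SYSTEM_MANAGED keys are rotated by Google."""
    return [k for k in keys_response.get("keys", []) if k.get("keyType") == "USER_MANAGED"]


def unrotated_keys(keys_response: dict, now: datetime, max_age_days: int = 90) -> list[dict]:
    """User-managed keys whose validAfterTime (taken as creation time) is
    older than max_age_days, with their age in days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in user_managed_keys(keys_response):
        created = parse_rfc3339(key["validAfterTime"])
        if created < cutoff:
            stale.append({"name": key["name"], "age_days": (now - created).days})
    return stale


def key_posture(keys_response: dict) -> str:
    """'google-managed-only' when no user-managed key exists (the recommended state)."""
    return "user-managed-present" if user_managed_keys(keys_response) else "google-managed-only"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(key_posture(SAMPLE_KEYS))
    for k in unrotated_keys(SAMPLE_KEYS, now):
        print(f"{k['age_days']:>5}d  {k['name']}")
```

Pass a fixed `now` when testing so the ages are reproducible; in production use the current time and pick the rotation window your policy requires.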

</details>

<details>

<summary>IAM bindings for some projects are not appearing</summary>

The `cloudasset.assets.searchAllIamPolicies` call requires the `roles/cloudasset.viewer` role. If this role was not added during setup, per-project IAM binding collection will fall back to individual `getIamPolicy` calls, and projects where the service account has no project-level access will be skipped.

Add `roles/cloudasset.viewer` to the service account at the organisation scope to enable full coverage.

</details>

<details>

<summary>Custom IAM roles are not visible in SureCloud</summary>

Custom roles are enumerated at both the project and organisation scope. If custom roles are missing, confirm the SureCloud service account has `roles/iam.securityReviewer` at the organisation level. This role grants `iam.roles.get` and `iam.roles.list` at all scopes.

</details>
