Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BigQuery CAI Scripts #394

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

BigQuery CAI Scripts #394

wants to merge 6 commits into from

Conversation

timothymanuel
Copy link
Collaborator

The CAI Scripts help analyze the CAI export tables in BigQuery to understand mappings of roles or permissions to resources within GCP.

This first pull request has a couple of scripts to understand the IAM Principals that can access BigQuery tables in the Organization. This script will enable Data Stewards / Platform Owners understand who has access to what table in BigQuery.

@timothymanuel timothymanuel self-assigned this Jan 16, 2024
@timothymanuel timothymanuel requested a review from zhaber January 29, 2024 16:38
zhaber
zhaber reviewed Jan 31, 2024
View reviewed changes
scripts/cloud_asset_inventory/README.md

### [BigQuery Table Readers](./bq_table_all_readers.sql)

This script will help Data Stewards or Platform Owners determine the which are the IAM Principals (groups, user or service accounts) that can read data from a BigQuery table.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo

scripts/cloud_asset_inventory/bq_table_all_editors.sql
* 5. Replace <RESOURCE_TABLE> with the Resource table name from the CAI Export
* 6. Replace <IAM_POLICY_TABLE> with the IAM Policy table name from the CAI Export
*
* The schema of the table - `bigquery_table_all_editors` is given in ./schema/table_all_readers_schema.json
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the json file name does not match

scripts/cloud_asset_inventory/bq_table_all_readers.sql
*/
DECLARE read_date STRING DEFAULT "2023-12-01";

CREATE SCHEMA IF NOT EXISTS cai_analysis;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two scripts are almost identical, does it make sense to make them DRY?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zhaber zhaber zhaber left review comments

@ryanmcdowell ryanmcdowell Awaiting requested review from ryanmcdowell

@danieldeleo danieldeleo Awaiting requested review from danieldeleo

At least 1 approving review is required to merge this pull request.

Assignees

@timothymanuel timothymanuel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@timothymanuel @zhaber