10.6 C
Tuesday, November 21, 2023

Clear Accounts Over Permissions In GCP Infra At Scale

Clear up of over permissioned IAM accounts on GCP infra in an automated means

CureIAM is an easy-to-use, dependable, and performant engine for Least Privilege Precept Enforcement on GCP cloud infra. It permits DevOps and Safety group to shortly clear up accounts in GCP infra which have granted permissions of greater than what are required. CureIAM fetches the suggestions and insights from GCP IAM recommender, scores them and implement these suggestions routinely on day by day fundamental. It takes care of scheduling and all different facets of operating these enforcement jobs at scale. It’s constructed on high of GCP IAM recommender APIs and Cloudmarker framework.

Key options

Uncover what makes CureIAM scalable and manufacturing grade.

  • Config pushed : The complete workflow of CureIAM is config pushed. Skip to Config part to know extra about it.
  • Scalable : Its is designed to scale due to its plugin pushed, multiprocess and multi-threaded method.
  • Handles Scheduling: Scheduling half is embedded in CureIAM code itself, configure the time, and CureIAM will run day by day at the moment be aware.
  • Plugin pushed: CureIAM codebase is totally plugin oriented, which implies, one can plug and play the present plugins or create new so as to add extra performance to it.
  • Monitor actionable insights: Each motion that CureIAM takes, is recorded for audit objective, It might probably try this in file retailer and in elasticsearch retailer. In order for you you’ll be able to construct different retailer plugins to push that to different shops for monitoring functions.
  • Scoring and Enforcement: Each advice that’s fetch by CureIAM is scored towards varied parameters, after that couple of scores like safe_to_apply_score, risk_score, over_privilege_score. Every rating serves a special objective. For safe_to_apply_score identifies the potential to use advice on automated foundation, primarily based on the edge set in CureIAM.yaml config file.


Since CureIAM is constructed with python, you’ll be able to run it domestically with these instructions. Earlier than operating be certain to have a configuration file prepared in both of /and so on/CureIAM.yaml, ~/.CureIAM.yaml, ~/CureIAM.yaml, or CureIAM.yaml and there’s Service account JSON file current in present listing with identify ideally cureiamSA.json. This SA non-public key could be named something, however for docker picture construct, it’s most well-liked to make use of this identify. Make you to reference this file in config for GCP cloud.

# Set up needed dependencies
$ pip set up -r necessities.txt

# Run CureIAM now
$ python -m CureIAM -n

# Run CureIAM course of as schedular
$ python -m CureIAM

# Test CureIAM assist
$ python -m CureIAM --help

CureIAM could be additionally run inside a docker surroundings, that is utterly non-compulsory and can be utilized for CI/CD with K8s cluster deployment.

# Construct docker picture from dockerfile
$ docker construct -t cureiam .

# Run the picture, as schedular
$ docker run -d cureiam

# Run the picture now
$ docker run -f cureiam -m cureiam -n


CureIAM.yaml configuration file is the center of CureIAM engine. All the pieces that engine does it does it primarily based on the pipeline configured on this config file. Let’s break this down in several sections to make this config look easier.

  1. Let’s configure first part, which is logging configuration and scheduler configuration.
model: 1

disable_existing_loggers: false

format: >-
%(identify)s:%(lineno)d - %(message)s
datefmt: "%Y-%m-%d %H:%M:%S"

class: wealthy.logging.RichHandler
formatter: verysimple

class: logging.handlers.TimedRotatingFileHandler
formatter: easy
filename: /tmp/CureIAM.log
when: midnight
encoding: utf8
backupCount: 5

stage: INFO

stage: INFO
- rich_console
- file

schedule: "16:00"

This subsection of config makes use of, Wealthy logging module and schedules CureIAM to run day by day at 16:00.

  1. Subsequent part is configure totally different modules, which we MIGHT use in pipeline. This falls beneath plugins part in CureIAM.yaml. You possibly can consider this part as declaration for various plugins.
plugin: CureIAM.plugins.gcp.gcpcloud.GCPCloudIAMRecommendations
key_file_path: cureiamSA.json

plugin: CureIAM.plugins.recordsdata.filestore.FileStore

plugin: CureIAM.plugins.gcp.gcpcloudiam.GCPIAMRecommendationProcessor
mode_scan: true
mode_enforce: true
key_file_path: cureiamSA.json
- alpha
- beta
- [email protected]
- consumer
- group
- serviceAccount
- None
min_safe_to_apply_score_user: 0
min_safe_to_apply_scor e_group: 0
min_safe_to_apply_score_SA: 50

plugin: CureIAM.plugins.elastic.esstore.EsStore
# Change http to https later in case your elastic are utilizing https
scheme: http
host: es-host.com
port: 9200
index: cureiam-stg
username: safety
password: securepassword

Every of those plugins declaration needs to be of this kind:

plugin: <class-name-as-python-path>
param1: val1
param2: val2

For instance, for plugins CureIAM.shops.esstore.EsStore which is this file and sophistication EsStore. All of the params that are outlined in yaml has to match the declaration in __init__() operate of the identical plugin class.

  1. As soon as plugins are outlined , subsequent step is to outline the way to outline pipeline for auditing. And it goes like this:
- gcpCloud
- gcpIamProcessor
- filestore
- esstore

A number of Audits could be created out of this. The one created right here is known as IAMAudit with three plugins in use, gcpCloud, gcpIamProcessor, filestores and esstore. Word these are the identical plugin names outlined in Step 2. Once more that is like defining the pipeline, not truly operating it. Will probably be thought-about for operating with definition in subsequent step.

  1. Inform CureIAM to run the Audits outlined in earlier step.

And this makes your complete configuration for CureIAM, you could find the complete pattern right here, this config pushed pipeline idea is inherited from Cloudmarker framework.


The JSON which is listed in elasticsearch utilizing Elasticsearch retailer plugin, can be utilized to generate dashboard in Kibana.


[Please do!] We’re in search of any type of contribution to enhance CureIAM’s core funtionality and documentation. When doubtful, make a PR!


Gojek Product Safety Workforce





  • Breaking down the massive code into a number of small operate
  • Transferring all plugins into plugins folder: Esstore, recordsdata, Cloud and GCP.
  • Including fixes into zero divide points
  • Migration to new main model of elastic
  • Change configuration in CureIAM.yaml file
  • Examined in python model 3.9.X

Library Updates

Including the model in library to keep away from any again compatibility points.

  • Elastic==8.7.0 # beforehand 7.17.9
  • elasticsearch==8.7.0
  • google-api-python-client==2.86.0
  • PyYAML==6.0
  • schedule==1.2.0
  • wealthy==13.3.5

Docker Information

  • Including Docker Compose for native Elastic and Kibana in elastic
  • Including .env-ex change .env-ex to .env to earlier than operating the docker
Operating docker compose: docker-compose -f docker_compose_es.yaml up 


  • Including the potential to run scan with out making use of the advice. By default, if mode_scan is fake, mode_enforce will not be operating.
      mode_scan: true
mode_enforce: false
  • Flip off the e-mail operate briefly.

Latest news
Related news


Please enter your comment!
Please enter your name here