Google Cloud IAM (Organization Level)

Description

The Google Cloud IAM connector scans IAM policy bindings at the organization and folder level within a Google Cloud organization. It complements the project-level GCP connector by discovering who has permissions across the entire organization hierarchy — identifying members (users, service accounts, groups) with elevated organization-wide or folder-wide IAM roles.

Authentication uses the same OAuth 2.0 JWT service-account flow as the GCP connector.

System Type Classification

Field	Value
System Type	Infrastructure
Default Scan Priority	500

Version Support

OrbisID Edition	Supported
Community	No
Pro	Yes
Enterprise	Yes

Supported Protocol

Protocol	Port	Notes
Google Cloud Resource Manager REST API (HTTPS + OAuth 2.0 JWT)	443 TCP	Service account bearer flow

What OrbisID Discovers

Data	Source
Organization IAM policy members and role bindings	`POST /v3/organizations/{orgId}:getIamPolicy`
Top-level folders	`GET /v3/folders?parent=organizations/{orgId}`
Folder IAM policy bindings	`POST /v3/folders/{folderId}:getIamPolicy`
IAM members by type	`user:`, `serviceAccount:`, `group:` prefixes extracted from bindings

Privileged Roles Detected

roles/owner, roles/editor, roles/iam.securityAdmin, roles/iam.roleAdmin, roles/resourcemanager.organizationAdmin, roles/resourcemanager.folderAdmin, roles/resourcemanager.projectIamAdmin, roles/iam.serviceAccountAdmin, roles/billing.admin

Difference from the GCP Connector

Feature	GCP Connector	Google Cloud IAM Connector
Scope	Single project	Entire organization + folders
Primary discovery	Service accounts, project IAM policy	Members across org and folder IAM policies
Attribute	`gcpProjectId`	`googleCloudOrgId`
Use case	Project-level privilege discovery	Org-wide privilege discovery

Connection Requirements

GCP Service Account

Create a dedicated GCP service account and grant it organization-level IAM read access.

Required IAM permissions at the organization level:

Permission	Purpose
`resourcemanager.organizations.getIamPolicy`	Read the organization IAM policy
`resourcemanager.folders.list`	Enumerate top-level folders
`resourcemanager.folders.getIamPolicy`	Read IAM policies on folders

Recommended role: roles/iam.securityReviewer at the organization level.

Steps:

In the GCP Console, navigate to IAM & Admin → Service Accounts
Create a service account (e.g., orbisid-org-scanner@project.iam.gserviceaccount.com)
At the Organization level in IAM, grant this service account the Security Reviewer role
Under the service account, click Keys → Add Key → JSON and download the key file
Extract private_key and private_key_id from the JSON file

Credential Mapping

OrbisID Field	GCP Value
`credential.username`	Service account email
`credential.password`	Service account private key (PEM)
`credential.domain`	Private key ID (optional)

System Attributes

Attribute	Required	Description
`googleCloudOrgId`	Yes	Google Cloud organization ID (numeric, found in IAM & Admin → Settings)

Network Requirements

The OrbisID server (or On-Premise Agent) must have outbound HTTPS access to oauth2.googleapis.com and cloudresourcemanager.googleapis.com on port 443.

Configuration Steps

Create the GCP service account and grant Security Reviewer at the organization level
Download the JSON key and extract private_key and private_key_id
Create a Credential in OrbisID:
- Username: Service account email
- Password: Private key PEM (full -----BEGIN RSA PRIVATE KEY----- block)
- Domain: Private key ID (optional)
Navigate to Systems → Add System
Fill in the fields:

Field	Value
Name	Descriptive name (e.g., `Google Cloud IAM – my-org`)
Hostname	`cloudresourcemanager.googleapis.com` (for reference)
OS Type	`Google Cloud IAM`
System Type	`Infrastructure`
Credential	The service account credential

Add the googleCloudOrgId system attribute with the numeric organization ID
Click Test Connection to verify the service account can obtain a token
Click Save

Troubleshooting

Symptom	Likely Cause	Resolution
Scan fails: "googleCloudOrgId is required"	Attribute not set	Add `googleCloudOrgId` in system attributes
`403 PERMISSION_DENIED` on org policy	Missing `resourcemanager.organizations.getIamPolicy`	Grant `Security Reviewer` at the organization level in GCP IAM
`403 PERMISSION_DENIED` on folder list	Missing `resourcemanager.folders.list`	Included in `Security Reviewer` — verify the role is granted at org level
Token error / `invalid_grant`	Private key revoked or malformed	Re-download the JSON key file; ensure the PEM is complete
No members returned	Org has no IAM bindings at org/folder level	Verify `googleCloudOrgId` is correct; check the IAM policy in GCP Console

Description​

System Type Classification​

Version Support​

Supported Protocol​

What OrbisID Discovers​

Privileged Roles Detected​

Difference from the GCP Connector​

Connection Requirements​

GCP Service Account​

Credential Mapping​

System Attributes​

Network Requirements​

Configuration Steps​

Troubleshooting​