cartography 0.99.0rc1__py3-none-any.whl → 0.100.0rc2__py3-none-any.whl

cartography/_version.py

@@ -1,8 +1,13 @@
-# file generated by setuptools_scm
+# file generated by setuptools-scm
 # don't change, don't track in version control
+
+__all__ = ["__version__", "__version_tuple__", "version", "version_tuple"]
+
 TYPE_CHECKING = False
 if TYPE_CHECKING:
-    from typing import Tuple, Union
+    from typing import Tuple
+    from typing import Union
+
     VERSION_TUPLE = Tuple[Union[int, str], ...]
 else:
     VERSION_TUPLE = object
@@ -12,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.99.0rc1'
-__version_tuple__ = version_tuple = (0, 99, 0)
+__version__ = version = '0.100.0rc2'
+__version_tuple__ = version_tuple = (0, 100, 0)

cartography/cli.py

@@ -439,9 +439,10 @@ class CLI:
             '--gsuite-auth-method',
             type=str,
             default='delegated',
-            choices=['delegated', 'oauth'],
+            choices=['delegated', 'oauth', 'default'],
             help=(
-                'The method used by GSuite to authenticate. delegated is the legacy one.'
+                'GSuite authentication method. Can be "delegated" for service account or "oauth" for OAuth. '
+                '"Default" best if using gcloud CLI.'
             ),
         )
         parser.add_argument(

cartography/intel/aws/apigateway.py

@@ -12,8 +12,13 @@ import neo4j
 from botocore.exceptions import ClientError
 from policyuniverse.policy import Policy
 
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.apigateway import APIGatewayRestAPISchema
+from cartography.models.aws.apigatewaycertificate import APIGatewayClientCertificateSchema
+from cartography.models.aws.apigatewayresource import APIGatewayResourceSchema
+from cartography.models.aws.apigatewaystage import APIGatewayStageSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -107,222 +112,146 @@ def get_rest_api_policy(api: Dict, client: botocore.client.BaseClient) -> Any:
     return policy
 
 
-@timeit
-def load_apigateway_rest_apis(
-    neo4j_session: neo4j.Session, rest_apis: List[Dict], region: str, current_aws_account_id: str,
-    aws_update_tag: int,
-) -> None:
-    """
-    Ingest the details of API Gateway REST APIs into neo4j.
+def transform_apigateway_rest_apis(
+    rest_apis: List[Dict], resource_policies: List[Dict], region: str, current_aws_account_id: str, aws_update_tag: int,
+) -> List[Dict]:
     """
-    ingest_rest_apis = """
-    UNWIND $rest_apis_list AS r
-    MERGE (rest_api:APIGatewayRestAPI{id:r.id})
-    ON CREATE SET rest_api.firstseen = timestamp(),
-    rest_api.createddate = r.createdDate
-    SET rest_api.version = r.version,
-    rest_api.minimumcompressionsize = r.minimumCompressionSize,
-    rest_api.disableexecuteapiendpoint = r.disableExecuteApiEndpoint,
-    rest_api.lastupdated = $aws_update_tag,
-    rest_api.region = $Region
-    WITH rest_api
-    MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-    MERGE (aa)-[r:RESOURCE]->(rest_api)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $aws_update_tag
+    Transform API Gateway REST API data for ingestion, including policy analysis
     """
+    # Create a mapping of api_id to policy data for easier lookup
+    policy_map = {
+        policy['api_id']: policy
+        for policy in resource_policies
+    }
 
-    # neo4j does not accept datetime objects and values. This loop is used to convert
-    # these values to string.
+    transformed_apis = []
     for api in rest_apis:
-        api['createdDate'] = str(api['createdDate']) if 'createdDate' in api else None
-
-    neo4j_session.run(
-        ingest_rest_apis,
-        rest_apis_list=rest_apis,
-        aws_update_tag=aws_update_tag,
-        Region=region,
-        AWS_ACCOUNT_ID=current_aws_account_id,
-    )
+        policy_data = policy_map.get(api['id'], {})
+        transformed_api = {
+            'id': api['id'],
+            'createdDate': str(api['createdDate']) if 'createdDate' in api else None,
+            'version': api.get('version'),
+            'minimumCompressionSize': api.get('minimumCompressionSize'),
+            'disableExecuteApiEndpoint': api.get('disableExecuteApiEndpoint'),
+            # Set defaults in the transform function
+            'anonymous_access': policy_data.get('internet_accessible', False),
+            'anonymous_actions': policy_data.get('accessible_actions', []),
+            # TODO Issue #1452: clarify internet exposure vs anonymous access
+        }
+        transformed_apis.append(transformed_api)
+
+    return transformed_apis
 
 
 @timeit
-def _load_apigateway_policies(
-        neo4j_session: neo4j.Session, policies: List, update_tag: int,
+def load_apigateway_rest_apis(
+    neo4j_session: neo4j.Session, data: List[Dict], region: str, current_aws_account_id: str,
+    aws_update_tag: int,
 ) -> None:
     """
-    Ingest API Gateway REST API policy results into neo4j.
-    """
-    ingest_policies = """
-    UNWIND $policies as policy
-    MATCH (r:APIGatewayRestAPI) where r.name = policy.api_id
-    SET r.anonymous_access = (coalesce(r.anonymous_access, false) OR policy.internet_accessible),
-    r.anonymous_actions = coalesce(r.anonymous_actions, []) + policy.accessible_actions,
-    r.lastupdated = $UpdateTag
+    Ingest API Gateway REST API data into neo4j.
     """
-
-    neo4j_session.run(
-        ingest_policies,
-        policies=policies,
-        UpdateTag=update_tag,
-    )
-
-
-def _set_default_values(neo4j_session: neo4j.Session, aws_account_id: str) -> None:
-    set_defaults = """
-    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(restApi:APIGatewayRestAPI)
-    where restApi.anonymous_actions IS NULL
-    SET restApi.anonymous_access = false, restApi.anonymous_actions = []
-    """
-
-    neo4j_session.run(
-        set_defaults,
-        AWS_ID=aws_account_id,
+    load(
+        neo4j_session,
+        APIGatewayRestAPISchema(),
+        data,
+        region=region,
+        lastupdated=aws_update_tag,
+        AWS_ID=current_aws_account_id,
     )
 
 
-@timeit
-def _load_apigateway_stages(
-        neo4j_session: neo4j.Session, stages: List, update_tag: int,
-) -> None:
+def transform_apigateway_stages(stages: List[Dict], update_tag: int) -> List[Dict]:
     """
-    Ingest the Stage resource details into neo4j.
+    Transform API Gateway Stage data for ingestion
     """
-    ingest_stages = """
-    UNWIND $stages_list AS stage
-    MERGE (s:APIGatewayStage{id: stage.arn})
-    ON CREATE SET s.firstseen = timestamp(), s.stagename = stage.stageName,
-    s.createddate = stage.createdDate
-    SET s.deploymentid = stage.deploymentId,
-    s.clientcertificateid = stage.clientCertificateId,
-    s.cacheclusterenabled = stage.cacheClusterEnabled,
-    s.cacheclusterstatus = stage.cacheClusterStatus,
-    s.tracingenabled = stage.tracingEnabled,
-    s.webaclarn = stage.webAclArn,
-    s.lastupdated = $UpdateTag
-    WITH s, stage
-    MATCH (rest_api:APIGatewayRestAPI{id: stage.apiId})
-    MERGE (rest_api)-[r:ASSOCIATED_WITH]->(s)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
-    """
-
-    # neo4j does not accept datetime objects and values. This loop is used to convert
-    # these values to string.
+    stage_data = []
     for stage in stages:
         stage['createdDate'] = str(stage['createdDate'])
-        stage['arn'] = "arn:aws:apigateway:::" + stage['apiId'] + "/" + stage['stageName']
-
-    neo4j_session.run(
-        ingest_stages,
-        stages_list=stages,
-        UpdateTag=update_tag,
-    )
+        stage['arn'] = f"arn:aws:apigateway:::{stage['apiId']}/{stage['stageName']}"
+        stage_data.append(stage)
+    return stage_data
 
 
-@timeit
-def _load_apigateway_certificates(
-        neo4j_session: neo4j.Session, certificates: List, update_tag: int,
-) -> None:
-    """
-    Ingest the API Gateway Client Certificate details into neo4j.
+def transform_apigateway_certificates(certificates: List[Dict], update_tag: int) -> List[Dict]:
     """
-    ingest_certificates = """
-    UNWIND $certificates_list as certificate
-    MERGE (c:APIGatewayClientCertificate{id: certificate.clientCertificateId})
-    ON CREATE SET c.firstseen = timestamp(), c.createddate = certificate.createdDate
-    SET c.lastupdated = $UpdateTag, c.expirationdate = certificate.expirationDate
-    WITH c, certificate
-    MATCH (stage:APIGatewayStage{id: certificate.stageArn})
-    MERGE (stage)-[r:HAS_CERTIFICATE]->(c)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
+    Transform API Gateway Client Certificate data for ingestion
     """
-
-    # neo4j does not accept datetime objects and values. This loop is used to convert
-    # these values to string.
+    cert_data = []
     for certificate in certificates:
         certificate['createdDate'] = str(certificate['createdDate'])
         certificate['expirationDate'] = str(certificate.get('expirationDate'))
-        certificate['stageArn'] = "arn:aws:apigateway:::" + certificate['apiId'] + "/" + certificate['stageName']
-
-    neo4j_session.run(
-        ingest_certificates,
-        certificates_list=certificates,
-        UpdateTag=update_tag,
-    )
-
-
-@timeit
-def _load_apigateway_resources(
-        neo4j_session: neo4j.Session, resources: List, update_tag: int,
-) -> None:
-    """
-    Ingest the API Gateway Resource details into neo4j.
-    """
-    ingest_resources = """
-    UNWIND $resources_list AS res
-    MERGE (s:APIGatewayResource{id: res.id})
-    ON CREATE SET s.firstseen = timestamp()
-    SET s.path = res.path,
-    s.pathpart = res.pathPart,
-    s.parentid = res.parentId,
-    s.lastupdated =$UpdateTag
-    WITH s, res
-    MATCH (rest_api:APIGatewayRestAPI{id: res.apiId})
-    MERGE (rest_api)-[r:RESOURCE]->(s)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
-    """
-
-    neo4j_session.run(
-        ingest_resources,
-        resources_list=resources,
-        UpdateTag=update_tag,
-    )
+        certificate['stageArn'] = f"arn:aws:apigateway:::{certificate['apiId']}/{certificate['stageName']}"
+        cert_data.append(certificate)
+    return cert_data
 
 
-@timeit
-def load_rest_api_details(
-        neo4j_session: neo4j.Session, stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
-        aws_account_id: str, update_tag: int,
-) -> None:
+def transform_rest_api_details(
+    stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
+) -> Tuple[List[Dict], List[Dict], List[Dict]]:
     """
-    Create dictionaries for Stages, Client certificates, policies and Resource resources
-    so we can import them in a single query
+    Transform Stage, Client Certificate, and Resource data for ingestion
     """
     stages: List[Dict] = []
     certificates: List[Dict] = []
     resources: List[Dict] = []
-    policies: List = []
-    for api_id, stage, certificate, resource, policy in stages_certificate_resources:
-        parsed_policy = parse_policy(api_id, policy)
-        if parsed_policy is not None:
-            policies.append(parsed_policy)
+
+    for api_id, stage, certificate, resource, _ in stages_certificate_resources:
         if len(stage) > 0:
             for s in stage:
                 s['apiId'] = api_id
+                s['createdDate'] = str(s['createdDate'])
+                s['arn'] = f"arn:aws:apigateway:::{api_id}/{s['stageName']}"
             stages.extend(stage)
+
+        if certificate:
+            certificate['apiId'] = api_id
+            certificate['createdDate'] = str(certificate['createdDate'])
+            certificate['expirationDate'] = str(certificate.get('expirationDate'))
+            certificate['stageArn'] = f"arn:aws:apigateway:::{api_id}/{certificate['stageName']}"
+            certificates.append(certificate)
+
         if len(resource) > 0:
             for r in resource:
                 r['apiId'] = api_id
             resources.extend(resource)
-        if certificate:
-            certificate['apiId'] = api_id
-            certificates.append(certificate)
 
-    # cleanup existing properties
-    run_cleanup_job(
-        'aws_apigateway_details.json',
+    return stages, certificates, resources
+
+
+@timeit
+def load_rest_api_details(
+    neo4j_session: neo4j.Session, stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
+    aws_account_id: str, update_tag: int,
+) -> None:
+    """
+    Transform and load Stage, Client Certificate, and Resource data
+    """
+    stages, certificates, resources = transform_rest_api_details(stages_certificate_resources)
+
+    load(
         neo4j_session,
-        {'UPDATE_TAG': update_tag, 'AWS_ID': aws_account_id},
+        APIGatewayStageSchema(),
+        stages,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
     )
 
-    _load_apigateway_policies(neo4j_session, policies, update_tag)
-    _load_apigateway_stages(neo4j_session, stages, update_tag)
-    _load_apigateway_certificates(neo4j_session, certificates, update_tag)
-    _load_apigateway_resources(neo4j_session, resources, update_tag)
-    _set_default_values(neo4j_session, aws_account_id)
+    load(
+        neo4j_session,
+        APIGatewayClientCertificateSchema(),
+        certificates,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
+    )
+
+    load(
+        neo4j_session,
+        APIGatewayResourceSchema(),
+        resources,
+        lastupdated=update_tag,
+        AWS_ID=aws_account_id,
+    )
 
 
 @timeit
@@ -353,7 +282,27 @@ def parse_policy(api_id: str, policy: Policy) -> Optional[Dict[Any, Any]]:
 
 @timeit
 def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job('aws_import_apigateway_cleanup.json', neo4j_session, common_job_parameters)
+    """
+    Delete out-of-date API Gateway resources and relationships.
+    Order matters - clean up certificates, stages, and resources before cleaning up the REST APIs they connect to.
+    """
+    logger.info("Running API Gateway cleanup job.")
+
+    # Clean up certificates first
+    cleanup_job = GraphJob.from_node_schema(APIGatewayClientCertificateSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    # Then stages
+    cleanup_job = GraphJob.from_node_schema(APIGatewayStageSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    # Then resources
+    cleanup_job = GraphJob.from_node_schema(APIGatewayResourceSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    # Finally REST APIs
+    cleanup_job = GraphJob.from_node_schema(APIGatewayRestAPISchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
 
 
 @timeit
@@ -362,9 +311,23 @@ def sync_apigateway_rest_apis(
     aws_update_tag: int,
 ) -> None:
     rest_apis = get_apigateway_rest_apis(boto3_session, region)
-    load_apigateway_rest_apis(neo4j_session, rest_apis, region, current_aws_account_id, aws_update_tag)
-
     stages_certificate_resources = get_rest_api_details(boto3_session, rest_apis, region)
+
+    # Extract policies and transform the data
+    policies = []
+    for api_id, _, _, _, policy in stages_certificate_resources:
+        parsed_policy = parse_policy(api_id, policy)
+        if parsed_policy is not None:
+            policies.append(parsed_policy)
+
+    transformed_apis = transform_apigateway_rest_apis(
+        rest_apis,
+        policies,
+        region,
+        current_aws_account_id,
+        aws_update_tag,
+    )
+    load_apigateway_rest_apis(neo4j_session, transformed_apis, region, current_aws_account_id, aws_update_tag)
     load_rest_api_details(neo4j_session, stages_certificate_resources, current_aws_account_id, aws_update_tag)
 
 

cartography/intel/aws/ec2/images.py

@@ -8,8 +8,8 @@ import neo4j
 from botocore.exceptions import ClientError
 
 from cartography.client.core.tx import load
+from cartography.client.core.tx import read_list_of_values_tx
 from cartography.graph.job import GraphJob
-from cartography.intel.aws.ec2 import get_ec2_regions
 from cartography.intel.aws.ec2.util import get_botocore_config
 from cartography.models.aws.ec2.images import EC2ImageSchema
 from cartography.util import aws_handle_regions
@@ -21,22 +21,26 @@ logger = logging.getLogger(__name__)
 @timeit
 def get_images_in_use(neo4j_session: neo4j.Session, region: str, current_aws_account_id: str) -> List[str]:
     get_images_query = """
+    CALL {
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(i:EC2Instance)
-    WHERE i.region = $Region
-    RETURN DISTINCT(i.imageid) as image
-    UNION
+    WHERE i.region = $Region AND i.imageid IS NOT NULL
+    RETURN i.imageid AS image
+    UNION ALL
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(lc:LaunchConfiguration)
-    WHERE lc.region = $Region
-    RETURN DISTINCT(lc.image_id) as image
-    UNION
+    WHERE lc.region = $Region AND lc.image_id IS NOT NULL
+    RETURN lc.image_id AS image
+    UNION ALL
     MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(ltv:LaunchTemplateVersion)
-    WHERE ltv.region = $Region
-    RETURN DISTINCT(ltv.image_id) as image
+    WHERE ltv.region = $Region AND ltv.image_id IS NOT NULL
+    RETURN ltv.image_id AS image
+    }
+    RETURN DISTINCT image;
     """
-    results = neo4j_session.run(get_images_query, AWS_ACCOUNT_ID=current_aws_account_id, Region=region)
-    images = []
-    for r in results:
-        images.append(r['image'])
+    result = read_list_of_values_tx(
+        neo4j_session, get_images_query,
+        AWS_ACCOUNT_ID=current_aws_account_id, Region=region,
+    )
+    images = [str(image) for image in result]
     return images
 
 
@@ -45,39 +49,23 @@ def get_images_in_use(neo4j_session: neo4j.Session, region: str, current_aws_acc
 def get_images(boto3_session: boto3.session.Session, region: str, image_ids: List[str]) -> List[Dict]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     images = []
+    self_images = []
     try:
         self_images = client.describe_images(Owners=['self'])['Images']
-        images.extend(self_images)
-    except ClientError as e:
-        logger.warning(f"Failed to retrieve private images for region - {region}. Error - {e}")
-    try:
-        if image_ids:
-            image_ids = [image_id for image_id in image_ids if image_id is not None]
-            images_in_use = client.describe_images(ImageIds=image_ids)['Images']
-            # Ensure we're not adding duplicates
-            _ids = [image["ImageId"] for image in images]
-            for image in images_in_use:
-                if image["ImageId"] not in _ids:
-                    images.append(image)
-                    _ids.append(image["ImageId"])
-            # Handle cross region image ids
-            if len(_ids) != len(image_ids):
-                logger.info("Attempting to retrieve images from other regions")
-                pending_ids = [image_id for image_id in image_ids if image_id not in _ids]
-                all_regions = get_ec2_regions(boto3_session)
-                clients = {
-                    other_region: boto3_session.client('ec2', region_name=other_region, config=get_botocore_config())
-                    for other_region in all_regions if other_region != region
-                }
-                for other_region, client in clients.items():
-                    for _id in pending_ids:
-                        try:
-                            pending_image = client.describe_images(ImageIds=[_id])['Images']
-                            images.extend(pending_image)
-                        except ClientError as e:
-                            logger.warning(f"Image {id} could not be found at region - {other_region}. Error - {e}")
     except ClientError as e:
-        logger.warning(f"Failed to retrieve public images for region - {region}. Error - {e}")
+        logger.warning(f"Failed retrieve self owned images for region - {region}. Error - {e}")
+    images.extend(self_images)
+    if image_ids:
+        self_image_ids = {image['ImageId'] for image in images}
+        # Go one by one to avoid losing all images if one fails
+        for image in image_ids:
+            if image in self_image_ids:
+                continue
+            try:
+                public_images = client.describe_images(ImageIds=[image])['Images']
+                images.extend(public_images)
+            except ClientError as e:
+                logger.warning(f"Failed retrieve image id {image} for region - {region}. Error - {e}")
     return images
 
 

cartography/intel/aws/ecr.py

@@ -36,7 +36,10 @@ def get_ecr_repository_images(boto3_session: boto3.session.Session, region: str,
     paginator = client.get_paginator('list_images')
     ecr_repository_images: List[Dict] = []
     for page in paginator.paginate(repositoryName=repository_name):
-        ecr_repository_images.extend(page['imageIds'])
+        image_ids = page['imageIds']
+        if image_ids:
+            response = client.describe_images(repositoryName=repository_name, imageIds=image_ids)
+            ecr_repository_images.extend(response['imageDetails'])
     return ecr_repository_images
 
 
@@ -103,7 +106,12 @@ def _load_ecr_repo_img_tx(
         ON CREATE SET ri.firstseen = timestamp()
         SET ri.lastupdated = $aws_update_tag,
             ri.tag = repo_img.imageTag,
-            ri.uri = repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, '')
+            ri.uri = repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, ''),
+            ri.image_size_bytes = repo_img.imageSizeInBytes,
+            ri.image_pushed_at = repo_img.imagePushedAt,
+            ri.image_manifest_media_type = repo_img.imageManifestMediaType,
+            ri.artifact_media_type = repo_img.artifactMediaType,
+            ri.last_recorded_pull_time = repo_img.lastRecordedPullTime
         WITH ri, repo_img
 
         MERGE (img:ECRImage{id: repo_img.imageDigest})

cartography/intel/gcp/__init__.py

@@ -17,21 +17,23 @@ from cartography.intel.gcp import compute
 from cartography.intel.gcp import crm
 from cartography.intel.gcp import dns
 from cartography.intel.gcp import gke
+from cartography.intel.gcp import iam
 from cartography.intel.gcp import storage
 from cartography.util import run_analysis_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
-Resources = namedtuple('Resources', 'compute container crm_v1 crm_v2 dns storage serviceusage')
+Resources = namedtuple('Resources', 'compute container crm_v1 crm_v2 dns storage serviceusage iam')
 
 # Mapping of service short names to their full names as in docs. See https://developers.google.com/apis-explorer,
 # and https://cloud.google.com/service-usage/docs/reference/rest/v1/services#ServiceConfig
-Services = namedtuple('Services', 'compute storage gke dns')
+Services = namedtuple('Services', 'compute storage gke dns iam')
 service_names = Services(
     compute='compute.googleapis.com',
     storage='storage.googleapis.com',
     gke='container.googleapis.com',
     dns='dns.googleapis.com',
+    iam='iam.googleapis.com',
 )
 
 
@@ -112,6 +114,13 @@ def _get_serviceusage_resource(credentials: GoogleCredentials) -> Resource:
     return googleapiclient.discovery.build('serviceusage', 'v1', credentials=credentials, cache_discovery=False)
 
 
+def _get_iam_resource(credentials: GoogleCredentials) -> Resource:
+    """
+    Instantiates a Google IAM resource object to call the IAM API.
+    """
+    return googleapiclient.discovery.build('iam', 'v1', credentials=credentials, cache_discovery=False)
+
+
 def _initialize_resources(credentials: GoogleCredentials) -> Resource:
     """
     Create namedtuple of all resource objects necessary for GCP data gathering.
@@ -126,6 +135,7 @@ def _initialize_resources(credentials: GoogleCredentials) -> Resource:
         container=None,
         dns=None,
         storage=None,
+        iam=_get_iam_resource(credentials),
     )
 
 
@@ -286,6 +296,18 @@ def _sync_multiple_projects(
         logger.info("Syncing GCP project %s for DNS", project_id)
         _sync_single_project_dns(neo4j_session, resources, project_id, gcp_update_tag, common_job_parameters)
 
+    # IAM data sync
+    for project in projects:
+        project_id = project['projectId']
+        logger.info("Syncing GCP project %s for IAM", project_id)
+        iam.sync(
+            neo4j_session,
+            resources.iam,
+            project_id,
+            gcp_update_tag,
+            common_job_parameters,
+        )
+
 
 @timeit
 def get_gcp_credentials() -> GoogleCredentials: