iam.py: add support for groups

[schweikert]

Currently iam.py can't resolve IAM groups so for example if a service account is given certain permissions via a group, that won't be detected properly.

[kaushik853]

Hi David, Is the steps to solve this will be like

1. list the groups in the project
2. determine the permission associated with the group email id
3. determine the members of the group
4. if they have admin/editor role/permissions
   Are my steps are correct or can you suggest any thing else

[ebenezergraham]

@kaushik853 I believe you the best way will be getting the groups from Cloud Identity not the project. Project groups are for cloud monitoring.

An alternative is using Asset inventory Search feature but haven't explored this much.

[kaushik853]

@ebenezergraham i was checking in project iam and i could see the group vs role mapping. to see memship i do need to go to cloud identity, that was my thought, let me know if something else. I will also try to explore asset inv.

[ebenezergraham]

Sounds good, Feel free to implement,test and submit your code for review.