gcloud confusion around add-iam-policy-binding

Following the gcloud documentation:


gcloud iam service-accounts

add an IAM policy binding to an IAM service account

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:

gcloud iam service-accounts add-iam-policy-binding \
 [email protected] \
 --member='serviceAccount:[email protected]' \
 --role='roles/editor'

gcloud projects add-iam-policy-binding

add IAM policy binding for a project

https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:

gcloud projects add-iam-policy-binding \
 <PROJECT_ID> \
 --member='serviceAccount:[email protected]' \
 --role='roles/editor'

gcloud organizations add-iam-policy-binding

add IAM policy binding for an organization

https://cloud.google.com/sdk/gcloud/reference/organizations/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:

gcloud organizations add-iam-policy-binding \
 [email protected] \
 --member='serviceAccount:[email protected]' \
 --role='roles/editor'

Does anyone know if those 3 commands are actually the same?

Thanks in advance for your help.

Jonathan.

Jonathan Chevalier asked May 18 '20 17:05





1 Answer

You have to read the command like this:

gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>

The confusion comes from the duality of the service account (no quantum stuff, I promise!). A service account can be both an identity and a resource.

You can grant someone to be editor on a service account and another one to be viewer of the service account -> In your first example, you grant the service account to be editor on itself. For example, it will be able to update its own description.

In your 2 other examples, you grant your service account (as an identity) to be editor on the resource project (all the resources of the project, including the service account itself if it belongs to this project) and organisation.

guillaume blaquiere answered Oct 17 '22 03:10

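The resource-versus-identity distinction in the answer, as an added example (not from the question, the answer, or Google's tooling): a local model of the `{"bindings": [{"role": ..., "members": [...]}]}` policy that `add-iam-policy-binding` edits, with the three commands from the question applied to it. All resource names, the service account address and the user are constructed placeholders; nothing here talks to Google Cloud.

```python
# Added example: a local model of the IAM policy document that
# `gcloud <resourceType> add-iam-policy-binding <resourceName>` read-modify-writes.
# One policy per resource, keyed by (resourceType, resourceName); all values constructed.
from collections import defaultdict

POLICIES = defaultdict(lambda: {"bindings": []})

# Constructed placeholders, not real identities.
SA_EMAIL = "sa@example-project.iam.gserviceaccount.com"
SA_MEMBER = "serviceAccount:" + SA_EMAIL          # the service account used as an identity
ALICE = "user:alice@example.com"

def add_iam_policy_binding(resource_type, resource_name, member, role):
    """Add `member` to the binding for `role` on one resource, creating the
    binding if needed; re-adding an existing member is a no-op, as with gcloud."""
    policy = POLICIES[(resource_type, resource_name)]
    for binding in policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy

def grants_on_resource(resource_type, resource_name):
    """Resource view: who holds which role ON this resource (the service account as a resource)."""
    policy = POLICIES[(resource_type, resource_name)]
    return sorted((m, b["role"]) for b in policy["bindings"] for m in b["members"])

def grants_for_member(member):
    """Identity view: which resources this principal holds roles on (the service account as an identity)."""
    return sorted((rt, rn, b["role"])
                  for (rt, rn), p in POLICIES.items()
                  for b in p["bindings"] if member in b["members"])

# The three commands from the question: same --member and --role, three different resources.
add_iam_policy_binding("iam service-accounts", SA_EMAIL, SA_MEMBER, "roles/editor")   # SA editor on itself
add_iam_policy_binding("projects", "example-project", SA_MEMBER, "roles/editor")     # SA editor on the project
add_iam_policy_binding("organizations", "123456789012", SA_MEMBER, "roles/editor")   # SA editor on the org
# Someone else granted a role on the service account as a resource (the answer's "viewer of the service account").
add_iam_policy_binding("iam service-accounts", SA_EMAIL, ALICE, "roles/viewer")

if __name__ == "__main__":
    print("on the service account:", grants_on_resource("iam service-accounts", SA_EMAIL))
    print("held by the service account:", grants_for_member(SA_MEMBER))
```

`grants_on_resource` answers "who can act on this service account", while `grants_for_member` answers "what can this service account act on"; the first command changes only the former, the other two only the latter.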