Following gcloud documentation
add an IAM policy binding to an IAM service account
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding
To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:
gcloud iam service-accounts add-iam-policy-binding \
[email protected] \
--member='serviceAccount:[email protected]' \
--role='roles/editor'
add IAM policy binding for a project
https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding
To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:
gcloud projects add-iam-policy-binding \
<PROJECT_ID> \
--member='serviceAccount:[email protected]' \
--role='roles/editor'
add IAM policy binding for an organization
https://cloud.google.com/sdk/gcloud/reference/organizations/add-iam-policy-binding
To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:
gcloud organizations add-iam-policy-binding \
[email protected] \
--member='serviceAccount:[email protected]' \
--role='roles/editor'
Does anyone knows if those 3 commands are actually the same ?
Thanks in advance for your help.
Jonathan.
The addition of grep "name:" to the command reduces the amount of data returned to just the names of the roles. Inspect one of these roles to see the permissions assigned to the role. To view the permissions use gcloud iam roles describe. Try looking at the simple role roles/compute.instanceAdmin. Examine the compute.instanceAdmin predefined role.
To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run: gcloud iam service-accounts add-iam-policy-binding [email protected] --member='serviceAccount:[email protected]' \
You now have the role created and need to bind the user and the role to the project. You will use gcloud projects add-iam-policy-binding to perform the binding. To make this command easier to execute, set a couple of environment variables first; the project id and the user account.
Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources. In Cloud IAM, you grant access to members. Members can be of the following types: Read more about these identity types here. In this lab we will use Google accounts, service accounts, and Cloud Identity domain groups.
You have to read the command like this
gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
The confusion comes from the duality of the service account (no quantum stuff, I promise!). Service account can be an identity and a resource.
You can grant someone to be editor on a service account and another one to be viewer of the service account -> Your first example, you grant the service account to be editor on itself. For example, it will be able to update its own description.
In your 2 other examples, you grant your service account (as an identity) to be editor on the resource project (all the resources of the project, the service account itself if it belong to this project) and organisation.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With