I know that I can do it via the UI (Cloud Console), and that I can also assign a role. However, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?
You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the gcloud CLI you can create a custom role with gcloud iam roles create, i.e.:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer, for the project ID example-project-id-1, containing only the permission storage.buckets.get. Replace these values as desired and accordingly.
Once done, you can assign this custom role also with a single gcloud command by using gcloud projects add-iam-policy-binding:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:[email protected]' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1 with your project ID, and [email protected] with the actual name of the service account you want to assign the role to.
You most likely don't want to assign a single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick an existing one, or create your own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.