 

How do I list the roles associated with a gcp service account?

In the google cloud gui console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.

I then ran this command:

gcloud iam service-accounts get-iam-policy [email protected] 

and saw this output:

etag: ACAB 

According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".

How do I list the roles associated with a service account?

EDIT: Thanks to the excellent answer to this question I can now loop over all projects and get what I want. So, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:

gcloud projects list | \
  awk '{print $1}' | \
  xargs -I % sh -c "echo ""; echo project:% && \
  gcloud projects get-iam-policy % \
    --flatten='bindings[].members' \
    --format='table(bindings.role)' \
    --filter='bindings.members:[email protected]' \
  ;"
red888 asked Oct 29 '17 22:10



1 Answer

To filter on a specific service account, the following gcloud command does the trick:

gcloud projects get-iam-policy <YOUR GCLOUD PROJECT> \
  --flatten="bindings[].members" \
  --format="table(bindings.role)" \
  --filter="bindings.members:<YOUR SERVICE ACCOUNT>"

Gives the nice output:

ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer

The format parameter can of course be tweaked to suit your specific needs.

polve answered Sep 28 '22 02:09
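The same lookup done on the JSON form of the policy that `gcloud projects get-iam-policy PROJECT --format=json` returns, as an added example that is not part of the question or the answer above. It matches the full principal string (`serviceAccount:<email>`) exactly, so a `user:` principal with a look-alike address is not picked up the way the `bindings.members:` substring filter would pick it up, and it reports bindings that carry an IAM condition, which the answer's table output hides. The project IDs, e-mail addresses and policies are constructed sample data.

```python
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: the shape of `gcloud projects get-iam-policy PROJECT --format=json`,
# trimmed to the fields that matter here (bindings, members, optional condition).
SAMPLE_POLICIES: Dict[str, dict] = {
    "proj-a": json.loads("""{
      "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:my-service-account@proj-a.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/cloudtrace.agent",
         "members": ["serviceAccount:my-service-account@proj-a.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:my-service-account@proj-a.iam.gserviceaccount.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
      ], "etag": "BwXYZ", "version": 3}"""),
    "proj-b": json.loads("""{
      "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:other@proj-b.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["serviceAccount:my-service-account@proj-a.iam.gserviceaccount.com"]}
      ], "etag": "BwABC", "version": 3}"""),
}


def roles_for_member(policy: dict, member: str) -> List[Tuple[str, str]]:
    """Return (role, condition title or '') for every binding granting `member`.
    `member` is the full principal, e.g. 'serviceAccount:<email>'; unlike the gcloud
    `bindings.members:` filter this is an exact match, not a substring match."""
    found = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition", {}).get("title", "")
            found.append((binding["role"], condition))
    return sorted(found)


def roles_across_projects(policies: Dict[str, dict], member: str) -> Dict[str, List[Tuple[str, str]]]:
    """The question's per-project loop, run over already-fetched policies; projects
    with no binding for `member` are left out of the result."""
    per_project = {pid: roles_for_member(pol, member) for pid, pol in policies.items()}
    return {pid: roles for pid, roles in per_project.items() if roles}


def fetch_policy(project_id: str) -> dict:
    """Live fetch of one project's policy (same gcloud command as the answer, JSON output).
    Not exercised offline; needs an authenticated gcloud on PATH."""
    raw = subprocess.check_output(["gcloud", "projects", "get-iam-policy", project_id, "--format=json"])
    return json.loads(raw)
```

A conditional binding still counts as a grant; a non-empty condition title in the output is the cue to read the condition expression before treating the role as effective.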