How do I list the roles associated with a gcp service account?

Question

In the google cloud gui console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.

I then ran this command:

gcloud iam service-accounts get-iam-policy [email protected] 

and saw this output:

etag: ACAB 

According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".

How do I list the roles associated with a service account?

EDIT: Thanks to the excellent answer to this question I can now loop over all projects and get what I want. so, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:

gcloud projects list | \   awk '{print $1}' | \   xargs -I % sh -c "echo ""; echo project:% && \   gcloud projects get-iam-policy % \   --flatten='bindings[].members' \   --format='table(bindings.role)' \   --filter='bindings.members:[email protected]' \   ;"  

Answer 1

To filter on a specific service account, the following gcloud commmand does the trick:

gcloud projects get-iam-policy <YOUR GCLOUD PROJECT>  \ --flatten="bindings[].members" \ --format="table(bindings.role)" \ --filter="bindings.members:<YOUR SERVICE ACCOUNT>" 

Gives the nice output:

ROLE roles/cloudtrace.agent roles/servicemanagement.serviceController roles/viewer 

The format parameter can of course be tweaked to suit your specific needs.