How to get all roles/permissions that a service account have for a project and organization in GCP through API

Question

I have a service account which belongs to a project. It have some roles/permissions set at the project level as well as some roles/permissions set at organization level.

I need to get list of all permissions/roles that the service account is granted.

On searching I found "Identity and Access Management (IAM) API" documentation which have API that will list all resources that have access to the service account and the roles set to the resources. What I need is the reverse. I want to get all roles that the service account have on other resources (in my case project and the organization).

In that document it is mentioned "projects.serviceAccounts.getIamPolicy() method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method." But to get organization level permissions, the service account do not have permission to do the API call.

Is there any other way to get all roles a service account have on a project and organization.

Answer 1

You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.

To find out which roles a service account has in an organization:

gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:[email protected]"

To learn more, see the other post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

Answer 2

Is there any other way to get all roles a service account have on a project and organization.

At this time, you will need to manually check all resources everywhere.

A service account is an identity. An identity can be granted permissions to resources both in your project/organization but in other projects/organizations. This includes resources such as Cloud Storage objects, KMS keys, services such as Cloud Run, etc. These permissions are tracked at the resource level but not at the identity level.

Typically administrators grant an IAM member permissions (roles) at the project level. However, permissions can also be granted at the resource level, i.e. a single cloud storage object or a KMS key. Checking the project/organization permissions will not show resource-level permissions (projects are just another resource).