118

In the Google Cloud GUI console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.

I then ran this command:

gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com

and saw this output:

etag: ACAB

According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".

How do I list the roles associated with a service account?

EDIT: Thanks to the excellent answer to this question I can now loop over all projects and get what I want. So, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:

gcloud projects list | \
  awk '{print $1}' | \
  xargs -I % sh -c "echo ""; echo project:% && \
  gcloud projects get-iam-policy % \
  --flatten='bindings[].members' \
  --format='table(bindings.role)' \
  --filter='bindings.members:YOU-SERVICE-ACCOUNT@blah.com' \
  ;"
red888
  • I'd think you missed a small flag on line 1 of your answer. A more perfect line 1 should be: "gcloud projects list --format='value(projectId)' | \". The "--format" flag gets rid of the unnecessary header row. Furthermore, I personally find `foreach` to be more readable. So, an alternate solution is `foreach PROJECT in $(gcloud projects list --format='value(projectId)'); do echo "${PROJECT}:"; gcloud projects get-iam-policy ${PROJECT} --flatten='bindings[].members' --format='table(bindings.role)' --filter='bindings.members:YOU-SERVICE-ACCOUNT@blah.com'; done` – Vincent Yin Feb 27 '23 at 20:12

4 Answers

198

To filter on a specific service account, the following gcloud command does the trick:

gcloud projects get-iam-policy <YOUR GCLOUD PROJECT>  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"

Gives the nice output:

ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer

The format param can of course be tweaked to suit your specific needs.

polve
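The per-project filtering that the command above performs, and that the question's edited loop repeats across projects, as an added Python example (not code from either post): it consumes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns (constructed sample policies here, including an etag-only policy like the one the question saw on the service account itself) and lists the roles bound to one member per project. Project names, etags and the condition are made up; the match is exact on the IAM member string rather than gcloud's `:` "has" match.

```python
from collections import defaultdict

# Constructed sample of what `gcloud projects get-iam-policy PROJECT --format=json`
# returns for three projects. "proj-empty" mirrors the etag-only policy from the
# question: no "bindings" key at all, i.e. nothing is granted on that resource.
SA = "serviceAccount:my-service-account@mydomain.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "proj-alpha": {
        "version": 1, "etag": "BwXyz",
        "bindings": [
            {"role": "roles/viewer", "members": [SA, "user:alice@example.com"]},
            {"role": "roles/cloudtrace.agent", "members": [SA]},
        ],
    },
    "proj-beta": {
        "version": 3, "etag": "BwAbc",
        "bindings": [
            {"role": "roles/editor", "members": ["user:alice@example.com"]},
            {"role": "roles/storage.objectViewer", "members": [SA],
             "condition": {"title": "logs-bucket-only",
                           "expression": 'resource.name.startsWith("projects/_/buckets/logs")'}},
        ],
    },
    "proj-empty": {"etag": "ACAB"},
}


def normalise_member(member: str) -> str:
    """Accept a bare service-account email or a full IAM member string."""
    return member if ":" in member else f"serviceAccount:{member}"


def roles_for_member(policies: dict, member: str) -> dict:
    """Map project -> list of (role, condition title or None) granted to `member`.

    Same result as the --flatten/--filter command run per project, except that
    conditional bindings are surfaced: table(bindings.role) alone would hide
    that a grant only applies under a condition.
    """
    target = normalise_member(member)
    found = defaultdict(list)
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):   # missing key == no grants
            if target in binding.get("members", []):
                cond = binding.get("condition", {}).get("title")
                found[project].append((binding["role"], cond))
    return dict(found)


if __name__ == "__main__":
    for project, grants in roles_for_member(SAMPLE_POLICIES, SA).items():
        print(f"project:{project}")
        for role, cond in grants:
            print(f"  {role}" + (f"  (condition: {cond})" if cond else ""))
```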
44

In Google Cloud you have IAM policies for projects and for service accounts.

With IAM policies for the project you define who can perform a specific action on a resource in your Google Cloud project. By adding the 'Viewer' role to your service account you modified the project policy (i.e. what your service account can do inside the project).

On the other hand, the IAM policies for service accounts are used to control who has ownership of and who can access the service accounts and their settings. This is what you were retrieving with the command you posted, but you were not obtaining anything because you were getting the policy for the service account instead of the one for the project.

In order to get the IAM policy for the project that will contain the members and their corresponding roles you can run the following command:

gcloud projects get-iam-policy PROJECT_ID

You can find further information about service accounts in the following links:

https://cloud.google.com/iam/docs/service-accounts

https://cloud.google.com/iam/docs/granting-roles-to-service-accounts

GalloCedrone
  • Can service accounts span projects? Is there some feature that would let me query the service account and view its access (instead of the reverse like with your command example)? – red888 Apr 04 '18 at 16:54
  • By "span projects" do you mean create a new one? To create a project it is not enough to be the owner of a project, so I am not sure about it; I will test tomorrow. The second answer is yes, it is possible: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/get-iam-policy gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT @red888 – GalloCedrone Apr 04 '18 at 17:45
  • Yes I believe that is possible with the permission resourcemanager.projects.create https://cloud.google.com/resource-manager/docs/access-control-proj – GalloCedrone Apr 04 '18 at 17:54
  • `gcloud project` is named `gcloud projects` now. – Nicolai S May 03 '18 at 10:55
9

You can use this command to list resources and roles assigned to a service account:

gcloud beta asset search-all-iam-policies --scope=organizations/123 --query="policy:456@cloudservices.gserviceaccount.com" | egrep "role:|resource:|gserviceaccount"

You can change scope to a folder or a project as long as you have the cloudasset.assets.searchAllIamPolicies permission upon the scope.

More details: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

Circy
5

To see roles per service account in the console:

  1. Copy the email of your service account (from IAM & Admin -> Service Accounts - Details);
  2. Go to: IAM & Admin -> Policy Analyzer -> Custom Query;
  3. Set Parameter 1 to Principal. Paste the email into Principal field;
  4. Click Continue, then click Run Query.

You'll get the list of roles of the given service account.

Thomas Brooks