35

I want to create a service account on GCP using a python script calling the REST API and then give it specific roles - ideally some of these, such as roles/logging.logWriter.

First I make a request to create the account which works fine and I can see the account in Console/IAM.
Second I want to give it the role and this seems like the right method. However, it is not accepting roles/logging.logWriter, saying HttpError 400, "Role roles/logging.logWriter is not supported for this resource."
Conversely, if I set the desired policy in console, then try the getIamPolicy method (using the gcloud tool), all I get back is response etag: ACAB, no mention of the actual role I set. Hence I think these roles refer to different things.

Any idea how to go about scripting a role/scope for a service account using the API?

Nakilon
Robert Lacok
  • Quick note: If you don't have some sort of global roles, usually, set the roles for the thing ("principal")(service account here) in the permissions of the target (e.g. in Edit access of a bucket) - **don't get confused** - the service account itself has permissions section but those are permission to "manage/view" the service account itself, ***not*** service account's permissions to other stuff :-) – jave.web Aug 22 '23 at 16:16

2 Answers

33

You can grant permissions to a GCP service account in a GCP project without having to rewrite the entire project policy!

Use the gcloud projects add-iam-policy-binding ... command for that (docs).

For example, given the environment variables GCP_PROJECT_ID and GCP_SVC_ACC the following command grants all privileges in the container.admin role to the chosen service account:

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
    --member=serviceAccount:${GCP_SVC_ACC} \
    --role=roles/container.admin

To review what you've done:

$ gcloud projects get-iam-policy $GCP_PROJECT_ID \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:${GCP_SVC_ACC}"

Output:

ROLE
roles/container.admin

(or more roles, if those were granted before)

Notes:

  • The environment variable GCP_SVC_ACC is expected to contain the email notation for the service account.
  • Kudos to this answer for the nicely formatted readout.
Dr. Jan-Philip Gehrcke
7

You appear to be trying to set a role on the service account (as a resource). That's for setting who can use the service account.

If you want to give the service account (as an identity) a particular role on the project and its resources, see this method: https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy

Rob Kochman
  • One should be extremely careful, the page starts with the following: Sets the IAM access control policy for the specified Project. **Overwrites any existing policy.** – Ben Aug 09 '19 at 04:45
  • Yes, get the existing policy first, modify it, then write it. – Rob Kochman Aug 10 '19 at 05:17
  • Still, wouldn't it be advisable to set serviceAccounts that would receive other serviceAccounts/users (the first sentence of your answer)? This full overwrite feels extreme, a mistake can screw your whole project. To be honest, I'm finding it hard to understand those two correctly on gcloud; compared, let's say, to aws, where groups/users are more understandable. Feels safer, you can toggle a user from a group. May I ask you if a comparable pattern exists on gcloud? – Ben Aug 10 '19 at 09:07
  • @ben were you able to do it in a safer way? – Utkarsh Sharma Mar 29 '20 at 09:54
  • Nope; gave up and went further on aws – Ben Mar 29 '20 at 09:56
  • // , I got the same error when trying to GET the associated role. I run into this BS any time I try to use GCP without Terraform. `gcloud` has a looooot of little gotchas. – Nathan Basanese May 06 '20 at 20:16
  • // , `ACAB` is some real trash as far as UX. If GCP were actually popular I'd nominate it as this generation of DevOps' `PC Load Letter` https://www.youtube.com/watch?v=Mw-8oEO8bZo – Nathan Basanese May 06 '20 at 20:18
  • Using `projects add-iam-policy-binding` seems to be a less risky, more viable, easier to use solution to the given problem. I have added a new answer, please review! – Dr. Jan-Philip Gehrcke Dec 10 '20 at 15:49