
I'd like to be able to list all users and service accounts associated with my projects (preferably using the gcloud CLI tool, but happy to make an API call if needs be).

I can easily list all the service accounts associated with a project using this, but how can I list all the users too? I'd expect something like the following, but I cannot see anything in the doco:

gcloud beta iam users list
Graham Polley

7 Answers


List all service accounts in a project

The following command lists all service accounts associated with a project:

$ gcloud iam service-accounts list

NAME                                    EMAIL
Compute Engine default service account  12345678-compute@developer.gserviceaccount.com
dummy-sa-1                              dummy-sa-1@MY_PROJECT.iam.gserviceaccount.com

List all Users and Service accounts in a project with their IAM roles

If you would like to list all users/service-accounts who have been granted any IAM roles on a specified project, you can use this command:

$ gcloud projects get-iam-policy MY_PROJECT

bindings:
- members:
  - serviceAccount:12345678-compute@developer.gserviceaccount.com
  - user:alice@foobar.com
  role: roles/editor
- members:
  - user:you@yourdomain.com
  - user:someoneelse@yourdomain.com
  role: roles/owner
etag: ARBITRARY_ETAG_HERE
version: 1

Formatting the output

gcloud supports formatting the output as JSON and a lot of other customizations as needed, which might be easier to parse in certain cases, or to print only the information you need.

Examples:

# Prints the output as json instead of the default yaml format
$ gcloud projects get-iam-policy MY_PROJECT --format=json

# Display just the bindings in json format
$ gcloud projects get-iam-policy MY_PROJECT --format='json(bindings)'

# Display the bindings in a flattened format
$ gcloud projects get-iam-policy MY_PROJECT --format='flattened(bindings)'
Tuxdude
  • I think I found a bug - when using `gcloud projects get-iam-policy MY_PROJECT`, it does not list any users/emails that have permissions that are inherited (e.g. from folders). Or is there something special to do with them? – Graham Polley Jul 17 '17 at 04:41
  • How can you get all users across ALL projects? – james Nov 12 '18 at 15:05
  • @james To get all users in all projects you'd have to list all projects first, and then for each project you'd have to get the bindings for that project using the suggestions above. – lukwam Nov 14 '18 at 05:59
  • @GrahamPolley To get that info, you'd get the ancestry of the project, then you'd get the project's IAM policy bindings, and then you'd get each of its parents' IAM bindings up the tree until the organization. – lukwam Nov 14 '18 at 06:05
  • @lukwam could you share the bash to do that? thanks in advance – james Nov 14 '18 at 13:55
  • While the suggestions work, is there any way of getting the actual users for a project, not grouped by policies? And ideally with more information than just emails. – Vee6 May 29 '19 at 11:36
  • @GrahamPolley To add to what lukwam said... To get the IAM bindings at the org level, a different command must be used. See [Access Control for Organizations](https://cloud.google.com/resource-manager/docs/access-control-org) for implementations. – StockB Jun 17 '19 at 18:10
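Following up on the inheritance discussion in the comments above, here is an added example (not code from any answer on this page) that merges the IAM policies of a project and its ancestors into one member-to-roles view, grouped by principal type, so a grant made at folder or organization level is not missed. It assumes the policies are fetched as JSON with gcloud projects / resource-manager folders / organizations get-iam-policy and that the ancestor chain comes from gcloud projects get-ancestors PROJECT_ID; the folder policy and any member not in the answer's own output are constructed sample data.

```python
"""Effective IAM members of a project, merging policies inherited from its ancestry."""
import json
import subprocess
from collections import defaultdict

def fetch_policy(resource: str) -> dict:
    """IAM policy of "projects/X", "folders/N" or "organizations/N" as parsed JSON."""
    kind, ident = resource.split("/", 1)
    group = {"projects": ["projects"], "folders": ["resource-manager", "folders"],
             "organizations": ["organizations"]}[kind]  # folder commands sit under resource-manager
    out = subprocess.check_output(
        ["gcloud", *group, "get-iam-policy", ident, "--format=json"], text=True)
    return json.loads(out)

def effective_members(policies) -> dict:
    """Collapse (resource, policy) pairs into {member: {(role, granting resource), ...}}.
    A conditional binding is tagged so it is not read as an unconditional grant."""
    grants = defaultdict(set)
    for resource, policy in policies:
        for binding in policy.get("bindings", []):
            role = binding["role"]
            if "condition" in binding:
                role += " (conditional: %s)" % binding["condition"].get("title", "untitled")
            for member in binding.get("members", []):
                grants[member].add((role, resource))
    return dict(grants)

def by_member_type(grants: dict) -> dict:
    """Group principals by prefix (user, serviceAccount, group, domain); allUsers has none."""
    groups = defaultdict(list)
    for member in sorted(grants):
        groups[member.split(":", 1)[0]].append(member)
    return dict(groups)

# Constructed sample: the project policy shown in the answer above plus a folder-level
# grant that `gcloud projects get-iam-policy` on the project alone would not show.
SAMPLE_POLICIES = [
    ("projects/MY_PROJECT", {"bindings": [
        {"role": "roles/editor", "members": [
            "serviceAccount:12345678-compute@developer.gserviceaccount.com",
            "user:alice@foobar.com"]},
        {"role": "roles/owner", "members": [
            "user:you@yourdomain.com", "user:someoneelse@yourdomain.com"]}]}),
    ("folders/111", {"bindings": [
        {"role": "roles/viewer", "members": [
            "group:auditors@yourdomain.com", "user:alice@foobar.com"]}]}),
]
if __name__ == "__main__":  # live: [(r, fetch_policy(r)) for r in the ancestor resources]
    for kind, members in by_member_type(effective_members(SAMPLE_POLICIES)).items():
        print(kind, members)
```

Principals that appear only in an ancestor's policy (here the auditors group) are exactly the ones a project-level query misses; the conditional tag keeps time- or resource-limited grants from being mistaken for standing access.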

list service accounts

$ gcloud iam service-accounts list

list members of roles for the project

$ gcloud projects get-iam-policy [project]

add/assign a user to a role

$ gcloud projects add-iam-policy-binding [project] \
--member="user:name@gmail.com" \
--role="roles/iam.serviceAccountUser" 

Remove user:

$ gcloud projects remove-iam-policy-binding [project] \
--member="user:name@gmail.com" \
--role="roles/iam.serviceAccountUser"

add/assign a Google group to a role

$ gcloud projects add-iam-policy-binding [project] \
--member="group:my_group@googlegroups.com" \
--role="roles/storage.admin"
niainaLens

Use the following command to get a clear view of all members belonging to a given project:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--flatten="bindings[].members" \
--format="table(bindings.members)"
Mike
JohnBegood

The following command will list all non-service accounts from the entire GCP organization:

gcloud organizations get-iam-policy ORGANIZATION_ID | grep user\: | sort | uniq

To get the organization ID:

gcloud organizations list
Buktop

You can use search-all-iam-policies to list all the IAM policies for a project/folder/organization, and grep the users:

$ gcloud asset search-all-iam-policies --scope=projects/123 | grep user:

This will show you not only the users who are granted roles on the project itself but also the users who are granted roles on sub-resources like Compute instances or BigQuery datasets.

You can change the scope to organizations/123 to search in the entire organization as long as you have the cloudasset.assets.searchAllIamPolicies permission upon the scope.

More details in another post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

Circy

Unfortunately, there is no way to list all users using the

gcloud iam . . .

command tree; however, we are able to list all accounts under a Google Cloud Platform (GCP) project ($GCP_PROJECT_NAME) through the

gcloud projects get-iam-policy

command tree instead:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--flatten="bindings[].members" \
--format="value(bindings.members)" \
--sort-by=bindings.members | uniq

#=>

. . .
serviceAccount:$SOME_SERVICE_ACCOUNT
. . .
user:$SOME_USER
. . .

which includes piping any duplicate results through uniq.

Note: the above command is guaranteed to list all accounts associated with $GCP_PROJECT_NAME because every account has to have at least one role:

gcloud projects add-iam-policy-binding $ANOTHER_USER \
--member="user:${ANOTHER_USER}"

#=>

ERROR: (gcloud.projects.add-iam-policy-binding) argument --role: Must be specified.

If necessary, we can make use of the .flatten(), .slice() and .split() gcloud projections to get rid of the serviceAccount: and user: prefixes:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--flatten="bindings[].members" \
--format="value(bindings.members.split(':').slice(1:).flatten())" \
--sort-by=bindings.members | uniq

#=>

. . .
$SOME_SERVICE_ACCOUNT
. . .
$SOME_USER
. . .

More on gcloud projections here.

We can also filter this result using the --filter flag:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--filter="user" \
--flatten="bindings[].members" \
--format="value(bindings.members.split(':').slice(1:).flatten())" \
--sort-by=bindings.members | uniq

#=>

. . .
$SOME_USER
. . .

and:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--filter="serviceAccount" \
--flatten="bindings[].members" \
--format="value(bindings.members.split(':').slice(1:).flatten())" \
--sort-by=bindings.members | uniq

#=>

. . .
$SOME_SERVICE_ACCOUNT
. . .
Mike

If you are searching for one user among multiple projects, you can also use this script:

# Loop over every project visible to the current account and grep its IAM policy
for i in $(gcloud projects list | awk '/PROJECT_ID:/ {print $2}'); do
  echo ">> checking $i"
  gcloud projects get-iam-policy "$i" | grep -i YOURUSER
done
mati kepa