
From: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts

running this command:

gcloud iam service-accounts get-iam-policy \
    mysa@my-project.iam.gserviceaccount.com

I get:

gcloud iam service-accounts get-iam-policy mysa@my-project.iam.gserviceaccount.com
ERROR: (gcloud.iam.service-accounts.get-iam-policy) PERMISSION_DENIED: Permission iam.serviceAccounts.getIamPolicy is required to perform this operation on service account projects/-/serviceAccounts/mysa@my-project.iam.gserviceaccount.com

But I do have the iam.serviceAccounts.getIamPolicy permission on the current user (role Owner)?

Chris G.

1 Answer

The problem was with the email member (Service Account email) added to the project in IAM users.

When I deleted this (SA member) in IAM, it worked, giving "etag: ACAB" as a result.

I need to figure out what that is, but it worked. Just found this.

This account should maybe have been deleted automatically when deleting a Service Account - but what do I know :-)

Chris G.
    `etag: ACAB` means that you have not assigned a role to the service account yet - [link](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#viewing-roles) – Deniss T. Jan 07 '20 at 14:20
  • @DenisT. - That is not correct. The `ACAB` is a token that is used to track updates and does not represent an empty service account role list. When you modify the roles, the tag will change. If you try to update the roles with an incorrect tag, the request will fail. – John Hanley Jan 07 '20 at 14:50
  • Thanks, John. That's right, the output will show only an `etag` value if you haven't assigned a role to the service account. – Deniss T. Jan 07 '20 at 15:01
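The comment thread above turns on what the `etag` is for. As an added illustration (not code from this page, from Google's client libraries, or from the gcloud CLI), here is a toy in-memory model of the getIamPolicy/setIamPolicy read-modify-write cycle: a policy with no bindings still carries an etag, and a write that presents a stale etag is rejected. The store class, the hash-derived etag and the binding contents are assumptions made for the example.

```python
import hashlib
import json


class ServiceAccountPolicyStore:
    """Toy model of getIamPolicy/setIamPolicy with etag-based concurrency.

    Assumptions (not the real IAM API): the etag is derived from the
    bindings, and a write whose etag does not match the stored policy
    is rejected, which is the behaviour described in the comments.
    """

    def __init__(self):
        # Constructed sample: the service account from the question, no bindings yet.
        self._bindings = {"mysa@my-project.iam.gserviceaccount.com": []}

    @staticmethod
    def _etag(bindings):
        blob = json.dumps(bindings, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()[:8]

    def get_iam_policy(self, sa_email):
        bindings = self._bindings[sa_email]
        policy = {"etag": self._etag(bindings)}
        if bindings:  # with no bindings, only the etag is returned
            policy["bindings"] = [dict(b) for b in bindings]
        return policy

    def set_iam_policy(self, sa_email, policy):
        current = self._bindings[sa_email]
        if policy.get("etag") != self._etag(current):
            # Stale read: someone else changed the policy in between.
            raise RuntimeError("ABORTED: etag mismatch, re-read the policy and retry")
        self._bindings[sa_email] = [dict(b) for b in policy.get("bindings", [])]
        return self.get_iam_policy(sa_email)


def add_binding(store, sa_email, role, member):
    """Safe read-modify-write: reuse the etag returned by the read."""
    policy = store.get_iam_policy(sa_email)
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return store.set_iam_policy(sa_email, policy)
```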