39

I am using the Google Cloud Console for this purpose. When I create a service account, I can assign specific roles. But after I create it, I don't see an option to Update Roles of Service Accounts.

I tried to edit the service account, and still no option to add or remove roles. What am I missing here?


John Hanley
Keet Sugathadasa

1 Answer

66

Once you have created a service account, to modify the roles assigned to the project for this identity (the service account), go to "IAM & Admin" then to "IAM" instead of "Service Accounts". Find the service account. Click the pencil icon at the far right. "IAM" is the first entry in the left panel of your screenshot.

Note: You can assign other IAM members with roles to a service account when the service account is a resource. Under "Service Accounts" click the checkbox next to the service account email address. A panel will open. This is the right-side panel in your screenshot. However, in your case, you are using the service account as an identity, so you need to add the roles to the project under the "IAM" section.

John Hanley
  • This helped. Now I see what I was missing. I wish GCP had thought of adding a little bit of redundancy in the console, for functionality. I found it easy on AWS to find my way through, without guides. Thank you for the answer – Keet Sugathadasa May 17 '20 at 06:38
  • I think this changed during the past years. Can one still change roles of an existing service account? – Jari Turkia Nov 06 '20 at 15:32
  • Finally found it! In IAM, there is Edit permissions for a service account. In Service Accounts there is not. – Jari Turkia Nov 08 '20 at 17:10
  • Not all service accounts can be configured through the interface. For example, use the `gcloud` command-line tool instead of the Cloud Console, because the `firebaserules.system` role is **hidden** in the console by default [Security for server client libraries | Firestore | Google Cloud](https://cloud.google.com/firestore/docs/security/iam#security_rule_dependency_on_iam) – contributorpw Jan 08 '21 at 18:04
  • @contributorpw There is a checkbox in the **IAM** section of the GUI to display Google managed service accounts. Look for **Include Google-provided role grants** near the top right of the page. – John Hanley Aug 20 '21 at 20:22
  • If you initially create the Service Account without any roles, the principal doesn't appear to get created. **(and it doesn't show an entry to edit with pencil)** So you need to go to IAM & Admin > IAM, then click 'Add' (at top), then use the email for the service account for the Principal and add your roles. – aaronvargas Apr 25 '22 at 01:41
  • @aaronvargas - That is correct. If a service account has no roles, it will not appear. Later if you remove a service account's roles, it will be removed as well. The key is that projects have bindings with members. If a project has no bindings for a member (service account) it will not appear in the bindings list (IAM & Admin -> IAM). – John Hanley Apr 25 '22 at 01:55
  • @JohnHanley I have seen some service accounts seemingly "lose" their associated principal, despite having definitely had associated roles at creation. My guess is that this is due to some change with GCP since the SA was created (and since the comments on this answer). – wodow Jul 05 '23 at 11:24
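Added example, not part of the question, answer or comments: a small Python model of the project IAM policy document that `gcloud projects get-iam-policy` returns, showing why a service account with no role bindings is absent from the IAM & Admin > IAM page and how adding or removing a binding changes that. The project name, e-mail addresses and etag are constructed placeholders.

```python
from copy import deepcopy

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# (project name, e-mail addresses and etag are placeholders).
PROJECT_POLICY = {
    "etag": "BwXplaceholder=",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    ],
}

def members(policy):
    """Principals holding at least one binding. The IAM page is built from
    this set, so a service account created without roles is absent there."""
    return sorted({m for b in policy["bindings"] for m in b["members"]})

def roles_for(policy, member):
    """Roles bound to one principal, e.g. 'serviceAccount:<email>'."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])

def add_binding(policy, member, role):
    """Pure-Python equivalent of: gcloud projects add-iam-policy-binding
    PROJECT --member=MEMBER --role=ROLE. Reuses an unconditional binding."""
    new = deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def remove_binding(policy, member, role):
    """Equivalent of gcloud projects remove-iam-policy-binding. Empty bindings
    are dropped, so a principal whose last role is removed disappears again."""
    new = deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new

if __name__ == "__main__":
    sa = "serviceAccount:new-sa@example-project.iam.gserviceaccount.com"
    print(sa in members(PROJECT_POLICY))          # False: nothing bound yet
    granted = add_binding(PROJECT_POLICY, sa, "roles/logging.logWriter")
    print(roles_for(granted, sa))                 # ['roles/logging.logWriter']
```

The same binding shape is used for the policy on the service account as a resource (`gcloud iam service-accounts get-iam-policy SA_EMAIL`), which is the "Note" case in the answer; only the resource the policy is attached to differs.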