
Use Case: I am trying to delete all the roles assigned to a principal inside a GCP project.

As I understand you can't perform that operation directly. I am referring here: https://cloud.google.com/iam/docs/samples/iam-modify-policy-remove-member

To perform this operation, I would need a list of currently assigned roles for a GCP principal. I couldn't find this operation anywhere in Python. Has anyone seen this or know how to perform this operation?

PiaklA
  • You can get the IAM policy on a project, look for the account you want to remove and set IAM policies without this account: https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy If there isn't a client library for that, use the discovery API or the REST API directly – guillaume blaquiere Apr 10 '23 at 19:41
  • IAM roles are assigned at the resource level. You must modify the IAM bindings for the resource. A Google Cloud project is just one of many resources that support IAM bindings. Other examples are Cloud Storage, KMS, the compute services, etc. Each of those resources has an API that provides IAM binding management. Which documentation are you reviewing? – John Hanley Apr 10 '23 at 20:53
  • So I assume an IAM Principal is also a resource (user@email.com). I am trying to find APIs here: https://cloud.google.com/iam/docs/apis that will allow me to list roles for a resource (Principal in this case) – PiaklA Apr 11 '23 at 13:53
  • An IAM Identity (principal) is not a Google Cloud resource type. You must use the APIs for each resource type (project, storage, compute, etc.) if you wish to manage the IAM bindings for an identity. IAM Bindings for a project are part of the Resource Manager API. Example Python code: https://cloud.google.com/iam/docs/write-policy-client-libraries#client-libraries-install-python – John Hanley Apr 11 '23 at 20:28
  • However, IAM roles can be assigned at the PROJECT and at individual resources such as a KMS Key, Cloud Storage object, etc. If an identity has an IAM role binding at both the project and a resource (e.g. Cloud Storage object), removing the role binding at the project will not remove the role at the object resource level. – John Hanley Apr 11 '23 at 20:30
  • Note: A service account identity is an exception. It can be both an identity and a resource. Usage as an identity and as a resource is managed separately. When used as a resource, it supports IAM bindings, just like a project. – John Hanley Apr 11 '23 at 20:41
  • @PiaklA Did you get the answer for your question? If so, please post it as an answer so other community members can also see it. – James S Apr 12 '23 at 20:35

1 Answer


Per @guillaume blaquiere and @John Hanley:

You can get the IAM policy on a project, look for the account you want to remove and set the IAM policies without this account. If there isn't a client library for that, use the discovery API or the REST API directly.

An IAM Identity (principal) is not a Google Cloud resource type. You must use the APIs for each resource type (project, storage, compute, etc.) if you wish to manage the IAM bindings for an identity. IAM Bindings for a project are part of the Resource Manager API. Example Python code. However, IAM roles can be assigned at the PROJECT and at individual resources such as a KMS Key, Cloud Storage object, etc. If an identity has an IAM role binding at both the project and a resource (e.g. Cloud Storage object), removing the role binding at the project will not remove the role at the object resource level.

Note: A service account identity is an exception. It can be both an identity and a resource. Usage as an identity and as a resource is managed separately. When used as a resource, it supports IAM bindings, just like a project.

James S
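The read-modify-write the comments and the answer describe, as an added example that is not code from the question, the answer, or Google's own samples. It works on the JSON form of an IAM policy as returned by `getIamPolicy`: list every binding that names the principal (this is the "list roles for a principal" the question asks for, derived from the policy rather than from any per-principal API, since none exists), then produce the same policy with that principal removed. The sample policy, etag, project id and member names are constructed for illustration. Because the `Policy` schema is shared by projects, buckets, KMS keys and service-account resources, the two pure functions apply unchanged to the per-resource policies that John Hanley points out must be handled separately; only the fetch/set wrapper at the end is project-specific, and it needs `google-api-python-client` plus Application Default Credentials, so the offline demo does not call it.

```python
"""List and revoke every role a principal holds in one IAM policy.

Added example (not the question's, the answer's, or Google's code). Policies
are dicts in the JSON shape returned by getIamPolicy. Sample values are
constructed.
"""
from __future__ import annotations

import copy
from typing import Any

# Constructed sample policy in the JSON form returned by projects.getIamPolicy.
SAMPLE_POLICY: dict[str, Any] = {
    "version": 3,
    "etag": "BwXexampleEtag=",  # constructed placeholder; real etags are opaque
    "bindings": [
        {
            "role": "roles/viewer",
            "members": ["user:alice@example.com", "user:bob@example.com"],
        },
        {
            "role": "roles/editor",
            "members": ["user:bob@example.com"],
        },
        {
            # Conditional binding: only returned when policy version 3 is requested.
            "role": "roles/storage.objectViewer",
            "members": ["user:bob@example.com"],
            "condition": {
                "title": "expires-2023",
                "expression": 'request.time < timestamp("2023-12-31T00:00:00Z")',
            },
        },
        {
            "role": "roles/owner",
            "members": ["serviceAccount:admin-bot@example-project.iam.gserviceaccount.com"],
        },
    ],
}


def roles_for_member(policy: dict[str, Any], member: str) -> list[str]:
    """Return the roles bound to `member`, one entry per binding.

    A role can legitimately appear twice (one unconditional binding and one
    with a condition), so this reports bindings rather than distinct roles.
    """
    return [
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    ]


def remove_member(policy: dict[str, Any], member: str) -> dict[str, Any]:
    """Return a copy of `policy` with `member` removed from every binding.

    Bindings left with no members are dropped. `version` and `etag` are kept
    so the result can be sent straight back to setIamPolicy.
    """
    updated = copy.deepcopy(policy)
    kept: list[dict[str, Any]] = []
    for binding in updated.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding["members"]:
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def revoke_member_on_project(project_id: str, member: str) -> list[str]:
    """Fetch, edit and write back a project policy via the Discovery API.

    Needs google-api-python-client and Application Default Credentials; the
    offline demo below does not call it. Sending back the etag obtained from
    getIamPolicy makes setIamPolicy fail on a concurrent change instead of
    silently overwriting it. Returns the roles that were revoked.
    """
    from googleapiclient import discovery  # imported lazily: only needed online

    crm = discovery.build("cloudresourcemanager", "v1")
    policy = (
        crm.projects()
        .getIamPolicy(resource=project_id, body={"options": {"requestedPolicyVersion": 3}})
        .execute()
    )
    roles = roles_for_member(policy, member)
    if roles:
        crm.projects().setIamPolicy(
            resource=project_id, body={"policy": remove_member(policy, member)}
        ).execute()
    return roles


if __name__ == "__main__":
    target = "user:bob@example.com"
    print("roles held:", roles_for_member(SAMPLE_POLICY, target))
    after = remove_member(SAMPLE_POLICY, target)
    print("bindings after removal:", [b["role"] for b in after["bindings"]])
```

Revoking at the project only clears project-level bindings; to finish the job for a principal that also holds roles directly on a bucket, key or service account, run the same two functions over each of those resources' policies fetched through their own `getIamPolicy`/`setIamPolicy` calls. A service account used as an identity is removed from bindings as `serviceAccount:...`, while the bindings it carries as a resource are a separate policy and are untouched by this.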