如何列出与 gcp 服务帐户关联的角色?

在 Google Cloud gui 控制台中,我进入“ IAM & admin”> “ Service account”,并创建了一个名为“ my-Service-account”的服务帐户,其中包含查看者角色。

然后我运行这个命令:

gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com

看到了这个输出:

etag: ACAB

根据文档,这意味着这个服务帐户没有与之相关的策略。所以我给它分配了一个“角色”,这个角色不包括在它的“策略”中。

如何列出与服务帐户关联的角色?

编辑: 由于这个问题的出色的答案,我现在可以循环所有的项目,并得到我想要的。因此,根据您使用的这些 cmd 工具的版本,这里应该列出跨所有项目的单个服务帐户的所有角色绑定:

gcloud projects list | \
awk '{print $1}' | \
xargs -I % sh -c "echo ""; echo project:% && \
gcloud projects get-iam-policy % \
--flatten='bindings[].members' \
--format='table(bindings.role)' \
--filter='bindings.members:YOU-SERVICE-ACCOUNT@blah.com' \
;"
67871 次浏览
小开

In Google Cloud you have IAM policies for projects and for service accounts.

With IAM policies for the project you define who can perform a specific action on a resource in your Google Cloud project. Adding the ´Viewer´ Role to your service account you modified the project policy (i.e. what your service account can do inside the project)

On the other hand the IAM policies for service accounts is used to control who has the ownership and who can access to the service accounts and their settings. This is what you were retrieving with the command you posted, but you were not obtaining anything as you were getting the policy for the service account instead of the one for the project.

In order to get the IAM policy for the project that will contain the members and their corresponding roles you can run the following command:

gcloud projects get-iam-policy PROJECT_ID

You can find further information about service accounts in the following links:

https://cloud.google.com/iam/docs/service-accounts

https://cloud.google.com/iam/docs/granting-roles-to-service-accounts

小开
最佳答案

To filter on a specific service account, the following gcloud commmand does the trick:

gcloud projects get-iam-policy <YOUR GCLOUD PROJECT>  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"

Gives the nice output:

ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer

The format param can of course be tweaked to suit your specific needs.

小开

You can use this command to list resources and roles assigned to a service account:

gcloud beta asset search-all-iam-policies --scope=organizations/123 --query="policy:456@cloudservices.gserviceaccount.com" | egrep "role:|resource:|gserviceaccount"

You can change scope to a folder or a project as long as you have the cloudasset.assets.searchAllIamPolicies permission upon the scope.

More details: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

小开

To see roles per service account in the console:

  1. Copy the email of your service account (from IAM & Admin -> Service Accounts - Details);
  2. Go to: IAM & Admin -> Policy Analyzer -> Custom Query;
  3. Set Parameter 1 to Principal. Paste the email into Principal field;
  4. Click Continue, then click Run Query.

You'll get the list of roles of the given service account.


提交答案