I'd like to be able to list all users and service accounts associated with my projects (preferably using the gcloud CLI tool, but happy to make an API call if needs be).
I can easily list all the service accounts associated with a project using this, but how can I list all the users too? I'd expect something like the following, but I cannot see anything in the doco:
gcloud beta iam users list
List all service accounts in a project
The following command lists all service accounts associated with a project:
$ gcloud iam service-accounts list
NAME EMAIL
Compute Engine default service account 12345678-compute@developer.gserviceaccount.com
dummy-sa-1 dummy-sa-1@MY_PROJECT.iam.gserviceaccount.com
List all Users and Service accounts in a project with their IAM roles
If you would like to list all users/service-accounts who have been granted any IAM roles on a specified project, you can use this command:
$ gcloud projects get-iam-policy MY_PROJECT
bindings:
- members:
- serviceAccount:12345678-compute@developer.gserviceaccount.com
- user:alice@foobar.com
role: roles/editor
- members:
- user:you@yourdomain.com
- user:someoneelse@yourdomain.com
role: roles/owner
etag: ARBITRARY_ETAG_HERE
version: 1
Formatting the output
gcloud supports formatting the output as json and a lot of other customizations as needed, which might be easier to parse in certain cases or print only the information you need.
Examples:
# Prints the output as json instead of the default yaml format
$ gcloud projects get-iam-policy MY_PROJECT --format=json
# Display just the bindings in json format
$ gcloud projects get-iam-policy MY_PROJECT --format='json(bindings)'
# Display the bindings in a flattened format
$ gcloud projects get-iam-policy MY_PROJECT --format='flattened(bindings)'
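An added example (not from the question or any of the answers): a Python script that parses the JSON form of the policy shown above, inverts the bindings so each user, serviceAccount and group member is listed once with all of its roles, and calls out members holding a basic role. The sample policy is constructed from the values on this page, not real gcloud output.

```python
import json
from collections import defaultdict

# Constructed sample policy in the JSON shape that
# `gcloud projects get-iam-policy MY_PROJECT --format=json` prints (not real output).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:12345678-compute@developer.gserviceaccount.com",
                     "user:alice@foobar.com"]},
        {"role": "roles/owner",
         "members": ["user:you@yourdomain.com", "user:someoneelse@yourdomain.com"]},
        {"role": "roles/storage.admin",
         "members": ["group:my_group@googlegroups.com", "user:alice@foobar.com"]},
    ],
})

# Basic roles grant broad project-wide access, so an access review calls them out.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def members_by_type(policy_json):
    """Invert bindings into {member_type: {identity: sorted roles}}.
    A member such as 'user:alice@foobar.com' is split on its first ':'."""
    policy = json.loads(policy_json)
    out = defaultdict(lambda: defaultdict(set))
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            kind, _, identity = member.partition(":")
            out[kind][identity].add(binding["role"])
    return {k: {i: sorted(r) for i, r in v.items()} for k, v in out.items()}

def basic_role_holders(policy_json):
    """Sorted (member, role) pairs for every member holding a basic role."""
    policy = json.loads(policy_json)
    found = set()
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding.get("members", []):
                found.add((member, binding["role"]))
    return sorted(found)

if __name__ == "__main__":
    data = SAMPLE_POLICY  # replace with the --format=json output of the real command
    for kind, members in sorted(members_by_type(data).items()):
        print(f"== {kind} ==")
        for identity, roles in sorted(members.items()):
            print(f"  {identity}: {', '.join(roles)}")
    for member, role in basic_role_holders(data):
        print(f"WARNING: basic role {role} granted to {member}")
```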
list service accounts
$ gcloud iam service-accounts list
list members of roles for the project
$ gcloud projects get-iam-policy [project]
add/affect user to a role
$ gcloud projects add-iam-policy-binding [project] \
--member="user:name@gmail.com" \
--role="roles/iam.serviceAccountUser"
Remove user:
$ gcloud projects remove-iam-policy-binding [project] \
--member="user:name@gmail.com" \
--role="roles/iam.serviceAccountUser"
add/affect google-group to a role
$ gcloud projects add-iam-policy-binding [project] \
--member="group:my_group@googlegroups.com" \
--role="roles/storage.admin"
The following command will list all non-service accounts from the entire GCP organization:
gcloud organizations get-iam-policy ORGANIZATION_ID | grep user\: | sort | uniq
To get the organization ID:
gcloud organizations list
The following command can give a clear view of the MEMBERS of your Project within the GCP account:
gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --format="table(bindings.members)"
Source: https://stackoverflow.com/questions/44746358/how-do-i-list-all-iam-users-for-my-google-cloud-project