问题
In the google cloud gui console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.
I then ran this command:
gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com
and saw this output:
etag: ACAB
According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".
How do I list the roles associated with a service account?
回答1:
In Google Cloud you have IAM policies for projects and for service accounts.
With IAM policies for the project you define who can perform a specific action on a resource in your Google Cloud project. Adding the ´Viewer´ Role to your service account you modified the project policy (i.e. what your service account can do inside the project)
On the other hand the IAM policies for service accounts is used to control who has the ownership and who can access to the service accounts and their settings. This is what you were retrieving with the command you posted, but you were not obtaining anything as you were getting the policy for the service account instead of the one for the project.
In order to get the IAM policy for the project that will contain the members and their corresponding roles you can run the following command:
gcloud projects get-iam-policy PROJECT_ID
You can find further information about service accounts in the following links:
https://cloud.google.com/iam/docs/service-accounts
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
回答2:
To filter on a specific service account, the following gcloud commmand does the trick:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"
Gives the nice output:
ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer
The format param can of course be tweaked to suit your specific needs.
来源:https://stackoverflow.com/questions/47006062/how-do-i-list-the-roles-associated-with-a-gcp-service-account