bthe0

Reputation: 1434

How to set service account permission from IAM api

I am trying to set admin permissions on a Google Cloud Platform generated account. Right now, I am getting the service account from:

https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/list

But I am not sure how to proceed after getting this information.

Thank you very much

Upvotes: 0

Views: 124

Answers (1)

LundinCast

Reputation: 9810

You'll be able to add permissions to a service account by retrieving the current permissions policy for your project from the API, modifying the policy and applying the new policy.

First, you'll get your project's permissions policy by calling:

POST https://cloudresourcemanager.googleapis.com/v1beta1/projects/$your-project-id:getIamPolicy

You'll get the policy in the response, for example:

{
    "bindings": [
    {
        "role": "roles/editor",
        "members": [
          "serviceAccount:[email protected]"
        ]
    },
    {
        "role": "roles/owner",
        "members": [
          "user:[email protected]",
          "user:[email protected]",
          "user:[email protected]"
        ]
    }
    ]
}

If you want to grant the owner role to the service account for this project, you'll just have to modify the policy and write it using setIamPolicy(), like this:

POST https://cloudresourcemanager.googleapis.com/v1/projects/$our-project-123:setIamPolicy

     {
         "policy": {
             "bindings": [
             {
                 "role": "roles/owner",
                 "members": [
                   "user:[email protected]",
                   "user:[email protected]",
                   "user:[email protected]",
                   "serviceAccount:[email protected]"
                 ]
             }
             ]
         }
     }

This call will confirm the newly applied policy in the response. This is documented here.

Upvotes: 1
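
An added example, not part of the answer above: setIamPolicy replaces the project's entire policy, so the request body should carry every binding returned by getIamPolicy, plus its etag, with only the new member merged in. This Python sketch builds that body from a getIamPolicy response; the function names, the etag and the member addresses are constructed for illustration.

```python
import copy
import json


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` bound to `role`.

    Every other binding, the etag and the version are carried over unchanged,
    so writing the result back does not revoke anything that was granted.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # A conditional binding is a separate grant; merge only into the
        # unconditional binding for this role.
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            break
    else:
        # No unconditional binding for this role yet: create one.
        bindings.append({"role": role, "members": [member]})
    return updated


def set_iam_policy_body(policy, role, member):
    """Build the JSON body for POST .../projects/<project-id>:setIamPolicy."""
    return {"policy": add_member(policy, role, member)}


# Constructed sample of a getIamPolicy response (all values are placeholders).
SAMPLE_SA = "serviceAccount:sample-sa@sample-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "CONSTRUCTED_ETAG=",
    "bindings": [
        {"role": "roles/editor", "members": [SAMPLE_SA]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
}

if __name__ == "__main__":
    body = set_iam_policy_body(SAMPLE_POLICY, "roles/owner", SAMPLE_SA)
    print(json.dumps(body, indent=2))
```

Sending the etag back lets the API reject the write if the policy changed between the read and the write.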
