pkaramol

Reputation: 19312

GCP: List grantable roles per resource

I am going through a Qwiklabs tutorial on GCP IAM.

At some point, it mentions that

Use the gcloud iam list-grantable-roles command to return a list of all roles that can be applied to a given resource.

However the example cited lists the grantable roles by going throughout the entire project:

gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$DEVSHELL_PROJECT_ID

Is there a way to run the above command but only on a specific resource, say Stackdriver or BigQuery?

Upvotes: 0

Views: 1193

Answers (1)

John Hanley

Reputation: 81336

Is there a way to run the above command but only on a specific resource, say Stackdriver or BigQuery?

Yes. From the following examples, you should notice a naming pattern.

This link is Google's document on resource naming.

If you want to go deeper than the project then you must specify an actual resource. You cannot just specify BigQuery, you must specify the dataset in BigQuery. For Stackdriver you must specify an actual log name.

For some resources, gcloud provides the command-line option --uri. This will display the resource name:

gcloud compute instances list --uri

Note: The command line option --uri is not supported for all commands. Neither Logging nor BigQuery support --uri.

Compute Engine:

gcloud iam list-grantable-roles //compute.googleapis.com/projects/[PROJECT_ID]/zones/[ZONE]/instances/[VM_NAME]

BigQuery:

gcloud iam list-grantable-roles //bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]

Stackdriver Logging:

gcloud iam list-grantable-roles //logging.googleapis.com/projects/[PROJECT_ID]/logs/cloudbuild

Upvotes: 1
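The naming pattern from the answer, turned into a small audit script (an added example, not part of the original answer): a helper assembles the full resource name from service, project and resource path, checks its shape before handing it to gcloud, and queries grantable roles for several resources in one pass. It assumes gcloud is installed and authenticated; the zone, VM and dataset values are placeholders.

```shell
#!/bin/sh
# Added example: build full resource names in the form
#   //<service>.googleapis.com/projects/<project>/<resource path>
# and list the roles grantable on each (requires gcloud and an authenticated account).

# Assemble a full resource name from its three parts.
resource_name() {
  service="$1"; project="$2"; path="$3"
  printf '//%s.googleapis.com/projects/%s/%s' "$service" "$project" "$path"
}

# Reject anything that does not look like a full resource name; returns 1 on a bad shape.
valid_resource_name() {
  case "$1" in
    //*.googleapis.com/projects/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the grantable role names for one resource (names only, via gcloud's --format flag).
list_grantable() {
  name="$(resource_name "$@")"
  valid_resource_name "$name" || { echo "bad resource name: $name" >&2; return 1; }
  echo "== $name"
  gcloud iam list-grantable-roles "$name" --format='value(name)'
}

# Only call gcloud when a project id is passed on the command line; otherwise just define helpers.
if [ -n "${1:-}" ]; then
  project="$1"
  list_grantable compute  "$project" "zones/us-central1-a/instances/my-vm"  # placeholder zone and VM
  list_grantable bigquery "$project" "datasets/my_dataset"                 # placeholder dataset
  list_grantable logging  "$project" "logs/cloudbuild"
fi
```

Run it as `sh script.sh PROJECT_ID` to see which roles each resource type accepts; comparing that list against the roles actually bound on the resource is a quick least-privilege check.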
