jamiet

Reputation: 12224

Can I get a list of all resources for which a user has been added to a role?

I'm wondering if there is a way to get a list of all roles to which a user has been added, regardless of which resource the role is applied to?

e.g. I can get a list of all members of roles/storage.admin on a bucket and I can get a list of all members of the same role but on a project:

gsutil iam get $BUCKET | jq '.bindings[] | select(.role == "roles/storage.admin")'  
gcloud projects get-iam-policy $PROJECT --format=json | jq '.bindings[] | select(.role == "roles/storage.admin")'

But it seems there is no single command to tell you which roles a user has been added to and which resource the role is applied to. Does anyone know a way of doing this?

Upvotes: 3

Views: 426

Answers (1)

John Hanley

Reputation: 81336

Roles are not assigned directly to users. This is why there is no single command that you can use.

IAM members (users, service accounts, groups, etc.) are added to resources with roles attached. A user can have permissions to a project and also have permissions at an individual resource (Compute Engine Instance A, Storage Bucket A/Object B). A user can also have no permissions to a project but have permissions at individual resources in the project.

You will need to run a command against resources (Org, Folder, Project and items like Compute, Storage, KMS, etc.).

To further complicate this, there are granted roles and also inherited roles.

Upvotes: 3
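As an added example (not from the question or the answer), the following Python script does the aggregation the answer describes: it takes IAM policies already fetched per resource, walks the resource hierarchy, and lists for one user (plus the groups they belong to) which roles are granted directly on each resource and which are inherited from an ancestor. The policies, resource names and hierarchy below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample policies in the JSON shape returned by
# `gcloud ... get-iam-policy --format=json` and `gsutil iam get` (assumption:
# the policies were fetched beforehand, one per resource, and loaded here).
POLICIES = {
    "organizations/123": {"bindings": [
        {"role": "roles/viewer", "members": ["group:sec-auditors@example.com"]}]},
    "folders/456": {"bindings": [
        {"role": "roles/resourcemanager.folderViewer", "members": ["user:alice@example.com"]}]},
    "projects/demo": {"bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:alice@example.com", "user:bob@example.com"]}]},
    "buckets/demo-logs": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:carol@example.com"]}]},
}
# Constructed hierarchy: child resource -> parent resource (roots are absent).
PARENT = {"folders/456": "organizations/123",
          "projects/demo": "folders/456",
          "buckets/demo-logs": "projects/demo"}


def direct_roles(policies, principals):
    """Roles bound directly on each resource to any of the given principals
    (pass the user plus the groups they belong to, since group grants apply).
    Bindings that carry a `condition` are treated here as unconditional."""
    out = defaultdict(set)
    for resource, policy in policies.items():
        for binding in policy.get("bindings", []):
            if principals & set(binding.get("members", [])):
                out[resource].add(binding["role"])
    return out


def effective_roles(policies, parents, principals):
    """Per resource: {role: resource where it was granted}, walking up the
    hierarchy so inherited grants are included (nearest grant is recorded)."""
    direct = direct_roles(policies, principals)
    result = {}
    for resource in policies:
        roles, node = {}, resource
        while node is not None:
            for role in sorted(direct.get(node, ())):
                roles.setdefault(role, node)
            node = parents.get(node)
        result[resource] = roles
    return result
```

Calling `effective_roles(POLICIES, PARENT, {"user:carol@example.com"})` shows the case the answer mentions: carol has no roles on the project yet holds roles/storage.admin directly on the bucket, which a project-level query alone would miss.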
