Reputation: 13587
How do I grant a specific permission to a Cloud IAM service account using the gcloud CLI?
I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?
Upvotes: 30
Views: 46098
Answers (4)
Reputation: 8032
To assign a role that grants permissions to a service account use the following:
gcloud projects add-iam-policy-binding \
<your-project-name-id> \
--member='serviceAccount:service-<1234567890>@compute-system.iam.gserviceaccount.com' \
--role='roles/compute.instanceAdmin.v1'
To find the role that you need with the corresponding permissions check here: https://cloud.google.com/iam/docs/understanding-roles The rule is: be as strict as possible and grant as little permissions as possible for security reasons.
Note: Here the service account is a Google managed service account (service accounts starting with service- that don't appear in the GCP IAM GUI).
Upvotes: 1
Reputation: 15052
Easily grant bucket access permission to a service account
TL;DR
Buckets => three dots menu on the target bucket line => Edit Access
... and no, it's not in the Service account permissions tab...
Step by step
- In the Google Cloud console GUI go to the navigation menu and choose "Cloud Storage" (https://console.cloud.google.com/storage/)
- Choose "Buckets" if not already chosen
- Find the bucket you want to add the permission to
- Open the "More actions"/"three dots" menu on the target bucket row
- Choose "Edit Access" (shows an option to add new and list of existing permissions below)
- Click "Add Principal"
- To "New principals" field add your Service account - you can find its email ID in:
"IAM & Admin" > "Service Accounts" > column "Email" - In the "Assign roles" section, click into the field "Select a role"
- In category "Cloud storage" - choose the most appropriate role
- for the OP's case that's most likely "Storage Object Viewer"
- WARNING: "Storage Object User" CAN: "create, read, update and DELETE objects and multipart uploads in GCS"
- Click "Save", wait for the updated finished success message and you're good to go :-)
Final note: Some people get confused and are trying to set these permissions in the Service account's permission tab - that is wrong - those are permissions to access/manage/view the service account itself! :-)
Upvotes: 3
Reputation: 4441
You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the
gcloudCLI you can create a custom role withgcloud iam roles create, i.e:gcloud iam roles create bucketViewer \ --project example-project-id-1 \ --title "Bucket viewer" \ --description "This role has only the storage.buckets.get permission" \ --permissions storage.buckets.getThis will create a custom role with the ID
bucketViewer, for the project IDexample-project-id-1, containing only the permissionstorage.buckets.get. Replace these values as desired and accordingly.Once done, you can assign this custom role also with a single
gcloudcommand by usinggcloud projects add-iam-policy-binding:gcloud projects add-iam-policy-binding example-project-id-1 \ --member='serviceAccount:[email protected]' \ --role='projects/example-project-id-1/roles/bucketViewer'Replace
example-project-id-1with your project ID, and[email protected]with the actual name of the service account you want to assign the role to.
Upvotes: 44
Reputation: 2478
You most likely don't want to assign single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick existing one, or create own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.
Upvotes: 3
Related Questions
- How to add a custom role to service account using gcloud
- How do I check that a Google Cloud service account has a particular permission programmatically?
- Google Cloud: How to list granted permission for user or service account?
- Granting full gcs bucket permissions to a GCP service account
- How to resolve GCloud permissions?
- How to grant service account access to a user account on google cloud
- GCP-IAM - How to grant access to all service account in organization?
- Google Cloud Platform: Minimal IAM permissions for gcloud command
- How to give permission for an IAM service account to run a docker container within a GCP VM?
- How to set service account permission from IAM api