Reputation: 71
I have a service account which belongs to a project. It has some roles/permissions set at the project level as well as some roles/permissions set at the organization level.
I need to get a list of all permissions/roles that the service account is granted.
On searching I found the "Identity and Access Management (IAM) API" documentation, which has an API that will list all resources that have access to the service account and the roles set on those resources. What I need is the reverse: I want to get all roles that the service account has on other resources (in my case the project and the organization).
In that document it is mentioned: "projects.serviceAccounts.getIamPolicy() method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method." But to get organization-level permissions, the service account does not have permission to make the API call.
Is there any other way to get all roles a service account has on a project and organization?
Upvotes: 7
Views: 11371
Reputation: 1297
It's definitely a hack, but this is how I do it:
1. On the console, go to the IAM tab.
2. Filter to search for your service account (if it does not appear, that means it has no prior associations with any roles).
3. Click on Edit.
4. Click on Add Another Role.
5. Select a role at random.
6. You will notice a small tab on the right asking to test changes; click on it.
7. It opens a new tab where you see 2 buttons, View Policy Diff & View Permission Diff. Click either!
That shall do it for you!
The only catch is that the service account shall have at least one role associated with it already.
Upvotes: 0
Reputation: 1194
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
To find out which roles a service account has in an organization:
gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:[email protected]"
To learn more, see the other post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
Upvotes: 5
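As an added example (not part of the answer above), the following Python post-processes the JSON that `gcloud asset search-all-iam-policies --format=json` emits into a per-resource role list for one member, tagging conditional bindings and pointing out grants on non-project resources. The result data and the service account address are constructed, not taken from a real environment.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `gcloud asset search-all-iam-policies
# --format=json` output (IamPolicySearchResult objects); all values made up.
SA = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"
SAMPLE_RESULTS = json.dumps([
    {"resource": "//cloudresourcemanager.googleapis.com/organizations/123",
     "policy": {"bindings": [
         {"role": "roles/resourcemanager.organizationViewer",
          "members": [SA, "user:admin@example.com"]}]}},
    {"resource": "//cloudresourcemanager.googleapis.com/projects/my-project",
     "policy": {"bindings": [
         {"role": "roles/editor", "members": [SA]},
         {"role": "roles/owner", "members": ["group:owners@example.com"]},
         # Conditional binding: the role applies only while the condition is true.
         {"role": "roles/viewer", "members": [SA],
          "condition": {"title": "expires 2030",
                        "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}]}},
    # Resource-level grant that projects.getIamPolicy would never show.
    {"resource": "//storage.googleapis.com/projects/_/buckets/my-bucket",
     "policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": [SA]}]}},
])
CRM_PREFIX = "//cloudresourcemanager.googleapis.com/"


def roles_for_member(results_json: str, member: str) -> dict[str, list[str]]:
    """Map each resource to the roles `member` holds on it; conditional
    bindings are tagged with the condition title so they are not read as
    unconditional grants."""
    roles = defaultdict(list)
    for result in json.loads(results_json):
        resource = result.get("resource", "")
        for binding in result.get("policy", {}).get("bindings", []):
            if member not in binding.get("members", []):
                continue
            role = binding["role"]
            condition = binding.get("condition")
            if condition:
                role += f" (conditional: {condition.get('title', 'untitled')})"
            roles[resource].append(role)
    return {res: sorted(rs) for res, rs in roles.items()}


def resource_level_grants(roles_by_resource: dict[str, list[str]]) -> list[str]:
    """Resources that are not organizations/folders/projects: the direct
    grants a project- or org-level policy check misses."""
    return sorted(r for r in roles_by_resource if not r.startswith(CRM_PREFIX))
```

Run it against the real output by replacing `SAMPLE_RESULTS` with the saved JSON; a member whose only grants are on a bucket or key shows up only in `resource_level_grants`.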
Reputation: 81454
Is there any other way to get all roles a service account has on a project and organization?
At this time, you will need to manually check all resources everywhere.
A service account is an identity. An identity can be granted permissions to resources both in your project/organization and in other projects/organizations. This includes resources such as Cloud Storage objects, KMS keys, services such as Cloud Run, etc. These permissions are tracked at the resource level, not at the identity level.
Typically administrators grant an IAM member permissions (roles) at the project level. However, permissions can also be granted at the resource level, i.e. a single cloud storage object or a KMS key. Checking the project/organization permissions will not show resource-level permissions (projects are just another resource).
Upvotes: 3