Reputation: 71
How to get all roles/permissions that a service account have for a project and organization in GCP through API
I have a service account which belongs to a project. It have some roles/permissions set at the project level as well as some roles/permissions set at organization level.
I need to get list of all permissions/roles that the service account is granted.
On searching I found "Identity and Access Management (IAM) API" documentation which have API that will list all resources that have access to the service account and the roles set to the resources. What I need is the reverse. I want to get all roles that the service account have on other resources (in my case project and the organization).
In that document it is mentioned "projects.serviceAccounts.getIamPolicy() method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method." But to get organization level permissions, the service account do not have permission to do the API call.
Is there any other way to get all roles a service account have on a project and organization.
Upvotes: 7
Views: 11380
Answers (3)
Reputation: 1297
It's is definitely a hack, but this is how I do it:
on console, go to IAM tab.
filter to search your service account
(if it does not appear, that means it has no prior associations with any roles)
click on edit.
click on
Add Another roleselect a role at random.
you will notice a small tab on right asking to test changes, click on it.
it opens a new tab, where you see 2 buttons,
View Policy Diff&View Permission Diff.Click either!
That shall do it for you!
Only catch is, the Service account shall have at-least one role associated with it already.
Upvotes: 0
Reputation: 1194
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
To find out which roles a service account has in an organization:
gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:123-compute@developer.gserviceaccount.com"
To learn more, see the other post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
Upvotes: 5
Reputation: 81454
Is there any other way to get all roles a service account have on a project and organization.
At this time, you will need to manually check all resources everywhere.
A service account is an identity. An identity can be granted permissions to resources both in your project/organization but in other projects/organizations. This includes resources such as Cloud Storage objects, KMS keys, services such as Cloud Run, etc. These permissions are tracked at the resource level but not at the identity level.
Typically administrators grant an IAM member permissions (roles) at the project level. However, permissions can also be granted at the resource level, i.e. a single cloud storage object or a KMS key. Checking the project/organization permissions will not show resource-level permissions (projects are just another resource).
Upvotes: 3
Related Questions
- How to list all the IAM roles that include a given permission in GCP
- How do I list the roles associated with a gcp service account?
- Google cloud: How to list all service-accounts from all Projects in GCP
- How to Identify the current roles/permissions used in GCP projects?
- List all grantable roles in my GCP environment
- Google Cloud: How to list granted permission for user or service account?
- How to know all the permission I have in a GCP I have?
- Google Cloud Platform: How to fetch permissions assigned for particular Identity across all GCP resources via REST call
- Query project permissions by service account without manual preparation
- GCP: List grantable roles per resource