xetra11

Reputation: 8885

How can I list all service accounts (also those created by GCP) with the "gcloud" CLI?

When using gcloud iam service-accounts list I only see those service accounts created by me. But for scripting reasons I'd like to also obtain those created by GCP.

In particular I am looking for [email protected]. Since I am creating my GCP infrastructure with Terraform I cannot depend on 815330817453 as an identifier and therefore need to look for the service account manually via gcloud.

However gcloud iam service-accounts list does not list the cloudbuild.gserviceaccount.com service account (nor any other like compute.gserviceaccount.com).

Upvotes: 3

Views: 12294

Answers (2)

DazWilkin

Reputation: 40326

There are a couple of important qualifications to your question.

Service Accounts have a dual role in Google Cloud Platform. Service Accounts are (both) resources and may be used as identities.

1. Resource

Service Accounts are resources created in (owned by) a Google Cloud Platform project.

NOTE Service Accounts may be applied to non-Project resources too and, what follows, excludes (does not include) those bindings.

A Project foo owns zero or more Service Accounts. For Project (PROJECT), these may be enumerated:

gcloud iam service-accounts list \
--project=${PROJECT}

2. Identity

A Project foo includes an IAM Policy that may reference zero or more Service Accounts. These Service Accounts may be created in (owned by) any Google Cloud Platform project (not just the project policy in which they're referenced). These Service Accounts include Google-managed Service Accounts such as those in the domain gserviceaccount.com.

Enumerating these Service Accounts requires a different command. For Project (PROJECT), these may be enumerated:

gcloud projects get-iam-policy ${PROJECT} \
--flatten="bindings[].members[]" \
--filter="bindings.members~\"serviceAccount:\"" \
--format="value(bindings.members.split(sep=\":\").slice(1))"

It's a little gnarly:

  • --flatten breaks the bindings slice into easier to use chunks
  • --filter filters the chunks to only include Service Accounts
  • --format parses serviceAccount:foo into foo

gcloud provides decent filtering and formatting but, if you'd prefer a more general-purpose tool like jq, then:

FILTER='
  .bindings[].members[]
  |select(. | startswith("serviceAccount:"))
  |.[15:]
'

gcloud projects get-iam-policy ${PROJECT} \
--format="json" \
| jq -r "${FILTER}"

Explanation:

  • .bindings[].members[] for these objects
  • select(. | startswith("serviceAccount:")) selects the serviceAccount:
  • .[15:] strips the serviceAccount: (15) leaving the account email

Upvotes: 6
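As an added example (not part of the answer above), the same extraction done in Python over a constructed sample policy, extended to collect the roles of accounts that appear in several bindings and to surface deleted:serviceAccount: members, which a plain startswith("serviceAccount:") filter silently skips. Every account name, role and uid in the sample is made up.

```python
import json
from collections import defaultdict

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`.
# The account names, roles and uid are invented; only the shape is real.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456@cloudbuild.gserviceaccount.com",
                     "serviceAccount:123456-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["deleted:serviceAccount:old-deployer@my-proj.iam.gserviceaccount.com?uid=987654321"]},
    ],
})

SA_PREFIX = "serviceAccount:"
DELETED_PREFIX = "deleted:serviceAccount:"


def service_accounts_from_policy(policy_json):
    """Return {email: {"roles": [...], "deleted": bool}} for every service
    account referenced by any binding. 'deleted:serviceAccount:<email>?uid=<id>'
    members are bindings left behind by a removed account; an audit should
    see them rather than drop them."""
    policy = json.loads(policy_json)
    found = defaultdict(lambda: {"roles": set(), "deleted": False})
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(DELETED_PREFIX):
                # Strip the prefix and the '?uid=...' suffix to recover the email.
                email = member[len(DELETED_PREFIX):].split("?", 1)[0]
                found[email]["deleted"] = True
            elif member.startswith(SA_PREFIX):
                email = member[len(SA_PREFIX):]
            else:
                continue  # user:, group:, domain:, allUsers, ...
            found[email]["roles"].add(binding["role"])
    return {email: {"roles": sorted(v["roles"]), "deleted": v["deleted"]}
            for email, v in sorted(found.items())}


if __name__ == "__main__":
    for email, info in service_accounts_from_policy(SAMPLE_POLICY).items():
        flag = " (DELETED)" if info["deleted"] else ""
        print(f"{email}{flag}: {', '.join(info['roles'])}")
```

Piping the real policy in is a matter of replacing SAMPLE_POLICY with the output of the gcloud command from the answer.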

M__

Reputation: 419

Check your IAM roles. Start by adding the role IAM admin/Viewer to your user, and don't forget to use the command with the --project filter: gcloud iam service-accounts list --project=PROJECTID. Check also the IAM & Admin interface -> Service accounts: if you can see all service accounts there, that means you can list them using the gcloud command; if not, your user is missing a role.

Upvotes: 1
