Reputation: 7004
We can list all IAM service accounts as follows:

    gcloud iam service-accounts list

We can list all IAM roles as follows:

    gcloud iam roles list

This works fine for one project only.
However, I have multiple projects and they are organized by folders. I would therefore like to list all IAM principals and roles in one go. How can this be achieved?
Upvotes: 0
Views: 2858
Reputation: 40081
List all Project IDs:

    gcloud projects list --format="value(projectId)"

List all Service Account (Emails) by Project (IDs):

    PROJECTS=$(\
      gcloud projects list \
      --format="value(projectId)")
    for PROJECT in ${PROJECTS}
    do
      echo "Project: ${PROJECT}"
      gcloud iam service-accounts list \
      --project=${PROJECT} \
      --format="value(email)"
    done

IIUC, gcloud iam roles list is a global list.

For the custom role (names) in a Project, you want:

    gcloud iam roles list \
    --project=${PROJECT} \
    --format="value(name)"

So perhaps:

    PROJECTS=$(\
      gcloud projects list \
      --format="value(projectId)")
    for PROJECT in ${PROJECTS}
    do
      echo "Project: ${PROJECT}"
      gcloud iam roles list \
      --project=${PROJECT} \
      --format="value(name)"
    done

Or perhaps:

    gcloud projects get-iam-policy ${PROJECT}

And:

    PROJECTS=$(\
      gcloud projects list \
      --format="value(projectId)")
    for PROJECT in ${PROJECTS}
    do
      echo "Project: ${PROJECT}"
      gcloud projects get-iam-policy ${PROJECT}
    done

The above can be further filtered|formatted using the --filter and --format flags.
Upvotes: 1
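
Building on the per-project get-iam-policy loop in the answer above, this added example (not part of the original answer) flattens each project's policy into project/role/member rows and groups them by principal, which is the view an access review usually needs. The function names and sample rows are constructed for illustration, and the --flatten flag is an addition the answer does not use.

```shell
#!/bin/sh
# Added example (not from the answer). Rows are "project<TAB>role<TAB>member".

# One row per (project, role, member) across every project gcloud can list.
collect_bindings() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    gcloud projects get-iam-policy "${project}" \
      --flatten="bindings[].members" \
      --format="value(bindings.role,bindings.members)" |
      awk -v p="${project}" '{ print p "\t" $0 }'
  done
}

# Read rows on stdin; print each principal once with its project:role grants.
group_by_principal() {
  awk -F'\t' '
    NF < 3 { next }                      # skip blank or malformed rows
    {
      grant = $1 ":" $2
      if ($3 in grants) grants[$3] = grants[$3] ", " grant
      else grants[$3] = grant
    }
    END { for (m in grants) printf "%s\t%s\n", m, grants[m] }
  ' | LC_ALL=C sort
}

# Constructed sample rows (hypothetical projects and principals) for offline use.
sample_rows() {
  printf 'proj-a\troles/owner\tuser:alice@example.com\n'
  printf 'proj-a\troles/viewer\tserviceAccount:ci@proj-a.iam.gserviceaccount.com\n'
  printf 'proj-b\troles/owner\tuser:alice@example.com\n'
  printf 'proj-b\troles/editor\tserviceAccount:ci@proj-a.iam.gserviceaccount.com\n'
}

case "${1:-}" in
  --demo) sample_rows | group_by_principal ;;
  --live) collect_bindings | group_by_principal ;;
esac
```

Note that get-iam-policy returns only the bindings set directly on each project, so roles inherited from a folder or the organization do not appear in these rows.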