Properly Granting Users Access to Google Cloud Platform Service Accounts Using the Cloud SDK CLI

Given a Google Cloud Platform (GCP) service account $GCP_SERVICE_ACCOUNT_NAME, what is the proper way to grant users the:

  • permissions to deploy jobs and virtual machines with $GCP_SERVICE_ACCOUNT_NAME
  • permission to administer $GCP_SERVICE_ACCOUNT_NAME

using the GCP Cloud SDK (gcloud) instead of this page in the console?

In other words, if $GCP_SERVICE_ACCOUNT_NAME was created within GCP project $GCP_PROJECT_NAME:

gcloud iam service-accounts create $GCP_SERVICE_ACCOUNT_NAME \
--description=$GCP_SERVICE_ACCOUNT_DESCRIPTION \
--display-name=$GCP_SERVICE_ACCOUNT_NAME

#=>

Created service account [$GCP_SERVICE_ACCOUNT_NAME].

and was granted permissions through some curated role:

gcloud projects add-iam-policy-binding $GCP_PROJECT_NAME \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com" \
--role=$GCP_CURATED_ROLE

#=>

Updated IAM policy for project [$GCP_PROJECT_NAME].
bindings:
. . .
- members:
  . . .
  - serviceAccount:$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com
  role: $GCP_CURATED_ROLE
  . . .
. . .
etag: . . .
version: 1

what gcloud group(s) and command would grant users the permissions to deploy jobs & virtual machines with and the permission to administer $GCP_SERVICE_ACCOUNT_NAME?

The official GCP documentation for creating a service account using gcloud, found here, suggests an add-iam-policy-binding command that would "allow users to impersonate the service account":

gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME" \
--role="roles/iam.serviceAccountUser"

#=>

Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
  - user:$GCP_USER_NAME
  role: roles/iam.serviceAccountUser
etag: . . .
version: 1

with:

gcloud config list account --format="value(core.account)"

#=>

$GCP_USER_NAME

Does this mean that $GCP_USER_NAME is able to deploy jobs and virtual machines with $GCP_SERVICE_ACCOUNT_NAME, administer $GCP_SERVICE_ACCOUNT_NAME or both?

1 answer

  • answered 2021-09-01 02:41 Mike

    Binding the roles/iam.serviceAccountUser curated role grants $GCP_USER_NAME_ALPHA the permissions to deploy jobs and virtual machines with $GCP_SERVICE_ACCOUNT_NAME:

    gcloud iam service-accounts add-iam-policy-binding \
    $GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
    --member="user:$GCP_USER_NAME_ALPHA" \
    --role="roles/iam.serviceAccountUser"
    
    #=>
    
    Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
    bindings:
    - members:
      - user:$GCP_USER_NAME_ALPHA
      role: roles/iam.serviceAccountUser
    etag: . . .
    version: 1
    

    Binding the roles/iam.serviceAccountAdmin curated role grants $GCP_USER_NAME_BETA the permission to administer $GCP_SERVICE_ACCOUNT_NAME:

    gcloud iam service-accounts add-iam-policy-binding \
    $GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
    --member="user:$GCP_USER_NAME_BETA" \
    --role="roles/iam.serviceAccountAdmin"
    
    #=>
    
    Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
    bindings:
    - members:
      - user:$GCP_USER_NAME_BETA
      role: roles/iam.serviceAccountAdmin
    etag: . . .
    version: 1
    

    If $GCP_SERVICE_ACCOUNT_NAME was created using the console (here) instead of gcloud, bindings can still be verified with:

    gcloud iam service-accounts get-iam-policy \
    $GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com
    
    #=>
    
    bindings:
    - members:
      - user:$GCP_USER_NAME_BETA
      role: roles/iam.serviceAccountAdmin
    - members:
      - user:$GCP_USER_NAME_ALPHA
      role: roles/iam.serviceAccountUser
    etag: . . .
    version: 1
    

    The official GCP docs do mention both roles here, but don't use the same language found in the Service Account creation portion of the console. There is also no "Equivalent COMMAND LINE" dialog on this page.
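As an added check, not part of the question or of Mike's answer, the following Python script reads the JSON form of the service account's policy (what gcloud iam service-accounts get-iam-policy SA --format=json returns) and reports which principals can use the account and which can administer it. The embedded sample policy and the example.com identities are constructed; roles/iam.serviceAccountTokenCreator is not mentioned on this page but is a real predefined role that also lets a principal obtain credentials for the account, so it is grouped with "use".

```python
import json
from typing import Dict, Set

# Roles on the service account's own IAM policy that answer the question:
# serviceAccountUser  -> can deploy jobs / VMs that run as the account
# serviceAccountAdmin -> can administer the account itself
# serviceAccountTokenCreator is not on the page; it is a real predefined
# role that also yields credentials for the account, so it counts as "use".
USE_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
ADMIN_ROLES = {"roles/iam.serviceAccountAdmin"}

# Constructed sample: the policy after both bindings from the answer exist,
# as printed by: gcloud iam service-accounts get-iam-policy SA --format=json
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": ["user:beta@example.com"],
         "role": "roles/iam.serviceAccountAdmin"},
        {"members": ["user:alpha@example.com", "group:ml-team@example.com"],
         "role": "roles/iam.serviceAccountUser"},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})


def classify_policy(policy_json: str) -> Dict[str, Set[str]]:
    """Map the policy to principals that can use, administer, or otherwise touch the SA.

    Members of bindings that carry an IAM condition are additionally listed under
    "conditional" so a reviewer knows the grant only applies when the condition holds.
    """
    policy = json.loads(policy_json)
    result: Dict[str, Set[str]] = {"use": set(), "admin": set(), "other": set(), "conditional": set()}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = set(binding.get("members", []))
        if binding.get("condition"):
            result["conditional"] |= members
        if role in USE_ROLES:
            result["use"] |= members
        elif role in ADMIN_ROLES:
            result["admin"] |= members
        else:
            result["other"] |= members
    return result


if __name__ == "__main__":
    for kind, members in classify_policy(SAMPLE_POLICY).items():
        print(f"{kind}: {sorted(members)}")
```

Pipe a real policy in with --format=json and pass the text to classify_policy to review who can act as the account versus who can change its bindings.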
