How to list all the IAM roles that include a given permission in GCP

After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.

At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles. I search for the permission, then scroll up to see the role name and all the other permissions in that role.

It works but is slow for what must be a common task.

Is there a better web page or a gcloud API command that would work better?

1 answer

  • answered 2022-05-04 22:28 jccampanero

    The GCP documentation offers a (huge) page that allows you to identify the different roles that grant them.

    In addition to the page you cited you can later, using the gcloud CLI, describe a role and see the different permissions it grants. For example:

    gcloud iam roles describe roles/iam.roleViewer
    

    The command will output:

    description: Read access to all custom roles in the project.
    etag: AA==
    includedPermissions:
    - iam.roles.get
    - iam.roles.list
    - resourcemanager.projects.get
    - resourcemanager.projects.getIamPolicy
    name: roles/iam.roleViewer
    stage: GA
    title: Role Viewer
    

    AFAIK, the gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.
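An added example, written here and not taken from the answer, from gcloud, or from Google's documentation, that does the reverse lookup the answer says gcloud lacks: it indexes saved `gcloud iam roles describe ROLE --format=json` output by permission, lists the roles that grant a given permission, and ranks the roles that contain a required set of permissions by how many extra permissions they carry, which is the least-privilege choice the question is after. The sample role documents are constructed: `roles/iam.roleViewer` mirrors the output shown above, while the two `roles/example.*` roles are invented for illustration and are not real roles. Gathering the real data with a loop over `gcloud iam roles list --format='value(name)'` and `jq -c .` is an assumed workflow, not something the answer describes.

```python
"""Reverse-index GCP predefined roles by permission from saved
`gcloud iam roles describe ROLE --format=json` documents (offline)."""
import json
from collections import defaultdict

# Constructed sample documents in the shape gcloud prints with --format=json.
# The first mirrors the roles/iam.roleViewer output in the answer above; the
# two roles/example.* entries are invented here and are not real GCP roles.
SAMPLE_ROLE_DOCS = [
    {
        "name": "roles/iam.roleViewer",
        "title": "Role Viewer",
        "stage": "GA",
        "includedPermissions": [
            "iam.roles.get",
            "iam.roles.list",
            "resourcemanager.projects.get",
            "resourcemanager.projects.getIamPolicy",
        ],
    },
    {
        "name": "roles/example.wideRole",  # invented for illustration
        "title": "Example Wide Role",
        "stage": "GA",
        "includedPermissions": [
            "iam.roles.get",
            "iam.roles.list",
            "iam.roles.create",
            "iam.roles.delete",
            "resourcemanager.projects.get",
        ],
    },
    {
        "name": "roles/example.narrowRole",  # invented for illustration
        "title": "Example Narrow Role",
        "stage": "BETA",
        "includedPermissions": ["iam.roles.get", "resourcemanager.projects.get"],
    },
]


def build_permission_index(role_docs):
    """Map each permission to the set of role names that grant it."""
    index = defaultdict(set)
    for doc in role_docs:
        for perm in doc.get("includedPermissions", []):
            index[perm].add(doc["name"])
    return index


def roles_granting(role_docs, permission):
    """Sorted list of role names whose includedPermissions contain `permission`."""
    return sorted(build_permission_index(role_docs).get(permission, set()))


def least_privilege_candidates(role_docs, required):
    """Roles that grant every permission in `required`, ranked by how many
    extra permissions they add (fewest first, then by name).
    Returns a list of (role_name, extra_count, sorted_extra_permissions)."""
    required = set(required)
    ranked = []
    for doc in role_docs:
        granted = set(doc.get("includedPermissions", []))
        if required <= granted:
            extras = sorted(granted - required)
            ranked.append((doc["name"], len(extras), extras))
    ranked.sort(key=lambda item: (item[1], item[0]))
    return ranked


def load_role_docs_from_json_lines(text):
    """Parse one JSON document per line. Assumed collection step (not from the
    answer): for r in $(gcloud iam roles list --format='value(name)'); do
    gcloud iam roles describe "$r" --format=json | jq -c . ; done > roles.jsonl"""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    perm = "iam.roles.get"
    print(f"Roles granting {perm}: {roles_granting(SAMPLE_ROLE_DOCS, perm)}")
    needed = ["iam.roles.get", "iam.roles.list"]
    for name, n_extra, extras in least_privilege_candidates(SAMPLE_ROLE_DOCS, needed):
        print(f"{name}: {n_extra} extra permission(s): {extras}")
```

Ranking by extra permissions is only a first filter: before granting, read the extras of the top candidate (here `roles/iam.roleViewer` adds only two `resourcemanager.projects.*` read permissions) and confirm they are acceptable for that principal.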
