How to list all the IAM roles that include a given permission in GCP
After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.
At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles. I search for the permission, then scroll up to see the role name and all the other permissions in that role.
It works but is slow for what must be a common task.
Is there a better web page or a gcloud API command that would work better?
The GCP documentation offers a (huge) page that allows you to identify the different roles that grant a given permission.
In addition to the page you cited, you can also use the gcloud CLI to describe a role and see the different permissions it grants. For example:
gcloud iam roles describe roles/iam.roleViewer
The command will output:
    description: Read access to all custom roles in the project.
    etag: AA==
    includedPermissions:
    - iam.roles.get
    - iam.roles.list
    - resourcemanager.projects.get
    - resourcemanager.projects.getIamPolicy
    name: roles/iam.roleViewer
    stage: GA
    title: Role Viewer
The gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.
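The reverse lookup the answer says gcloud lacks can be assembled from the two commands it does have: `gcloud iam roles list` (which, with no `--project` or `--organization`, enumerates the predefined roles but omits their permissions) and `gcloud iam roles describe ROLE --format=json` for each one. The script below is an added example, not code from the original answer or from Google; it filters the described roles by a permission and orders the hits by how many permissions they carry, so the narrowest candidate comes first, which is what the question is after. Offline it runs against a constructed sample in which only `roles/iam.roleViewer` is copied from the answer's output and the other permission lists are illustrative; with `--live` it assumes an authenticated `gcloud` on PATH and will issue one describe call per predefined role, which takes a while.

```python
"""Reverse lookup: which predefined GCP roles grant a given IAM permission?

Added example (not from the original post). Builds on the gcloud commands
shown in the answer: `gcloud iam roles list` to enumerate predefined roles and
`gcloud iam roles describe ROLE --format=json` to read includedPermissions.
Offline it uses SAMPLE_ROLES; pass --live to query gcloud instead.
"""
import json
import subprocess
import sys
from typing import Dict, Iterable, List

Role = Dict[str, object]

# Constructed sample of `gcloud iam roles describe ... --format=json` output.
# roles/iam.roleViewer matches the answer; the other permission lists are
# illustrative and trimmed, not authoritative.
SAMPLE_ROLES: List[Role] = [
    {"name": "roles/iam.roleViewer", "title": "Role Viewer", "stage": "GA",
     "includedPermissions": ["iam.roles.get", "iam.roles.list",
                             "resourcemanager.projects.get",
                             "resourcemanager.projects.getIamPolicy"]},
    {"name": "roles/iam.organizationRoleViewer",
     "title": "Organization Role Viewer", "stage": "GA",
     "includedPermissions": ["iam.roles.get", "iam.roles.list",
                             "resourcemanager.organizations.get",
                             "resourcemanager.organizations.getIamPolicy"]},
    {"name": "roles/viewer", "title": "Viewer", "stage": "GA",
     "includedPermissions": ["iam.roles.get", "iam.roles.list",
                             "compute.instances.list", "storage.objects.get",
                             "logging.logEntries.list",
                             "resourcemanager.projects.get"]},
    {"name": "roles/logging.viewer", "title": "Logs Viewer", "stage": "GA",
     "includedPermissions": ["logging.logEntries.list", "logging.logs.list"]},
    # Hypothetical deleted role: describe still returns such entries, and a
    # deleted role must never be recommended for a binding.
    {"name": "roles/example.legacyRoleViewer", "title": "Legacy (constructed)",
     "stage": "DEPRECATED", "deleted": True,
     "includedPermissions": ["iam.roles.get"]},
]


def _gcloud_json(args: List[str]):
    """Run a gcloud command with --format=json and parse its output."""
    out = subprocess.check_output(["gcloud", *args, "--format=json"], text=True)
    return json.loads(out)


def list_predefined_role_names() -> List[str]:
    """Names of all predefined roles (no --project/--organization flag)."""
    return [r["name"] for r in _gcloud_json(["iam", "roles", "list"])]


def describe_role(name: str) -> Role:
    """Equivalent of `gcloud iam roles describe NAME --format=json`."""
    return _gcloud_json(["iam", "roles", "describe", name])


def fetch_all_roles() -> List[Role]:
    """Describe every predefined role; the list view omits includedPermissions."""
    return [describe_role(n) for n in list_predefined_role_names()]


def roles_granting(permission: str, roles: Iterable[Role]) -> List[Role]:
    """Non-deleted roles that include `permission`, narrowest first.

    Ties on permission count are broken by role name so output is stable.
    """
    hits = [r for r in roles
            if not r.get("deleted")
            and permission in r.get("includedPermissions", [])]
    return sorted(hits, key=lambda r: (len(r["includedPermissions"]), r["name"]))


def format_report(permission: str, roles: Iterable[Role]) -> str:
    """Human-readable listing: each matching role followed by all its permissions."""
    lines = []
    for r in roles_granting(permission, roles):
        perms = r["includedPermissions"]
        lines.append(f"{r['name']} ({r.get('stage', '?')}, {len(perms)} permissions)")
        lines.extend(f"    {p}" for p in perms)
    return "\n".join(lines) if lines else f"no predefined role grants {permission}"


if __name__ == "__main__":
    positional = [a for a in sys.argv[1:] if a != "--live"]
    perm = positional[0] if positional else "iam.roles.get"
    source = fetch_all_roles() if "--live" in sys.argv else SAMPLE_ROLES
    print(format_report(perm, source))
```

Run it as `python3 find_roles.py iam.roles.get --live` to query your account's view of the predefined roles; because the list view carries no permissions, every role has to be described individually, so cache the result to a file if you expect to repeat the search. Custom roles are deliberately out of scope, matching the question's constraint; the ordering by permission count is a heuristic for "narrowest", and the printed permission list is there so the final choice is still a human one.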