In the Google Cloud GUI console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.
I then ran this command:
gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com
and saw this output:
etag: ACAB
According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".
How do I list the roles associated with a service account?
EDIT:
Thanks to the excellent answer to this question I can now loop over all projects and get what I want. So, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:
gcloud projects list | \
  awk '{print $1}' | \
  xargs -I % sh -c "echo ""; echo project:% && \
  gcloud projects get-iam-policy % \
  --flatten='bindings[].members' \
  --format='table(bindings.role)' \
  --filter='bindings.members:YOU-SERVICE-ACCOUNT@blah.com' \
  ;"
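An added example, not part of the original post: the same lookup done over policy JSON, showing why the service account's own policy is empty while the project policy carries the role. The sample policies are constructed in the shape printed by `gcloud projects get-iam-policy PROJECT --format=json`; the project ids, the extra members and the function names are assumptions for illustration.

```python
# Constructed sample data (not real output): project-level IAM policies.
SA = "my-service-account@mydomain.iam.gserviceaccount.com"
PROJECT_POLICIES = {
    "project-a": {
        "bindings": [
            {"role": "roles/viewer",
             "members": [f"serviceAccount:{SA}", "user:alice@example.com"]},
            {"role": "roles/storage.objectAdmin",
             "members": [f"serviceAccount:{SA}"],
             "condition": {"title": "temp-access",
                           "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        ],
        "etag": "constructed-etag-a",
    },
    "project-b": {
        "bindings": [{"role": "roles/editor", "members": ["user:bob@example.com"]}],
        "etag": "constructed-etag-b",
    },
}
# The policy on the service account resource itself, as in the question:
# an etag and no bindings, because it lists who may act ON the account.
SA_RESOURCE_POLICY = {"etag": "ACAB"}


def roles_for_member(policy, email):
    """Return sorted (role, condition_title) pairs granted to one service account."""
    member = f"serviceAccount:{email}"  # exact match on the full member string
    found = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # Conditional bindings only apply while the condition holds.
            title = binding.get("condition", {}).get("title")
            found.add((binding["role"], title))
    return sorted(found, key=lambda pair: (pair[0], pair[1] or ""))


def roles_across_projects(policies, email):
    """Map project id -> roles for the account, skipping projects with none."""
    result = {}
    for project, policy in policies.items():
        roles = roles_for_member(policy, email)
        if roles:
            result[project] = roles
    return result


if __name__ == "__main__":
    print("service account's own policy:", roles_for_member(SA_RESOURCE_POLICY, SA))
    for project, roles in roles_across_projects(PROJECT_POLICIES, SA).items():
        print(project, roles)
```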