如何列出与gcp服务帐户关联的角色? [英] How do I list the roles associated with a gcp service account?

问题描述

在Google云GUI控制台中，我转到"IAM& admin">服务帐户"，并创建了一个具有查看者角色的服务帐户"my-service-account".

In the google cloud gui console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.

然后我运行以下命令:

gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com

并看到以下输出:

etag: ACAB

根据文档，这意味着此服务帐户没有与之关联的策略.因此，我为其分配了一个角色"，该角色未包含在其政策"中.

According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".

如何列出与服务帐户关联的角色?

How do I list the roles associated with a service account?

多亏了对这个问题的出色回答，我现在可以遍历所有项目并得到我想要的东西.因此，根据您使用的这些cmd工具的版本，这应该列出所有项目中单个服务帐户的所有角色绑定:

Thanks to the excellent answer to this question I can now loop over all projects and get what I want. so, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:

gcloud projects list | \
  awk '{print $1}' | \
  xargs -I % sh -c "echo ""; echo project:% && \
  gcloud projects get-iam-policy % \
  --flatten='bindings[].members' \
  --format='table(bindings.role)' \
  --filter='bindings.members:YOU-SERVICE-ACCOUNT@blah.com' \
  ;" 

推荐答案

要对特定的服务帐户进行过滤，以下gcloud commmand可以做到这一点:

To filter on a specific service account, the following gcloud commmand does the trick:

gcloud projects get-iam-policy <YOUR GCLOUD PROJECT>  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"

给出漂亮的输出:

ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer

当然可以调整格式参数以适合您的特定需求.

The format param can of course be tweaked to suit your specific needs.

这篇关于如何列出与gcp服务帐户关联的角色?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！