如何列出与 gcp 服务帐户关联的角色? [英] How do I list the roles associated with a gcp service account?

问题描述

在 google cloud gui 控制台中，我转到IAM & admin">服务帐户"并创建了一个名为my-service-account"的具有查看者角色的服务帐户.

In the google cloud gui console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.

然后我运行了这个命令:

I then ran this command:

gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com

看到这个输出:

etag: ACAB

根据文档，这意味着此服务帐户没有与之关联的政策.所以我给它分配了一个不包含在它的政策"中的角色".

According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".

如何列出与服务帐户关联的角色?

How do I list the roles associated with a service account?

由于对这个问题的出色回答，我现在可以遍历所有项目并得到我想要的.因此，根据您这些 cmd 工具的版本，这应该列出所有项目中单个服务帐户的所有角色绑定:

Thanks to the excellent answer to this question I can now loop over all projects and get what I want. so, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:

gcloud projects list | 
  awk '{print $1}' | 
  xargs -I % sh -c "echo ""; echo project:% && 
  gcloud projects get-iam-policy % 
  --flatten='bindings[].members' 
  --format='table(bindings.role)' 
  --filter='bindings.members:YOU-SERVICE-ACCOUNT@blah.com' 
  ;" 

推荐答案

要过滤特定的服务帐户，以下 gcloud 命令可以解决问题:

To filter on a specific service account, the following gcloud commmand does the trick:

gcloud projects get-iam-policy <YOUR GCLOUD PROJECT>  
--flatten="bindings[].members" 
--format="table(bindings.role)" 
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"

给出不错的输出:

ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer

当然可以调整格式参数以满足您的特定需求.

The format parameter can of course be tweaked to suit your specific needs.

这篇关于如何列出与 gcp 服务帐户关联的角色?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！