I have a service account which belongs to a project. It has some roles/permissions set at the project level as well as some roles/permissions set at the organization level.

I need to get a list of all permissions/roles that the service account is granted.

On searching I found the "Identity and Access Management (IAM) API" documentation, which has an API that will list all resources that have access to the service account and the roles set on those resources. What I need is the reverse. I want to get all roles that the service account has on other resources (in my case the project and the organization).

In that document it is mentioned: "projects.serviceAccounts.getIamPolicy() method does not return what resources the service account has access to. To see if a service account has access to a resource, call the getIamPolicy method on the target resource. For example, to view grants for a project, call the projects.getIamPolicy method." But to get organization-level permissions, the service account does not have permission to make the API call.

Is there any other way to get all roles a service account has on a project and organization?

Johnny Cage

3 Answers

You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.

To find out which roles a service account has in an organization:

gcloud asset search-all-iam-policies --scope=organizations/123 --query="policy:123-compute@developer.gserviceaccount.com"

To learn more, see the other post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

Circy

Is there any other way to get all roles a service account has on a project and organization?

At this time, you will need to manually check all resources everywhere.

A service account is an identity. An identity can be granted permissions to resources both in your project/organization and in other projects/organizations. This includes resources such as Cloud Storage objects, KMS keys, services such as Cloud Run, etc. These permissions are tracked at the resource level, not at the identity level.

Typically administrators grant an IAM member permissions (roles) at the project level. However, permissions can also be granted at the resource level, i.e. a single cloud storage object or a KMS key. Checking the project/organization permissions will not show resource-level permissions (projects are just another resource).

John Hanley
  • Thanks. I'm still thinking of a way to get all roles associated with the service account. I need to get a list of the roles that the service account has on the project and organization. I can run projects.getIamPolicy(), which returns all identities that have access to the project, and filter for the required service account id. I'm not able to do organization.getIamPolicy() as the service account does not have permission to call that API. Can you suggest a way for me to do this task? – Johnny Cage Feb 26 '20 at 16:16
  • You need permission to access the organization resource. This link explains more and has example code: https://cloud.google.com/resource-manager/docs/access-control-org – John Hanley Feb 26 '20 at 16:34
  • So currently is this the only way to get this task done? – Johnny Cage Feb 27 '20 at 05:11
  • I just want to get all permissions that a given service account has on the organization. Isn't there any other way of getting it from the service account's end instead of getting the permissions of all accounts/resources that have access to the organization? The organization.getIamPolicy() method gives a list of all accounts/users/resources that have access to that organization, which is not needed. – Johnny Cage Feb 27 '20 at 05:34
  • Resources contain the permissions for an identity. You need permission to access the resource to get this information. The identity does not know what permissions it has on other resources. Permissions are assigned at the resource (org, project, object, etc) and not with the identity. The exception is when the identity is also a resource granting permission to other identities. – John Hanley Feb 27 '20 at 15:24
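Both the search-all-iam-policies approach in the first answer and the "run projects.getIamPolicy() and filter for the service account" approach from the comments leave the same last step to the caller: the returned policies contain bindings for every member, so the roles for one service account still have to be picked out. The Python below is an added example (not code from any of the answers) that does that filtering over a constructed sample shaped like the JSON output of `gcloud asset search-all-iam-policies --format=json` (one result per resource, each carrying a `resource` name and a `policy` with `bindings`); the resource names, role names and e-mail addresses are made up.

```python
import json

# Constructed sample in the shape returned by
# `gcloud asset search-all-iam-policies --scope=... --query=policy:<sa-email> --format=json`.
# A matching resource is returned with its whole policy, including bindings
# for other members, so the service account's roles must still be filtered out.
SEARCH_RESULTS_JSON = """
[
  {"resource": "//cloudresourcemanager.googleapis.com/organizations/123",
   "policy": {"bindings": [
     {"role": "roles/resourcemanager.organizationViewer",
      "members": ["serviceAccount:sa@example-project.iam.gserviceaccount.com"]},
     {"role": "roles/owner", "members": ["user:admin@example.com"]}]}},
  {"resource": "//cloudresourcemanager.googleapis.com/projects/example-project",
   "policy": {"bindings": [
     {"role": "roles/editor",
      "members": ["serviceAccount:sa@example-project.iam.gserviceaccount.com",
                  "user:dev@example.com"]},
     {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]}]}},
  {"resource": "//storage.googleapis.com/projects/_/buckets/example-bucket",
   "policy": {"bindings": [
     {"role": "roles/storage.objectAdmin",
      "members": ["serviceAccount:sa@example-project.iam.gserviceaccount.com"]}]}}
]
"""

def load_sample_results():
    """Parse the constructed sample above."""
    return json.loads(SEARCH_RESULTS_JSON)

def roles_for_member(policy, member):
    """Roles granted to `member` in one IAM policy (the getIamPolicy shape:
    {"bindings": [{"role": ..., "members": [...]}]}). IAM members carry a type
    prefix, so a bare e-mail is matched as 'serviceAccount:<email>'."""
    wanted = member if ":" in member else f"serviceAccount:{member}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if wanted in b.get("members", []))

def roles_by_resource(search_results, member):
    """Map each resource returned by search-all-iam-policies to the roles
    `member` holds on it; resources where the member holds nothing are dropped."""
    out = {}
    for result in search_results:
        roles = roles_for_member(result.get("policy", {}), member)
        if roles:
            out[result["resource"]] = roles
    return out

if __name__ == "__main__":
    sa = "sa@example-project.iam.gserviceaccount.com"
    for resource, roles in roles_by_resource(load_sample_results(), sa).items():
        print(resource, roles)
```

The bucket entry illustrates the point made in the second answer: a resource-level grant shows up only when the scope of the search covers that resource, not in the project or organization policy itself.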
It is definitely a hack, but this is how I do it:

  1. On the console, go to the IAM tab.
  2. Filter to search for your service account (if it does not appear, that means it has no prior associations with any roles).
  3. Click on edit.
  4. Click on Add Another Role.
  5. Select a role at random.
  6. You will notice a small tab on the right asking to test changes; click on it.
  7. It opens a new tab, where you see 2 buttons, View Policy Diff & View Permission Diff.
  8. Click either!

That shall do it for you!

Only catch is, the service account shall have at least one role associated with it already.

AppleCiderGuy