23

Following gcloud documentation


**gcloud iam service-accounts add-iam-policy-binding**

add an IAM policy binding to an IAM service account

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

```
gcloud iam service-accounts add-iam-policy-binding \
  test-proj1@example.domain.com \
  --member='serviceAccount:test-proj1@example.domain.com' \
  --role='roles/editor'
```

**gcloud projects add-iam-policy-binding**

add IAM policy binding for a project

https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

```
gcloud projects add-iam-policy-binding \
  <PROJECT_ID> \
  --member='serviceAccount:test-proj1@example.domain.com' \
  --role='roles/editor'
```

**gcloud organizations add-iam-policy-binding**

add IAM policy binding for an organization

https://cloud.google.com/sdk/gcloud/reference/organizations/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

```
gcloud organizations add-iam-policy-binding \
  test-proj1@example.domain.com \
  --member='serviceAccount:test-proj1@example.domain.com' \
  --role='roles/editor'
```

Does anyone know if those 3 commands are actually the same?

Thanks in advance for your help.

Jonathan.

Abrar Ahmed
Jonathan Chevalier

Comments:

- I believe they are all distinct (and there is likely yet another command associated with folders). The first defines what role a given identity can have associated with working with a service account as a resource. The second says that the given identity will have the role for ALL resources owned by the project. The third says that the given identity will have the role for ALL resources owned by projects eventually owned by the organization. – Kolban May 18 '20 at 17:57
- Yes, exactly for folder; but I did not put it since the example clearly uses a **folder id**, which makes sense in that case, unlike those examples above which do not use the corresponding level ID (project, folder, organization). – Jonathan Chevalier May 18 '20 at 18:11
- I don't think your 2nd example is correct. You had `gcloud projects add-iam-policy-binding test-proj1@example.domain.com ...` but that is a wrong parameter. It should be a PROJECT_ID. So, the right command should have been `gcloud projects add-iam-policy-binding ...` By the way, is the output of this 2nd example visible in GCP Console? I can't find it. – Vincent Yin Feb 13 '21 at 19:12

1 Answer

31

You have to read the command like this:

```
gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
```

The confusion comes from the duality of the service account (no quantum stuff, I promise!). A service account can be both an identity and a resource.

You can grant someone the editor role on a service account and someone else the viewer role on the same service account. That is your first example: you grant the service account the editor role on itself. For example, it will be able to update its own description.

In your 2 other examples, you grant your service account (as an identity) the editor role on the project resource (all the resources of the project, including the service account itself if it belongs to this project) and on the organisation.

Zoe
guillaume blaquiere

Comments:

- Google's docs were so confusing; the word duality in your answer cleared up my confusion. Thanks for the amazing explanation! – Anirudh Murali Jul 05 '20 at 20:47
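As an added illustration (not code from the question, the answer or Google's documentation), the following Python models the resource hierarchy the answer describes and shows which resources each of the three commands actually grants `roles/editor` on. The organization id, the second project and the bucket in the hierarchy are constructed for the example.

```python
# Added illustration: a toy model of IAM policy inheritance. The hierarchy
# below (organization id, second project, bucket) is constructed, not real.
PARENT = {
    "organizations/123456": None,
    "projects/test-proj1": "organizations/123456",
    "projects/other-proj": "organizations/123456",
    "serviceAccounts/test-proj1@example.domain.com": "projects/test-proj1",
    "buckets/test-proj1-logs": "projects/test-proj1",
}
SA = "serviceAccount:test-proj1@example.domain.com"  # the SA as an identity


def add_iam_policy_binding(policies, resource, member, role):
    """Models `gcloud <resourceType> add-iam-policy-binding <resourceName>`:
    the binding lands on the policy of that one resource only."""
    policies.setdefault(resource, []).append((member, role))


def effective_roles(policies, member, resource):
    """Roles a member holds on a resource: bindings on the resource itself
    plus those of every ancestor, since policies are inherited downwards."""
    roles, node = set(), resource
    while node is not None:
        roles.update(r for m, r in policies.get(node, []) if m == member)
        node = PARENT[node]
    return roles


def compare_commands():
    """Apply each of the page's three commands to an empty policy set and
    return, per command, the resources on which the SA ends up as editor."""
    targets = {
        "iam service-accounts": "serviceAccounts/test-proj1@example.domain.com",
        "projects": "projects/test-proj1",
        "organizations": "organizations/123456",
    }
    result = {}
    for cmd, resource in targets.items():
        policies = {}
        add_iam_policy_binding(policies, resource, SA, "roles/editor")
        result[cmd] = {r for r in PARENT
                       if "roles/editor" in effective_roles(policies, SA, r)}
    return result


if __name__ == "__main__":
    for cmd, granted in compare_commands().items():
        print(f"gcloud {cmd} add-iam-policy-binding -> editor on {sorted(granted)}")
```

The first command reaches only the service account resource, the second every resource under the project (the service account included), and the third everything under the organization, which is why the blast radius of the three bindings differs so much even though the flags look identical.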