3
  1. I cannot get my head around what the difference between the two is. add-iam-policy-binding is binding a policy (defined in a role, including a custom role) to an IAM user (user, service account, group) for a project.

get-iam-policy/set-iam-policy also does the same, following the read-modify-write pattern.

So, what is the basic difference between the two? When should I use one over the other?

I have been reading - https://cloud.google.com/iam/docs/overview#permissions

  2. What permissions are required to run these commands? I get a permissions error for add-iam-policy-binding, but get/set-iam-policy works fine using a service account.

  3. Once I understand it, the objective is to create a group and add a user to it. To assign permissions to the group, create a role and add a binding to the project. Here, I am not sure how creating a role binding would give access to the group. Also, how do I achieve the latter part?

Thanks

peacefulmember
  • I think you are confused about command names. There is **add-iam-policy-binding** but no **add-iam-policy**. The command **set-iam-policy** is different from **add-iam-policy-binding**. Edit your question to use the correct command names. – John Hanley Aug 03 '21 at 23:22
  • @JohnHanley, thank you for the swift reply. I am surely confused. So there is no get-iam-policy-binding command. I have edited the question for better clarification. – peacefulmember Aug 04 '21 at 02:06

1 Answer

4

add-iam-policy-binding is some sugar to simplify read-modify-write into one user step. When the service was introduced, it was different from the other services in using this mechanism, and add was added by way of presenting a method that was more conventional.

add is limited to one identity*role binding at a time. But it may (?) retry if it can't make the change (if the etag has changed), whereas you can make multiple changes with get then set.

Beneath the covers, I assume(d), add does the get-modify-write dance for you, so I'm surprised that you can't use the same account to get, set and add. Please include the commands you ran and the output.

Groups are created in Google Groups and, I assume, Google Identity. Rather than prefixing identities with user: or serviceAccount:, you'd then use group: (if I recall correctly).

Update: the URL you're using is a definitive overview. I just checked it and group: is correct.

You can use `gcloud ... --log-http` to have the CLI show you its working (the underlying REST calls), and this should show add being decomposed into a get followed by a set. If it doesn't, it's achieving this some other way.

DazWilkin
  • @DazWilkin, gotcha. So, add-iam-policy-binding and get-iam-policy/set-iam-policy achieve the same results, where add is limited to one binding. I figured I was getting the error because for the add command I was using the project name instead of the project ID. For question #3, any thoughts on how to bind the role to the project, giving access to the group created (I am able to create the group), and what permissions are required to create the custom role at the organization level or to assign it to the project? I have created a service account to fulfil all these tasks. – peacefulmember Aug 04 '21 at 16:12
  • `add` ~== `get`+mutate+`set`, yes. – DazWilkin Aug 04 '21 at 17:13
  • For #3 you're going to want the equivalent of `gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=group:${GROUP_EMAIL} --role=projects/${PROJECT_ID}/roles/${ROLE_ID}`. Where `GROUP_EMAIL` is the email address of the Google Group and `ROLE_ID` is the ID of the custom role. **NB** only create custom roles if you absolutely must; it's (strongly) preferable to use a set of predefined roles – DazWilkin Aug 04 '21 at 17:24
  • In my scenario I want to give all permissions to the member but to exclude some high-level admin, org, security and similar permissions (I don't know all of them yet). With predefined roles, how can I achieve this? I could think of 1. creating a custom role (which comes with the drawback of maintaining a long list of permissions in it, so I'd have to split it into multiple roles I guess, as a role has a limit of 2500). – peacefulmember Aug 04 '21 at 18:03
  • OR 2. assigning the editor role and removing the permissions that I do not want to provide (probably looping through each permission) (again, I do not know how I can do it). Is there any other better way you have to suggest using predefined roles? Sorry about all these questions, as I am pretty new to GCP. – peacefulmember Aug 04 '21 at 18:03
  • This is more of a consultative than a programming question, so it's not best answered on Stack Overflow and not in a long comment thread. You should be able to find constituent roles (instead of using the catch-all `editor`) to address the need. It's much better to use a long list of constituent roles than it is to define a custom role, as you understand. If I've answered your question, please consider marking this as an answer to your question. That's how we get paid here ;-) – DazWilkin Aug 04 '21 at 18:40
  • What are constituent roles? Can you provide some guidelines or references? I would accept your answer as that answered my original question and more :-) – peacefulmember Aug 04 '21 at 19:13
  • See this list of roles (including the basic and predefined). Before IAM (~a few years ago), there were only the basic roles. After IAM, the emphasis is on using predefined (and custom). Basic roles remain, partly for compatibility reasons. Instead of using the broad swath "editor", you would probably be better placed using an (extensive) list of predefined roles. https://cloud.google.com/iam/docs/understanding-roles. Perhaps the rule should be, use custom roles as a last resort. – DazWilkin Aug 04 '21 at 19:36
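The read-modify-write cycle described in the answer above, as an added example in Python; it is not part of the original post and not gcloud's own code. `FakeIamServer` is a constructed stand-in for the IAM API's get/set calls and its etag check, the retry-on-conflict loop in `add_iam_policy_binding` is an assumption about how such a helper could behave rather than a statement about what gcloud does, and the identities, project ID and custom role ID are made up. It shows the three things the thread turns on: why a stale `set` is rejected, how `add` is one member and one role per call while `get` then `set` can carry several changes in one write, and the `group:` member form from the comment above.

```python
import copy
import secrets


class EtagMismatch(Exception):
    """Raised when set-iam-policy is given an etag older than the stored one."""


class FakeIamServer:
    """Constructed stand-in for the IAM API: get/set with an etag check (assumption).

    The point being modelled: a set with a stale etag is rejected, so two
    read-modify-write cycles cannot silently overwrite each other.
    """

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = secrets.token_hex(8)

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        if policy.get("etag") != self._policy["etag"]:
            raise EtagMismatch("policy changed since it was read; re-read and retry")
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = secrets.token_hex(8)
        return self.get_iam_policy()


def add_binding(policy, member, role):
    """The 'modify' step: grant member the role, creating the binding if needed.

    Adding a member that already holds the role is a no-op, so re-running it
    never produces duplicate entries.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def add_iam_policy_binding(server, member, role, max_attempts=3):
    """One member, one role: get, modify, set, as the answer says add does.

    Retrying from a fresh read on an etag conflict is this example's own
    choice (assumption), so another writer's change is kept, not clobbered.
    """
    for _ in range(max_attempts):
        current = server.get_iam_policy()
        try:
            return server.set_iam_policy(add_binding(current, member, role))
        except EtagMismatch:
            continue
    raise RuntimeError("gave up after repeated etag conflicts")


def members_of(policy, role):
    """Sorted members bound to role, or [] when no binding exists."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            return sorted(binding["members"])
    return []


# Constructed sample project policy; identities and role ID are made up.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
}
CUSTOM_ROLE = "projects/my-project/roles/myCustomRole"


def stale_write_then_retry():
    """A set based on an old read fails; the helper re-reads and lands the change."""
    server = FakeIamServer(SAMPLE_POLICY)
    stale = server.get_iam_policy()
    # another writer changes the policy between our get and our set
    add_iam_policy_binding(server, "user:bob@example.com", "roles/viewer")
    try:
        server.set_iam_policy(add_binding(stale, "user:carol@example.com", "roles/viewer"))
        rejected = False
    except EtagMismatch:
        rejected = True
    final = add_iam_policy_binding(server, "user:carol@example.com", "roles/viewer")
    return rejected, members_of(final, "roles/viewer")


def demo():
    """One-binding adds versus a single get/set carrying several changes."""
    server = FakeIamServer(SAMPLE_POLICY)
    # add-iam-policy-binding style: one member, one role per call; creates the binding
    add_iam_policy_binding(server, "group:devs@example.com", CUSTOM_ROLE)
    add_iam_policy_binding(server, "user:alice@example.com", "roles/viewer")  # no duplicate
    # get/set style: batch several changes into one write
    policy = server.get_iam_policy()
    policy = add_binding(policy, "serviceAccount:ci@my-project.iam.gserviceaccount.com", "roles/viewer")
    policy = add_binding(policy, "group:devs@example.com", "roles/logging.viewer")
    return server.set_iam_policy(policy)
```

Against the real API the same shape applies: `gcloud projects get-iam-policy` returns the JSON with its etag, you edit the bindings, and `set-iam-policy` carries the etag back so a concurrent change is detected instead of overwritten.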