Search code examples
restgoogle-cloud-platformamazon-iamservice-accounts

Adding roles to service accounts on Google Cloud Platform using REST API


I want to create a service account on GCP using a python script calling the REST API and then give it specific roles - ideally some of these, such as roles/logging.logWriter.

First I make a request to create the account which works fine and I can see the account in Console/IAM.
Second I want to give it the role and this seems like the right method. However, it is not accepting roles/logging.logWriter, saying HttpError 400, "Role roles/logging.logWriter is not supported for this resource.">
Conversely, if I set the desired policy in console, then try the getIamPolicy method (using the gcloud tool), all I get back is response etag: ACAB, no mention of the actual role I set. Hence I think these roles refer to different things.

Any idea how to go about scripting a role/scope for a service account using the API?


Solution

  • You can grant permissions to a GCP service account in a GCP project without having to rewrite the entire project policy!

    Use the gcloud projects add-iam-policy-binding ... command for that (docs).

    For example, given the environment variables GCP_PROJECT_ID and GCP_SVC_ACC the following command grants all privileges in the container.admin role to the chosen service account:

    gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
        --member=serviceAccount:${GCP_SVC_ACC} \
        --role=roles/container.admin
    

    To review what you've done:

    $ gcloud projects get-iam-policy $GCP_PROJECT_ID \
        --flatten="bindings[].members" \
        --format='table(bindings.role)' \
        --filter="bindings.members:${GCP_SVC_ACC}"
    

    Output:

    ROLE
    roles/container.admin
    

    (or more roles, if those were granted before)

    Notes:

    • The environment variable GCP_SVC_ACC is expected to contain the email notation for the service account.
    • Kudos to this answer for the nicely formatted readout.