Tags: node.js, google-cloud-platform, oauth-2.0, google-iam, google-cloud-iam

What should I do to retrieve specific role of user in my project from GCP IAM


I'm creating a Node.js server that uses Google OAuth2 for authenticating users. I have my project in my organization created in Google Cloud Platform, and I've set up OAuth2 so only users of my organization can be authorized to use the service. All users will be described as IAM members of the project, and so everyone will have a specific role and permissions granted for their role. Users can now be authenticated and authorized in my app with OAuth2 (only users of my organization). The problem is I have no clue how to retrieve their roles in my project from IAM. At first I used to think I only needed to pass specific scopes in the authorization methods (I am using Passport.js and GoogleStrategy). But then I realized that it can only be done after the user has been authorized, with a subsequent API request (is that even right?). I've read the IAM API documentation many times but only ended up with methods that allow me to retrieve arrays of presets of roles or policies or testable permissions or something created and used in my project. But I can't see any method allowing me to ask a service to retrieve a specific role and permissions for a user (by email or Google ID) and send it back to me, so my Node server gets to know what this user is allowed to do. Maybe I need to dig somewhere else...


Solution

  • You can use the CloudResourceManager service to retrieve a project's IAM policy. This will include project-specific (not inherited) role bindings: accounts (including users') and their IAM roles:

    https://cloud.google.com/resource-manager/reference/rest/v3/projects/getIamPolicy
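As an added example (not code from the answer above), here is how a Node.js server could fetch the project policy with `projects.getIamPolicy` and reduce it to the roles bound directly to the signed-in user's email. It assumes the `googleapis` package is installed, that Application Default Credentials are configured for an identity holding `resourcemanager.projects.getIamPolicy`, and that `projectId` and the sample policy are constructed placeholders.

```javascript
const CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';

// Fetch the project's IAM policy. Policy version 3 is requested so that
// bindings carrying IAM Conditions are returned instead of being hidden.
// Assumption: `googleapis` is installed and ADC is available at runtime;
// the require() is deferred so the helpers below can be used offline.
async function fetchProjectPolicy(projectId) {
  const { google } = require('googleapis');
  const auth = new google.auth.GoogleAuth({ scopes: [CLOUD_PLATFORM_SCOPE] });
  const crm = google.cloudresourcemanager({ version: 'v3', auth });
  const res = await crm.projects.getIamPolicy({
    resource: `projects/${projectId}`,
    requestBody: { options: { requestedPolicyVersion: 3 } },
  });
  return res.data;
}

// Return the roles bound to `user:<email>` at the project level.
// Unconditional bindings land in `roles`; bindings with a CEL condition are
// reported separately, since they may not apply at request time.
// Group, domain and inherited (folder/org) bindings are NOT expanded here, so
// an empty result does not prove the user lacks a role.
function rolesForUser(policy, email) {
  const member = `user:${email.trim().toLowerCase()}`;
  const roles = new Set();
  const conditional = [];
  for (const binding of policy.bindings || []) {
    const members = (binding.members || []).map((m) => m.toLowerCase());
    // Exact match only: this also skips "deleted:user:...?uid=..." entries.
    if (!members.includes(member)) continue;
    if (binding.condition) {
      conditional.push({ role: binding.role, title: binding.condition.title });
    } else {
      roles.add(binding.role);
    }
  }
  return { roles: [...roles].sort(), conditional };
}

// Constructed sample, shaped like a getIamPolicy response (not real data).
const SAMPLE_POLICY = {
  version: 3,
  etag: 'constructed-etag',
  bindings: [
    { role: 'roles/viewer', members: ['user:alice@example.com', 'group:devs@example.com'] },
    { role: 'roles/editor', members: ['user:Bob@example.com'] },
    { role: 'roles/owner', members: ['deleted:user:alice@example.com?uid=123'] },
    { role: 'roles/storage.objectViewer', members: ['user:alice@example.com'],
      condition: { title: 'temporary', expression: 'request.time < timestamp("2030-01-01T00:00:00Z")' } },
  ],
};
```

In the server, call `fetchProjectPolicy(projectId)` once per request (or cache it briefly) and pass the result with the OAuth2 profile's email to `rolesForUser`; treat anything in `conditional` as "maybe" and use `testIamPermissions` when a definitive answer for a specific permission is needed.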