`get-iam-policy`/`set-iam-policy` also does the same, following the read-modify-write pattern. So, what is the basic difference between the two? When to use one over the other?

I have been reading - https://cloud.google.com/iam/docs/overview#permissions

What permissions are required to run these commands? I get a permissions error for `add-iam-policy-binding`, but `get`/`set-iam-policy` works fine using a service account.

Once I understand it, the objective is to create a group and add a user to it. To assign permissions to the group, create a role and add a binding with the project. Here, I am not sure how creating a role binding would give access to the group? Also, how to achieve the latter part?

Thanks
`add-iam-policy-binding` is some sugar to simplify read-modify-write in one user step. When the service was introduced, it was different to the other services in using this mechanism, and `add` was added by way of presenting a method that was more conventional.

`add` is limited to one identity*role binding at a time. But, it may (?) retry if it can't make the change (if the etag has changed). Whereas you can make multiple changes with `get` then `set`.
Beneath the covers, I assume(d), `add` does the get-modify-write dance for you, so I'm surprised that you can't use the same account to `get`, `set` and `add`. Please include the commands you ran and the output.
Groups are created in Google Groups and, I assume, Google Identity. Rather than prefix identities with `user:` or `serviceAccount:`, you'd then use `group:` (if I recall correctly).
Update: the URL you're using is a definitive overview. I just checked it and `group:` is correct.
You can `gcloud ... --log-http` to have the CLI show you its working (underlying REST calls), and this should show `add` being decomposed into a `get` followed by a `set`. If it doesn't, it's achieving this some other way.