Given a Google Cloud Platform (GCP) service account $GCP_SERVICE_ACCOUNT_NAME, what is the proper way to grant users the:
$GCP_SERVICE_ACCOUNT_NAME
$GCP_SERVICE_ACCOUNT_NAME
using the GCP Cloud SDK (gcloud) instead of this page in the console?
In other words, if $GCP_SERVICE_ACCOUNT_NAME was created within GCP project $GCP_PROJECT_NAME:
gcloud iam service-accounts create $GCP_SERVICE_ACCOUNT_NAME \
--description=$GCP_SERVICE_ACCOUNT_DESCRIPTION \
--display-name=$GCP_SERVICE_ACCOUNT_NAME
#=>
Created service account [$GCP_SERVICE_ACCOUNT_NAME].
and was granted permissions through some curated role:
gcloud projects add-iam-policy-binding $GCP_PROJECT_NAME \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com" \
--role=$GCP_CURATED_ROLE
#=>
Updated IAM policy for project [$GCP_PROJECT_NAME].
bindings:
. . .
- members:
. . .
- serviceAccount:$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com
role: $GCP_CURATED_ROLE
. . .
. . .
etag: . . .
version: 1
what gcloud group(s) and command would grant users the permissions to deploy jobs & virtual machines with $GCP_SERVICE_ACCOUNT_NAME and the permission to administer $GCP_SERVICE_ACCOUNT_NAME?
The official GCP documentation for creating a service account using gcloud, found here, suggests an add-iam-policy-binding command that would "allow users to impersonate the service account":
gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME" \
--role="roles/iam.serviceAccountUser"
#=>
Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
- user:$GCP_USER_NAME
role: roles/iam.serviceAccountUser
etag: . . .
version: 1
with:
gcloud config list account --format="value(core.account)"
#=>
$GCP_USER_NAME
Does this mean that $GCP_USER_NAME is able to deploy jobs and virtual machines with $GCP_SERVICE_ACCOUNT_NAME, administer $GCP_SERVICE_ACCOUNT_NAME, or both?
Binding the roles/iam.serviceAccountUser curated role grants $GCP_USER_NAME_ALPHA the permissions to deploy jobs and virtual machines with $GCP_SERVICE_ACCOUNT_NAME:
gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME_ALPHA" \
--role="roles/iam.serviceAccountUser"
#=>
Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
- user:$GCP_USER_NAME_ALPHA
role: roles/iam.serviceAccountUser
etag: . . .
version: 1
Binding the roles/iam.serviceAccountAdmin curated role grants $GCP_USER_NAME_BETA the permission to administer $GCP_SERVICE_ACCOUNT_NAME:
gcloud iam service-accounts add-iam-policy-binding \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com \
--member="user:$GCP_USER_NAME_BETA" \
--role="roles/iam.serviceAccountAdmin"
#=>
Updated IAM policy for serviceAccount [$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com].
bindings:
- members:
- user:$GCP_USER_NAME_BETA
role: roles/iam.serviceAccountAdmin
etag: . . .
version: 1
If $GCP_SERVICE_ACCOUNT_NAME was created using the console (here) instead of gcloud, bindings can still be verified with:
gcloud iam service-accounts get-iam-policy \
$GCP_SERVICE_ACCOUNT_NAME@$GCP_PROJECT_NAME.iam.gserviceaccount.com
#=>
bindings:
- members:
- user:$GCP_USER_NAME_BETA
role: roles/iam.serviceAccountAdmin
- members:
- user:$GCP_USER_NAME_ALPHA
role: roles/iam.serviceAccountUser
etag: . . .
version: 1
The official GCP docs do mention both roles here, but don't use the same language found in the Service Account creation portion of the console. There also is not an "Equivalent COMMAND LINE" dialog on this page.
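To check the two classes of access the answer distinguishes (who can act as the service account versus who can administer it), here is an added shell example, not part of the question or answer, that classifies the flattened output of gcloud iam service-accounts get-iam-policy. The --flatten and --format flags are real gcloud flags; roles/iam.serviceAccountTokenCreator is a real role the post does not mention; the principals in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: split a service account's IAM
# policy into who can ACT AS it (deploy jobs/VMs as it, mint its tokens) and
# who can ADMINISTER it, and flag any principal that holds both. Input is the
# flattened output of (real gcloud flags; one "ROLE<TAB>MEMBER" line each):
#   gcloud iam service-accounts get-iam-policy "$SA_EMAIL" \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)" | audit_policy
# Roles whose holders can run workloads as, or get credentials for, the SA.
# serviceAccountTokenCreator is not in the post; it is a real impersonation role.
ACT_AS_ROLES="roles/iam.serviceAccountUser roles/iam.serviceAccountTokenCreator"
# Roles whose holders can change the SA and its IAM policy.
ADMIN_ROLES="roles/iam.serviceAccountAdmin"

# classify_role ROLE -> prints ACT_AS, ADMIN or OTHER
classify_role() {
  for r in $ACT_AS_ROLES; do [ "$1" = "$r" ] && { echo ACT_AS; return 0; }; done
  for r in $ADMIN_ROLES;  do [ "$1" = "$r" ] && { echo ADMIN;  return 0; }; done
  echo OTHER
}

# audit_policy: stdin = ROLE<TAB>MEMBER lines. Prints "CLASS MEMBER ROLE" per
# line, then "BOTH MEMBER" for each principal that is both ACT_AS and ADMIN
# (it could re-grant itself anything the SA holds); exits 1 if any is found.
audit_policy() {
  awk -F'\t' -v act="$ACT_AS_ROLES" -v adm="$ADMIN_ROLES" '
    BEGIN { n = split(act, a, " "); for (i = 1; i <= n; i++) is_act[a[i]] = 1
            n = split(adm, b, " "); for (i = 1; i <= n; i++) is_adm[b[i]] = 1 }
    NF == 2 {
      cls = ($1 in is_act) ? "ACT_AS" : (($1 in is_adm) ? "ADMIN" : "OTHER")
      print cls, $2, $1
      if (cls == "ACT_AS") act_m[$2] = 1
      if (cls == "ADMIN")  adm_m[$2] = 1
    }
    END { rc = 0
          for (m in adm_m) if (m in act_m) { print "BOTH", m; rc = 1 }
          exit rc }'
}

# Constructed sample standing in for real gcloud output (made-up principals).
sample_policy() {
  printf '%s\t%s\n' \
    roles/iam.serviceAccountAdmin        user:beta@example.com \
    roles/iam.serviceAccountUser         user:alpha@example.com \
    roles/iam.serviceAccountUser         group:deployers@example.com \
    roles/iam.serviceAccountTokenCreator user:beta@example.com
}

# Demo on the sample: sh audit_sa.sh --demo   (non-zero exit = finding)
if [ "${1:-}" = "--demo" ]; then sample_policy | audit_policy; fi
```

On the sample, alpha and the deployers group can only act as the account, while beta both administers it and can mint its tokens, which the script reports as a BOTH finding.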