How do I list all IAM users for my Google Cloud Project

25
votes

I'd like to be able to list all users and service account associated with my projects (preferably using the gcloud CLI tool, but happy to make an API call if needs be).

I can easily list all the service accounts associated with a project using this, but how can list all the users too? I'd expect something like the following, but I cannot see anything in the doco:

gcloud beta iam users list
6
google-cloud-platformgcloudgoogle-cloud-iam

6 Answers

36
votes

List all service accounts in a project

The following command lists all service accounts associated with a project:

$ gcloud iam service-accounts list

NAME                                    EMAIL
Compute Engine default service account  [email protected]
dummy-sa-1                              dummy-sa-1@MY_PROJECT.iam.gserviceaccount.com

List all Users and Service accounts in a project with their IAM roles

If you would like to list all users/service-accounts who have been granted any IAM roles on a specified project, you can use this command:

$ gcloud projects get-iam-policy MY_PROJECT

bindings:
- members:
  - serviceAccount:[email protected]
  - user:[email protected]
  role: roles/editor
- members:
  - user:[email protected]
  - user:[email protected]
  role: roles/owner
etag: ARBITRARY_ETAG_HERE
version: 1

Formatting the output

gcloud supports formatting the output as json and lot of other customizations as needed, which might be easier to parse in certain cases or print only the information you need.

Examples:

# Prints the output as json instead of the default yaml format
$ gcloud projects get-iam-policy MY_PROJECT --format=json

# Display just the bindings in json format
$ gcloud projects get-iam-policy MY_PROJECT --format='json(bindings)'

# Display the bindings in a flattened format
$ $ gcloud projects get-iam-policy MY_PROJECT --format='flattened(bindings)'
6
votes

list service accounts

$ gcloud iam service-accounts list

list members of roles for the project

$ gcloud projects get-iam-policy [project]

add/affect user to a role

$ gcloud projects add-iam-policy-binding [project] \
--member="user:[email protected]" \
--role="roles/iam.serviceAccountUser"

Remove user:

$ gcloud projects remove-iam-policy-binding [project] \
--member="user:[email protected]" \
--role="roles/iam.serviceAccountUser"

add/affect google-group to a role

$ gcloud projects add-iam-policy-binding [project] \
--member="group:[email protected]" \
--role="roles/storage.admin"
4
votes

Use the following command to get a clear view of all members belonging to a given project:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--flatten="bindings[].members" \
--format="table(bindings.members)"
2
votes

The following command will list all non-service accounts from the entire GCP organization:

gcloud organizations get-iam-policy ORGANIZATION_ID | grep user\: | sort | uniq

To get the organizaton ID

gcloud organizations list
2
votes

You can use search-all-iam-policies to list all the IAM policies for a project/folder/organization, and grep the users:

$ gcloud asset search-all-iam-policies --scope=projects/123 | grep user:

This will show you not only the users who are granted roles on the project itself but also the user who are granted roles in sub resources like compute instances or bigquery datasets.

You can change the scope to organizations/123 to search in the entire organization as long as you have the cloudasset.assets.searchAllIamPolicies permission upon the scope.

More details in another post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

1
votes

Unfortunately, there is no way to list all users using the

gcloud iam . . .

command tree; however, we are able to list all accounts under a Google Cloud Platform (GCP) project ($GCP_PROJECT_NAME) through the

gcloud projects get-iam-policy

command tree instead:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--flatten="bindings[].members" \
--format="value(bindings.members)" \
--sort-by=bindings.members | uniq

#=>

. . .
serviceAccount:$SOME_SERVICE_ACCOUNT
. . .
user:$SOME_USER
. . .

which includes piping any duplicate results though uniq.

Note: the above command is guaranteed to list all accounts associated with $GCP_PROJECT_NAME because every account has to have at least one role:

gcloud projects add-iam-policy-binding $ANOTHER_USER \
--member="user:${ANOTHER_USER}"

#=>

ERROR: (gcloud.projects.add-iam-policy-binding) argument --role: Must be specified.

If necessary, we can make use of the .flatten(), .slice() and .split() gcloud projections to get rid of the serviceAccount: and user: prefixes:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--flatten="bindings[].members" \
--format="value(bindings.members.split(':').slice(1:).flatten())" \
--sort-by=bindings.members | uinq

#=>

. . .
$SOME_SERVICE_ACCOUNT
. . .
$SOME_USER
. . .

More on gcloud projections here.

We can also filter this result using the --filter flag:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--filter="user" \
--flatten="bindings[].members" \
--format="value(bindings.members.split(':').slice(1:).flatten())" \
--sort-by=bindings.members | uniq

#=>

. . .
$SOME_USER
. . .

and:

gcloud projects get-iam-policy $GCP_PROJECT_NAME \
--filter="serviceAccount" \
--flatten="bindings[].members" \
--format="value(bindings.members.split(':').slice(1:).flatten())" \
--sort-by=bindings.members | uniq

#=>

. . .
$SOME_SERVICE_ACCOUNT
. . .