gcloud confusion around add-iam-policy-binding

11
votes

Following gcloud documentation

gcloud iam service-accounts

add an IAM policy binding to an IAM service account

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:

gcloud iam service-accounts add-iam-policy-binding \
 [email protected] \
 --member='serviceAccount:[email protected]' \
 --role='roles/editor'

gcloud projects add-iam-policy-binding

add IAM policy binding for a project

https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:

gcloud projects add-iam-policy-binding \
 [email protected] \
 --member='serviceAccount:[email protected]' \
 --role='roles/editor'

 gcloud organizations add-iam-policy-binding

add IAM policy binding for an organization

https://cloud.google.com/sdk/gcloud/reference/organizations/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account '[email protected]', run:

gcloud organizations add-iam-policy-binding \
 [email protected] \
 --member='serviceAccount:[email protected]' \
 --role='roles/editor'

Does anyone knows if those 3 commands are actually the same ?

Thanks in advance for your help.

Jonathan.

1
google-cloud-platformgcloud
I believe they are all distinct (and there is likely yet another command associated with folders). The first defines what role a given identity can have associated with working with a service account as a resource. The second says that the given identity will have the role for ALL resources owned by the project. The third says that the given identity will have the role for ALL resources owned by projects eventually owned by the organization.Kolban
Yes exactly for folder; but I did not put it since the example clearly use a folder id which make sens in that case unlike those examples above who do not use corresponding lvl ID (project, folder, organization)Jonathan Chevalier
I don't think your 2nd example is correct. You had gcloud projects add-iam-policy-binding [email protected] ... but that is a wrong parameter. It should be a PROJECT_ID. So, the right command should have been gcloud projects add-iam-policy-binding <PROJECT_ID> ... By the way, is the output of this 2nd example visible in GCP Console? I can't find it.Vincent Yin

1 Answers

16
votes

You have to read the command like this

gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>

The confusion comes from the duality of the service account (no quantum stuff, I promise!). Service account can be an identity and a resource.

You can grant someone to be editor on a service account and another one to be viewer of the service account -> Your first example, you grant the service account to be editor on itself. For example, it will be able to update its own description.

In your 2 other examples, you grant your service account (as an identity) to be editor on the resource project (all the resource of the project, the service account itself if it belong to this project) and organisation.

I hope it helps!