0 votes

Goal:
Using python, I want to create a service account in a project on the Google Cloud Platform and grant that service account one role.

Problem:
The docs explain here how to grant a single role to the service account. However, it seems to be only possible by using the Console or the gcloud tool, not with python. The alternative for python is to update the whole IAM policy of the project to grant the role for the single service account and overwrite it (described here). However, overwriting the whole policy seems quite risky because in case of an error the policy of the whole project could be lost. Therefore I want to avoid that.

Question:
I'm creating a service account using the python code provided here in the docs. Is it possible to grant the role already while creating the service account with this code or in any other way?


2 Answers

3 votes

Creating a service account, creating a service account key, downloading a service account JSON key file, and granting a role are separate steps. There is no single API to create a service account and grant a role at the same time.

Any time you update a project's IAM bindings, there is a risk. Google prevents multiple applications from updating IAM at the same time. It is possible to lock everyone (users and services) out of a project by overwriting the policy with no members.

I recommend that you create a test project and develop and debug your code against that project. Use credentials that have no permissions to your other projects. Otherwise use the CLI or Terraform to minimize your risks.

The API is very easy to use provided that you understand the API, IAM bindings, and JSON data structures.
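The read-modify-write that the answer warns about, as an added example that is not part of the original answer: the policy is fetched, one binding is added while every existing binding and the etag are preserved, and a check refuses to apply an update that would drop members, empty the bindings, or use a stale etag. The sample policy, member names, project id and etag are constructed; `grant_role` assumes google-api-python-client and Application Default Credentials and is not run here.

```python
import copy

# Constructed sample: what a projects.getIamPolicy call might return for a
# project (not real data). The etag is what setIamPolicy compares against the
# server copy to reject concurrent edits.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructedEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Every other binding, and the etag, is carried over unchanged so that the
    later setIamPolicy only adds the one grant the caller asked for.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def lost_members(original, updated):
    """List (role, member) pairs present in `original` but missing from `updated`.

    An empty list means the update is purely additive; anything else means the
    write is about to remove an existing grant.
    """
    def as_set(policy):
        return {(b["role"], m)
                for b in policy.get("bindings", [])
                for m in b.get("members", [])}
    return sorted(as_set(original) - as_set(updated))


def check_before_apply(original, updated):
    """Refuse a policy that drops members, has no bindings, or changed its etag."""
    if not updated.get("bindings"):
        raise ValueError("refusing a policy with no bindings (would lock everyone out)")
    if updated.get("etag") != original.get("etag"):
        raise ValueError("etag changed; re-read the policy before applying")
    dropped = lost_members(original, updated)
    if dropped:
        raise ValueError(f"update would remove existing grants: {dropped}")
    return True


def grant_role(project_id, role, member):
    """Read-modify-write against the live Cloud Resource Manager API (assumed setup).

    Assumes google-api-python-client is installed and Application Default
    Credentials are configured; not executed in the offline checks.
    """
    from googleapiclient import discovery  # lazy import so the helpers above run without it

    crm = discovery.build("cloudresourcemanager", "v1")
    original = crm.projects().getIamPolicy(resource=project_id, body={}).execute()
    updated = add_binding(original, role, member)
    check_before_apply(original, updated)
    # The server rejects the write if the etag no longer matches its copy.
    return crm.projects().setIamPolicy(resource=project_id, body={"policy": updated}).execute()


if __name__ == "__main__":
    sa = "serviceAccount:demo-sa@my-project.iam.gserviceaccount.com"  # constructed
    new_policy = add_binding(SAMPLE_POLICY, "roles/storage.objectViewer", sa)
    check_before_apply(SAMPLE_POLICY, new_policy)
    print(new_policy)
```

Keeping the etag from the fetched policy is what turns the overwrite into a conditional update: if another tool changed the policy between the read and the write, the server rejects the write instead of silently losing that change, and the caller re-reads and retries.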

0 votes

As mentioned in John's answer, you should be very careful when manipulating the IAM module; if something goes wrong, it could leave services completely inoperable. Here is a Google document which manipulates the IAM resources using the REST API.

The owner role can be granted to a user, serviceAccount, or a group that is part of an organization. For example, [email protected] could be added as an owner to a project in the myownpersonaldomain.com organization, but not the examplepetstore.com organization.