27

If I go to "IAM & admin" in the google cloud console and select the "IAM" tab on the left I see a list of users (username@mydomain).

How do I list these users with gcloud? And how do I see what access a user has been given with gcloud?

I have not been able to find out how to do this in the terrible google docs.

5 Answers

26

I believe you'll find some answers on this Stack Overflow thread. Good luck! The docs took me a bit to grok, too. Usually assembling search engine strings like gcloud [title of console tool I was trying to find a CLI version of] seems to work.

EDIT, 3 years later!

The command you're looking for is get-iam-policy:

gcloud projects get-iam-policy <project-id> # Example: gcloud projects get-iam-policy my-fancy-project 

This is assuming, of course, that the IAM permissions are assigned to the users at the project level. You may also want to use get-ancestors-iam-policy, which includes project AND inherited roles from the folder and org levels:

gcloud projects get-ancestors-iam-policy <project-id> # Example: gcloud projects get-ancestors-iam-policy my-fancy-project 

EDIT 2: Props to @jelle-den-burger for following up about the get-ancestors-iam-policy command, added in v311.0.0 in Sept 2020.


3 Comments

Small detail: this does not include permissions inherited from the folder & organization level. So the IAM user interface in Google Cloud Console and whatever gcloud returns might not be the same.
update: they thought about it. See my answer below.
I think this command lists the members and the roles, not my individual permissions
10

The initial question was asking about permissions, but I can only see answers listing roles and there is a difference between roles and permissions. For the sake of future visitors (like me :) ) I will add an additional command.

Explanation of the difference:

Permissions in GCP are allowing access to the specific type of the resource and a role is a group of such permissions. e.g. the Editor role has all the permissions that the Viewer role has and also additional ones allowing to manage networking, instances, etc.

compute.instances.create is a permission allowing to create an instance. roles/Editor is a role containing this permission. Assigning role gives a permission for the user to the resource.

Solution:

Listing roles can be done by the commands mentioned by Jelle den Burger or ingernet ( gcloud projects get-ancestors-iam-policy <project-id> ), but if you want to know more specifically what kind of permissions the user has, you need to dig deeper. With my short research, I was able to find only this command describing what permissions a role contains:

gcloud iam roles describe [ROLE]

example gcloud iam roles describe roles/spanner.databaseAdmin

So you would have to write a short shell script to connect those two commands, the first one listing user roles, the second one listing permissions of the roles. The outcome will be a list of permissions the user has.

Comments

6

The accepted answer is correct and you do indeed get the permissions. But when you look into the Google Cloud Console online, there might be many more permissions applied, coming from the Folder & Organizations level.

Luckily Google thought about this and they also offer a get-ancestors-iam-policy command. You use it as such:

gcloud projects get-ancestors-iam-policy <project-id> # Example: gcloud projects get-ancestors-iam-policy my-fancy-project 

It will return all permissions: on the Project, Folder, and Organization level, just as you would in the Google Cloud Console.

1 Comment

This is awesome, thanks! Looks like they added that command in Sept 2020, a few months after my update to my answer.
5

jq is very helpful if you want to know which permissions a particular entity has in a project policy without reading what can be a large document.

gcloud projects get-iam-policy my-fancy-project --format=json | jq '.bindings[] | select(.members[] | contains("serviceAccount:theServiceAccount")) | .role'

  1. Display the project IAM policy as JSON: gcloud projects get-iam-policy my-fancy-project --format=json
  2. Pipe it into jq.
  3. For all bindings in the document: .bindings[]
  4. Select the binding if the entity exists in the members list: select(.members[] | contains("serviceAccount:theServiceAccount"))
  5. Extract the binding's role: .role

Several answers here also explain the difference between a project's policy and how permissions are granted from ancestors such as folders and orgs. You should read those, too!

The query for policies including ancestors would be

gcloud projects get-ancestors-iam-policy my-fancy-project --format=json | jq '.[].policy.bindings[] | select(.members[] | contains("serviceAccount:theServiceAccount")) | .role'

Comments

0

I came up with 2 bash functions based on @Mr.TK's answer, to list permissions based on roles and print only that specific role. I don't have ancestors here so please feel free to query ancestors' permissions according to other answers.

# Print the role of every binding in the project policy (YAML output), one per line.
gcloud-get-roles() {
    gcloud projects get-iam-policy <your-fancy-project> | grep "role:" | awk '{print $2}'
}

# With no argument: list every permission of every role.
# With an argument: list only roles (and their permissions) matching that pattern.
gcloud-list-permissions() {
    allPerm=
    if [ -z "$*" ]; then
        echo "Listing all permissions"
        allPerm=true
    else
        echo "Listing permissions containing $*"
    fi
    while IFS= read -r role; do
        # Custom roles (projects/... or organizations/...) need --project/--organization
        # for `gcloud iam roles describe`, so they are skipped here.
        if [[ "$role" =~ ^projects/.* ]] || [[ "$role" =~ ^organizations/.* ]]; then
            echo "Wrong role: $role, should not start with 'projects/' or 'organizations/'"
            continue
        fi
        if [ "$allPerm" == "true" ]; then
            echo "Role: $role"
            gcloud iam roles describe "$role" | grep -E "^- "
        else
            if gcloud iam roles describe "$role" | grep "$*" > /dev/null; then
                echo "Role: $role"
                gcloud iam roles describe "$role" | grep "$*"
            fi
        fi
    done <<< "$(gcloud-get-roles)"
}

Example output with arguments (you can of course use it without, which will list all permissions; you can then grep in that):

$ gcloud-list-permissions iap
Listing permissions containing iap
Wrong role: projects/xxx, should not start with 'projects/' or 'organizations/
Role: roles/editor
- iap.projects.getSettings
- iap.projects.updateSettings
- iap.tunnelDestGroups.create
- iap.tunnelDestGroups.delete
- iap.tunnelDestGroups.get
- iap.tunnelDestGroups.list
- iap.tunnelDestGroups.update
- iap.web.getSettings
- iap.web.updateSettings
...

It will take a while to get results as roles are passed one by one to the 2nd function, but at least we save manual work.

Comments
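The answers above describe the pieces separately: get-iam-policy (or get-ancestors-iam-policy) gives role bindings per member, gcloud iam roles describe gives the permissions inside each role, and the jq and bash answers show one way to join them. The script below is an added example, not code from any of the answers, that joins them offline. It parses the JSON shapes that gcloud emits with --format=json (a policy object with bindings; a list of {type, id, policy} entries for ancestors; includedPermissions in a role description) using constructed sample data, so all project ids, member names and role contents here are made up and abbreviated. Two details differ from the jq answer on purpose: members are matched by exact equality rather than substring containment (so a similarly named service account is not counted by mistake), and a binding that carries an IAM condition is flagged, since such a grant only applies when the condition evaluates true. The describe_with_gcloud helper shows the real CLI call you would plug in for a live run; deny policies and custom project roles are outside what this example handles.

```python
"""Resolve the permissions a member effectively holds from IAM policy JSON.

Added example (not from the Stack Overflow answers). Input shapes mirror
`gcloud projects get-iam-policy PROJECT --format=json`,
`gcloud projects get-ancestors-iam-policy PROJECT --format=json`, and
`gcloud iam roles describe ROLE --format=json`. All data below is constructed.
"""
import json
import subprocess

# Constructed sample: what get-ancestors-iam-policy might return for a project
# nested in one folder and one organization.
ANCESTOR_POLICIES_JSON = """
[
  {"type": "project", "id": "my-fancy-project",
   "policy": {"bindings": [
     {"role": "roles/viewer",
      "members": ["user:alice@example.com",
                  "serviceAccount:deploy@my-fancy-project.iam.gserviceaccount.com"]},
     {"role": "roles/spanner.databaseAdmin",
      "members": ["serviceAccount:deploy@my-fancy-project.iam.gserviceaccount.com"],
      "condition": {"title": "weekdays-only",
                    "expression": "request.time.getDayOfWeek() < 6"}}
   ]}},
  {"type": "folder", "id": "123456",
   "policy": {"bindings": [
     {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]}
   ]}},
  {"type": "organization", "id": "987654",
   "policy": {"bindings": [
     {"role": "roles/editor", "members": ["user:alice@example.com"]}
   ]}}
]
"""

# Constructed, heavily abbreviated stand-in for `gcloud iam roles describe` output.
# Real predefined roles contain far more permissions than listed here.
ROLE_DESCRIPTIONS = {
    "roles/viewer": {"includedPermissions": ["compute.instances.get", "compute.instances.list"]},
    "roles/editor": {"includedPermissions": ["compute.instances.get", "compute.instances.list",
                                             "compute.instances.create"]},
    "roles/logging.viewer": {"includedPermissions": ["logging.logEntries.list"]},
    "roles/spanner.databaseAdmin": {"includedPermissions": ["spanner.databases.get",
                                                            "spanner.databases.update"]},
}


def from_ancestors_json(text):
    """get-ancestors-iam-policy JSON -> list of (scope, policy) pairs."""
    return [(f"{e['type']}/{e['id']}", e["policy"]) for e in json.loads(text)]


def from_project_json(text, project_id):
    """Single get-iam-policy JSON document -> one (scope, policy) pair."""
    return [(f"project/{project_id}", json.loads(text))]


def roles_for_member(policies, member):
    """Return {role: [scope, ...]} for every binding that names `member` exactly.

    Exact equality avoids the substring pitfall of `contains(...)`; bindings
    with an IAM condition are kept but their scope is tagged "(conditional)".
    """
    found = {}
    for scope, policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                label = scope + (" (conditional)" if "condition" in binding else "")
                found.setdefault(binding["role"], []).append(label)
    return found


def permissions_for_roles(roles, describe):
    """Union of includedPermissions over `roles`; `describe(role)` returns a describe dict."""
    perms = set()
    for role in roles:
        perms.update(describe(role).get("includedPermissions", []))
    return perms


def effective_permissions(policies, member, describe):
    """(roles-with-scopes, sorted permission list) for one member."""
    roles = roles_for_member(policies, member)
    return roles, sorted(permissions_for_roles(roles, describe))


def describe_with_gcloud(role):
    """Live lookup for a predefined role via the gcloud CLI (needs gcloud + credentials;
    custom roles under projects/... additionally require --project)."""
    out = subprocess.check_output(["gcloud", "iam", "roles", "describe", role, "--format=json"])
    return json.loads(out)


if __name__ == "__main__":
    policies = from_ancestors_json(ANCESTOR_POLICIES_JSON)
    for member in ("user:alice@example.com",
                   "serviceAccount:deploy@my-fancy-project.iam.gserviceaccount.com"):
        roles, perms = effective_permissions(policies, member, ROLE_DESCRIPTIONS.__getitem__)
        print(member)
        for role, scopes in roles.items():
            print(f"  {role}  <- {', '.join(scopes)}")
        for p in perms:
            print(f"    {p}")
```

For a live run, replace ROLE_DESCRIPTIONS.__getitem__ with describe_with_gcloud and feed the output of the gcloud get-ancestors-iam-policy command from the answers above into from_ancestors_json; the conditional flag is the thing to watch, because a conditional binding shows up in the console and in the policy JSON even when its condition currently denies the grant.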
