如何在 GCP 中列出包含给定权限的所有 IAM 角色

Question

After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.

At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles . I search for the permission, then scroll up to the see the role name and all the other permissions in that role.

It works but is slow for what must be a common task.

Is there a better web page or a gcloud api command that would work better.

Answer 1

The GCP documentation offers a (huge) page that allows you to identify the different roles that grant them.

In addition to the page you cited you can later, using the gcloud CLI, describe a role and see the different permissions it grants. For example:

gcloud iam roles describe roles/iam.roleViewer

The command will output:

description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer

AFAIK, the gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.

Answer 2

Based on GCP documentation one can check the pre-defined roles given a permission