Following gcloud documentation
add an IAM policy binding to an IAM service account
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding
To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:
gcloud iam service-accounts add-iam-policy-binding \
test-proj1@example.domain.com \
--member='serviceAccount:test-proj1@example.domain.com' \
--role='roles/editor'
add IAM policy binding for a project
https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding
To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:
gcloud projects add-iam-policy-binding \
test-proj1@example.domain.com \
--member='serviceAccount:test-proj1@example.domain.com' \
--role='roles/editor'
add IAM policy binding for an organization
https://cloud.google.com/sdk/gcloud/reference/organizations/add-iam-policy-binding
To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:
gcloud organizations add-iam-policy-binding \
test-proj1@example.domain.com \
--member='serviceAccount:test-proj1@example.domain.com' \
--role='roles/editor'
Does anyone know if those 3 commands are actually the same?
Thanks in advance for your help.
Jonathan.
You have to read the command like this
gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
The confusion comes from the duality of the service account (no quantum stuff, I promise). A service account can be an identity and a resource.
You can grant someone to be editor on a service account and another one to be viewer of the service account -> In your first example, you grant the service account to be editor on itself. For example, it will be able to update its own description.
In your 2 other examples, you grant your service account (as an identity) to be editor on the resource project (all the resources of the project, the service account itself if it belongs to this project) and organisation.
I hope it helps!
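As an added illustration of the answer above (example code, not part of the question or the answer), the script below models the three commands as one binding each on three different resources and computes, through the organization -> project -> service account hierarchy, where the member ends up holding the role. The resource names and the policy contents are constructed; their shape mimics the "bindings" list that `gcloud ... get-iam-policy --format=json` returns.

```python
# Constructed example: same member and role, bound on three different resources.
SA = "serviceAccount:test-proj1@example.domain.com"

# Resource hierarchy, child -> parent (None for the root). Names are made up.
PARENT = {
    "organizations/123456": None,
    "projects/my-project": "organizations/123456",
    "projects/other-project": "organizations/123456",
    "serviceAccounts/test-proj1@example.domain.com": "projects/my-project",
}

# One policy per resource, each as left by a single add-iam-policy-binding call.
POLICIES = {
    # example 1: gcloud iam service-accounts add-iam-policy-binding ...
    "serviceAccounts/test-proj1@example.domain.com": {
        "bindings": [{"role": "roles/editor", "members": [SA]}]},
    # example 2: gcloud projects add-iam-policy-binding ...
    "projects/my-project": {
        "bindings": [{"role": "roles/editor", "members": [SA]}]},
    # example 3: gcloud organizations add-iam-policy-binding ...
    "organizations/123456": {
        "bindings": [{"role": "roles/editor", "members": [SA]}]},
}

def direct_roles(policies, resource, member):
    """Roles granted to member by the policy attached directly to resource."""
    bindings = policies.get(resource, {}).get("bindings", [])
    return {b["role"] for b in bindings if member in b.get("members", [])}

def effective_roles(policies, resource, member):
    """Roles member holds on resource: direct grants plus grants inherited from
    every ancestor (IAM policies are additive down the resource hierarchy)."""
    roles, node = set(), resource
    while node is not None:
        roles |= direct_roles(policies, node, member)
        node = PARENT[node]
    return roles

def binding_scope(policies, resource, member):
    """All resources on which member holds a role because of the policy
    attached to `resource` alone, i.e. the blast radius of that one binding."""
    only = {resource: policies[resource]}
    return sorted(r for r in PARENT if effective_roles(only, r, member))

if __name__ == "__main__":
    for res in POLICIES:
        print(f"binding on {res} grants editor on: {binding_scope(POLICIES, res, SA)}")
```

Run as written, it shows the service-account binding reaching only the service account itself, the project binding reaching the project and every resource under it, and the organization binding reaching everything, including projects the service account does not belong to.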