stackoom
  简体   繁体   中英

gcloud confusion around add-iam-policy-binding

 原文  2020-05-18 17:24:02       google-cloud-platform/ gcloud

Question

Following gcloud documentation

gcloud iam service-accounts

add an IAM policy binding to an IAM service account

https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

gcloud iam service-accounts add-iam-policy-binding \
 test-proj1@example.domain.com \
 --member='serviceAccount:test-proj1@example.domain.com' \
 --role='roles/editor'

gcloud projects add-iam-policy-binding

add IAM policy binding for a project

https://cloud.google.com/sdk/gcloud/reference/projects/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

gcloud projects add-iam-policy-binding \
 test-proj1@example.domain.com \
 --member='serviceAccount:test-proj1@example.domain.com' \
 --role='roles/editor'

gcloud organizations add-iam-policy-binding

add IAM policy binding for an organization

https://cloud.google.com/sdk/gcloud/reference/organizations/add-iam-policy-binding

Example section

To add an IAM policy binding for the role of 'roles/editor' to the service account 'test-proj1@example.domain.com', run:

gcloud organizations add-iam-policy-binding \
 test-proj1@example.domain.com \
 --member='serviceAccount:test-proj1@example.domain.com' \
 --role='roles/editor'

Does anyone knows if those 3 commands are actually the same?

Thanks in advance for your help.

Jonathan.

1 answers

solution1
 16  2020-05-18 20:02:39

You have to read the command like this

gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>

The confusion comes from the duality of the service account (no quantum stuff, I promise.). Service account can be an identity and a resource.

You can grant someone to be editor on a service account and another one to be viewer of the service account -> Your first example, you grant the service account to be editor on itself. For example, it will be able to update its own description.

In your 2 other examples, you grant your service account (as an identity) to be editor on the resource project (all the resource of the project, the service account itself if it belong to this project) and organisation.

I hope it helps!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question suppress bindings output from gcloud projects add-iam-policy-binding command What is the source of this error? ERROR: (gcloud.run.services.add-iam-policy-binding) NOT_FOUND: Requested entity was not found How attach a GCP IAM policy to a resource with gcloud command tool? Error when trying to get-iam-policy gcloud gcloud pubsub on node.js - how to set IAM policy Unable to add iam policy binding to service account using Google deployment manager How to add IAM policy binding to a service account using Google Cloud Deployment Manager? How to add Gcloud consoles' IPs into organization policy? How we can add user under IAM in gcp through gcloud? in gcloud console iam how can I add roles to groups?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM