LinuxCommandLibrary

gcloud-iam

Manage Google Cloud IAM resources and policies

TLDR

List IAM grantable roles for a resource

$ gcloud iam list-grantable-roles [resource]

Create a custom role for an organization or project
$ gcloud iam roles create [role_name] --[organization|project] [organization|project_id] --file [path/to/role.yaml]

Create a service account for a project
$ gcloud iam service-accounts create [name]

Add an IAM policy binding to a service account
$ gcloud iam service-accounts add-iam-policy-binding [service_account_email] --member [member] --role [role]

Replace existing IAM policy binding
$ gcloud iam service-accounts set-iam-policy [service_account_email] [policy_file]

List a service account's keys
$ gcloud iam service-accounts keys list --iam-account [service_account_email]

SYNOPSIS

gcloud iam [arguments] [options]

Examples of common subcommands and their typical usage:
roles : Manage custom IAM roles.
service-accounts : Manage service accounts and their keys.
policies : Manage IAM policies on resources.
workload-identity-pools : Manage Workload Identity Federation pools.

PARAMETERS

--format=FORMAT
    Sets the output format, e.g., 'json', 'yaml', 'table', 'text'. Crucial for scripting.

--project=PROJECT_ID
    The Google Cloud project ID or number to operate on. Essential for scoping IAM changes.

--impersonate-service-account=SERVICE_ACCOUNT_EMAIL
    The service account email to use for authentication, useful for automated tasks.

--log-http
    Shows the HTTP requests and responses made by the command for debugging.

--quiet | -q
    Suppresses user prompts, making commands suitable for non-interactive scripts.

--account=ACCOUNT
    The user account or service account to use for authentication instead of the default.

DESCRIPTION

gcloud iam is not a single executable but a command group within the gcloud CLI, dedicated to managing Google Cloud Identity and Access Management (IAM) resources directly from the command line. IAM is a cornerstone Google Cloud service that defines who (identity) has what access (role) to which resource, giving granular control over cloud assets.

This command group provides an extensive interface for interacting with various IAM components, including custom roles, service accounts, service account keys, and IAM policies. Users can seamlessly create, update, delete, and list these resources, as well as manage the binding of members to roles on different Google Cloud resources like projects, folders, or organizations. It is indispensable for automating IAM configurations, scripting access control changes, and integrating security practices into CI/CD pipelines. The gcloud iam commands significantly simplify complex IAM operations, enabling administrators and developers to maintain precise control over resource access across their Google Cloud environments.

CAVEATS

Using gcloud iam requires proper authentication and sufficient IAM permissions for the operations being performed (e.g., iam.roles.create, iam.serviceAccounts.delete, resourcemanager.projects.setIamPolicy).

Changes to IAM policies, especially complex ones, might experience a short propagation delay across Google Cloud services before becoming fully effective. When updating policies, be cautious with commands like set-iam-policy as they replace the entire policy; prefer add-iam-policy-binding or remove-iam-policy-binding for incremental changes to avoid unintended overwrites.
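As an added illustration of that caveat (example code written for this page, not part of gcloud itself), the following Python models the two update paths on a constructed policy document shaped like the JSON that get-iam-policy returns. The etag, member and role values are made-up placeholders; the etag check mirrors the optimistic-concurrency behaviour of set-iam-policy.

```python
"""Model gcloud's IAM policy update semantics on a constructed policy document."""
import copy
import json

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwX-example-etag=",  # placeholder, not a real etag
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]},
    ],
}


def add_binding(policy, member, role):
    """Incremental update, as add-iam-policy-binding does: every existing binding is kept."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def members_dropped_by_replace(current, replacement):
    """(role, member) pairs that set-iam-policy with `replacement` would silently revoke."""
    def pairs(policy):
        return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}
    return sorted(pairs(current) - pairs(replacement))


def apply_set_policy(current, replacement):
    """Simulate set-iam-policy: the etag must match the stored policy or the write is rejected."""
    if replacement.get("etag") != current["etag"]:
        raise RuntimeError("etag mismatch: policy changed since it was read; re-read and retry")
    return copy.deepcopy(replacement)


if __name__ == "__main__":
    # A hand-written policy file that lists only the one binding its author cared about.
    partial_file = {"version": 1, "etag": CURRENT_POLICY["etag"],
                    "bindings": [{"role": "roles/viewer", "members": ["user:bob@example.com"]}]}
    print("set-iam-policy would revoke:", members_dropped_by_replace(CURRENT_POLICY, partial_file))
    merged = add_binding(CURRENT_POLICY, "user:bob@example.com", "roles/viewer")
    print("add-iam-policy-binding keeps:", json.dumps(merged["bindings"], indent=2))
```

Running it shows that the partial file would revoke both pre-existing grants, while the incremental path only appends the new member.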

COMMON USE CASES

  • Creating and managing custom IAM roles for specific organizational needs.
  • Automating the creation, deletion, and management of service accounts for applications and services.
  • Granting or revoking granular permissions at the project, folder, or organization level.
  • Scripting policy updates and auditing IAM configurations across resources.
  • Managing Workload Identity Federation for external identities.

REQUIRED PERMISSIONS

Operations within gcloud iam generally require specific IAM permissions:

  • For roles: iam.roles.create, iam.roles.delete, iam.roles.update.
  • For service accounts: iam.serviceAccounts.create, iam.serviceAccounts.delete, iam.serviceAccountKeys.create.
  • For policies on projects: resourcemanager.projects.getIamPolicy, resourcemanager.projects.setIamPolicy. Similar permissions exist for folders and organizations.

HISTORY

The gcloud iam command group evolved as Google Cloud's Identity and Access Management capabilities matured, moving from simpler access control lists to a highly granular and flexible permission system. Its initial release provided core functionalities for managing policies and service accounts. Over time, it expanded significantly with new subcommands to support advanced features like custom roles, Workload Identity Federation, and robust service account key management. Its development mirrors the increasing demand for detailed cloud resource access control, continuously receiving updates and improvements as part of the broader gcloud CLI lifecycle, ensuring a consistent and powerful interface for identity management.

SEE ALSO

gcloud auth(1), gcloud projects(1), gcloud organizations(1), gcloud beta(1), gcloud alpha(1)
