LinuxCommandLibrary

gcloud-iam

Manage Google Cloud IAM resources and policies

TLDR

List IAM grantable roles for a resource

$ gcloud iam list-grantable-roles [resource]

Create a custom role for an organization or project
$ gcloud iam roles create [role_name] --[organization|project] [organization|project_id] --file [path/to/role.yaml]

Create a service account for a project
$ gcloud iam service-accounts create [name]

Add an IAM policy binding to a service account
$ gcloud iam service-accounts add-iam-policy-binding [service_account_email] --member [member] --role [role]

Replace existing IAM policy binding
$ gcloud iam service-accounts set-iam-policy [service_account_email] [policy_file]

List a service account's keys
$ gcloud iam service-accounts keys list --iam-account [service_account_email]
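As an added example (not part of this reference and not gcloud's own code), the script below works on an IAM policy in the JSON shape that `gcloud iam service-accounts get-iam-policy [service_account_email] --format=json` returns: it flags bindings granted to the public members `allUsers` and `allAuthenticatedUsers`, and emits a cleaned policy suitable for the `set-iam-policy` step above while keeping the etag so a concurrent change is rejected rather than overwritten. The sample policy, principal names and etag are constructed.

```python
import json
from typing import Any

# Constructed sample in the shape returned by
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
# All names and the etag are made up for this example.
SAMPLE_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ123abc=",
  "version": 1
}"""

# Members that grant a role to every identity on the internet, or to every
# Google-authenticated identity, rather than to a named principal.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def find_public_bindings(policy: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (role, member) pairs where a role is granted to a public member."""
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]


def remove_public_members(policy: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the policy with public members stripped and any binding
    left empty dropped. The etag is preserved: set-iam-policy then fails if the
    policy changed since it was read, instead of silently overwriting it."""
    cleaned = json.loads(json.dumps(policy))  # deep copy keeps etag and version
    bindings = [{**b, "members": [m for m in b.get("members", [])
                                  if m not in PUBLIC_MEMBERS]}
                for b in cleaned.get("bindings", [])]
    cleaned["bindings"] = [b for b in bindings if b["members"]]
    return cleaned


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)
    for role, member in find_public_bindings(policy):
        print(f"public grant: {member} -> {role}")
    # Save this output to a file and pass it to set-iam-policy to apply it.
    print(json.dumps(remove_public_members(policy), indent=2))
```

Running it against a real policy means replacing SAMPLE_POLICY_JSON with the output of get-iam-policy; the printed JSON is the policy file expected by set-iam-policy.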

SYNOPSIS

gcloud iam SUBCOMMAND [RESOURCE] [GLOBAL-FLAG …]

PARAMETERS

--account
    Google Cloud account to use for invocation.

--configuration
    Active configuration to use.

--flags-file
    File path of Google Cloud CLI flags.

--flatten
    Flatten names of subfields (JSON output).

--format
    Output format (e.g., table, json, yaml).

--help
    Display detailed help.

--impersonate-service-account
    Impersonate service account for this command.

--log-http
    Log all HTTP server interactions.

--project
    ID of the Google Cloud project to use for this invocation.

--quiet
    Disable most output and prompts.

--trace-token
    Trace token for Cloud Logging.

--user-output-enabled
    Print user-intended output to stdout.

--verbosity
    Verbosity level: debug, info, warning, error, critical.

--version
    Show version and exit.

DESCRIPTION

The gcloud iam command group is part of the Google Cloud CLI (Command Line Interface), a powerful tool for interacting with Google Cloud Platform (GCP) services. It provides commands to manage Identity and Access Management (IAM) resources, which control access to GCP projects, APIs, and resources.

Key functionalities include creating, listing, updating, and deleting service accounts; generating and managing service account keys; setting, getting, and testing IAM policies; and verifying permissions. IAM enables least-privilege access, supporting built-in roles like Owner, Editor, and Viewer as well as custom roles.

For example, administrators use it to grant fine-grained permissions without sharing user credentials. It integrates with other gcloud groups like compute, storage, and container for resource-specific IAM. Authentication is required via gcloud auth login or service account keys.

This command is essential for DevOps, security teams, and developers automating access control in CI/CD pipelines or infrastructure as code. Always apply the principle of least privilege to minimize security risk.

CAVEATS

Requires Google Cloud SDK installed and authenticated. Some operations need project owner permissions. Rate limits apply to API calls. Use --dry-run where available to preview changes.

MAIN SUBCOMMANDS

service-accounts: Create/list/delete service accounts.
service-account-keys: Create/list/delete keys.
policies: Set/get/list IAM policies.
workload-identity-policies: Manage Workload Identity.
test-iam-permissions: Test permissions on resources.

EXAMPLES

gcloud iam service-accounts list: List service accounts.
gcloud projects add-iam-policy-binding PROJECT --member=user:email --role=roles/ROLE: Add policy binding.

HISTORY

Introduced in Google Cloud SDK v100+ (2015) alongside IAM launch. Evolved with GCP IAM features like custom roles (2017), policy bindings improvements, and integration with Workload Identity Federation (2020). Actively maintained for new GCP services.

SEE ALSO

gcloud auth(1), gsutil iam(1), id(1)
