
I'm setting up a service account to access a CloudSQL DB from GKE. I've created both the GSA and the KSA, and have executed the command to associate the two (gcloud iam service-accounts add-iam-policy-binding...). How do I inspect the bindings to ensure that my invocation has succeeded? I would have thought there would be a command like gcloud iam service-accounts list-iam-policy-binding ... to display the status.

  • Do you mean **gcloud iam service-accounts get-iam-policy**? With IAM you can add a binding to a policy. To check (read) the bindings, read the policy and process each binding. – John Hanley Dec 02 '21 at 03:07
  • Yes! I wonder why that option is not listed in the help... – Lowell Boone Dec 02 '21 at 16:19

1 Answer


A service account can be treated as a resource or an identity. This answer applies to service accounts as a resource.

Access control for Google Cloud resources is managed by Identity and Access Management (IAM) policies, which are attached to resources. Each resource can have only one IAM policy.

An IAM resource policy manages the permissions granted to a member on a resource. These grants are called bindings. A binding consists of a member, a role, and optionally a condition.

The CLI command gcloud iam service-accounts add-iam-policy-binding adds a binding to a policy.

To view the bindings assigned to a resource, read the policy. The command gcloud iam service-accounts get-iam-policy reads the policy.

John Hanley
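The check the answer describes, as an added example rather than code from the post: read the policy with `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json` and walk its bindings looking for the Workload Identity grant. The role `roles/iam.workloadIdentityUser` and the member form `serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]` are the standard ones GKE Workload Identity uses; the project, namespace, KSA name and policy contents in the sample are constructed, not taken from the question.

```python
"""Verify a GSA's IAM policy contains the Workload Identity binding for a KSA.

Real run:  gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json \
             | python3 check_wi_binding.py PROJECT_ID NAMESPACE KSA_NAME
No arguments: evaluates the constructed SAMPLE_POLICY below.
"""
import json
import sys

# Role that add-iam-policy-binding grants so a KSA can impersonate the GSA.
WI_ROLE = "roles/iam.workloadIdentityUser"


def ksa_member(project_id: str, namespace: str, ksa_name: str) -> str:
    """Member string GKE Workload Identity uses for a Kubernetes service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def roles_for_member(policy: dict, member: str) -> dict:
    """Map role -> condition (None if unconditional) for every binding naming `member`."""
    found = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            found[binding["role"]] = binding.get("condition")
    return found


def has_workload_identity_binding(policy: dict, project_id: str, namespace: str, ksa_name: str) -> bool:
    """True only if the KSA holds roles/iam.workloadIdentityUser with no condition attached."""
    roles = roles_for_member(policy, ksa_member(project_id, namespace, ksa_name))
    return WI_ROLE in roles and roles[WI_ROLE] is None


# Constructed sample in the shape of `get-iam-policy --format=json` output (not real data).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["serviceAccount:my-project.svc.id.goog[default/cloudsql-ksa]"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "CONSTRUCTED-ETAG=",
    "version": 1,
}

if __name__ == "__main__":
    if len(sys.argv) == 4:
        project, ns, ksa = sys.argv[1:4]
        policy = json.load(sys.stdin)          # piped gcloud output
    else:
        project, ns, ksa, policy = "my-project", "default", "cloudsql-ksa", SAMPLE_POLICY
    ok = has_workload_identity_binding(policy, project, ns, ksa)
    print(f"{ksa_member(project, ns, ksa)} -> {WI_ROLE}: {'present' if ok else 'MISSING'}")
    sys.exit(0 if ok else 1)
```

A non-zero exit on a missing or conditional binding makes the check usable as a gate in a deployment pipeline.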