
I recently read about conditions in GCP and how one can use them to add logic to a role. I would like to give a user a role to assign roles to service accounts. But if I do that, the user will also be able to invite other users to the project and that I do not want.

I experimented with things like:

gcloud projects add-iam-policy-binding <project> --member="user:useremail@gmail.com" --role="roles/accesscontextmanager.policyEditor" --condition='title="allow_admin_service_user_only",expression=resource.name.startsWith("iam.googleapis.com/projects/project/serviceAccounts")'
gcloud projects add-iam-policy-binding <project> --member="user:useremail@gmail.com" --role="roles/iam.roleAdmin" --condition='title="allow_admin_service_user_only",expression=resource.name.startsWith("iam.googleapis.com/projects/project/serviceAccounts")'

Tried multiple other roles as well but they all fail with the same exact error:

ERROR: (gcloud.projects.add-iam-policy-binding) User [user@gmail.com] does not have permission to access projects instance [project:setIamPolicy] (or it may not exist): Policy update access denied.

Question is: is it possible to allow editing/adding/revoking roles only on service accounts? And if yes, how?

  • I do not know the answer to creating a condition on a service account. However, if you could, your strategy would fail. The condition allows the user to change IAM roles on the service account, which means they could then use the service account to bypass the condition you are trying to enforce. Depending on where the condition is placed (ORG, Folder, Project), the service account might then be able to remove the condition. – John Hanley Dec 14 '21 at 00:12

1 Answer

The error that you are facing is, in most cases, caused by the required API not being enabled for your GCP project. To solve that, first of all, you are going to need an API key. There are 3 options to get it:

1.- Ask a security admin to create an API key for you.

2.- Ask a security admin to grant you access to the project so that you can create an API key in the same project that the API is associated with.

3.- Ask a security admin to grant you access to enable the API in your own Google Cloud project so that you can create an API key.

Once you have it, follow the next steps:

1.- In the Cloud Console, go to APIs & services for your project.

2.- On the Library page, click Private APIs. If you don't see the API listed, that means you haven't been granted access to enable the API.

3.- Click the API you want to enable. If you need help finding the API, use the search field.

4.- In the page that displays information about the API, click Enable.

The following URL has GCP’s official documentation for that process: Enabling an API in your Google Cloud project. Plus, I recommend ensuring that you have the Security Admin role for IAM.

Now, talking about the roles for the Service Accounts, it looks like you already tested all the existing roles and none of them meets your needs. So, you can try Custom Roles, which means roles designed in detail by you. To create a custom role, you can access it right from the screen that shows up after you created the Service Accounts; in the “Select Role” pick list field, select the “Manage Roles” option, and in the following screen you are going to see the “+Create Role” button in blue text. There you are going to be able to create a custom role that meets your requirements. In the following URLs, I’m sharing with you GCP’s official information to understand Service Accounts and Roles.
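As an added defender-side example (not part of the question, the comment or the answer above): a small Python audit that reads an exported project IAM policy and flags bindings that let a principal change IAM on the project itself rather than only on service accounts, which is exactly the grant the question wants to avoid. It assumes the JSON layout produced by `gcloud projects get-iam-policy PROJECT --format=json`, a constructed sample policy, an assumed list of roles that carry project-level `setIamPolicy`, and that service-account resource names seen by IAM conditions take the form `//iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/...` (note the leading `//`, which the commands in the question omit). The audit only understands a single `resource.name.startsWith(...)` clause; anything else is reported for human review.

```python
"""Audit an exported GCP project IAM policy for bindings that grant
project-wide IAM administration instead of service-account-only scope."""
import json
import re

# Roles whose permissions include resourcemanager.projects.setIamPolicy, i.e.
# the ability to add any principal to the project. Assumed list for this
# example; extend it from `gcloud iam roles describe ROLE` in a real audit.
PROJECT_IAM_ADMIN_ROLES = {
    "roles/owner",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.securityAdmin",
}

# Assumed resource-name form that IAM conditions see for service accounts:
#   //iam.googleapis.com/projects/PROJECT_ID/serviceAccounts/SA_ID
SA_RESOURCE_PREFIX = "//iam.googleapis.com/projects/"

# The single CEL shape this audit understands: resource.name.startsWith("...")
STARTSWITH_RE = re.compile(r'^resource\.name\.startsWith\("([^"]*)"\)$')


def condition_scopes_to_service_accounts(expression):
    """True only if the expression is one startsWith() clause whose literal
    prefix denotes service-account resources (leading // included)."""
    m = STARTSWITH_RE.match(expression.strip())
    if not m:
        return False  # more complex expressions need human review
    prefix = m.group(1)
    return prefix.startswith(SA_RESOURCE_PREFIX) and "/serviceAccounts" in prefix


def find_project_wide_iam_grants(policy):
    """Return (member, role, reason) tuples for bindings that hand out
    project-level IAM administration without a service-account scope.

    Even a correctly scoped grant deserves review: a holder who can set IAM on a
    service account can grant themselves token-creator on it and act with the
    service account's own roles, the point raised in the comment above."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in PROJECT_IAM_ADMIN_ROLES:
            continue
        condition = binding.get("condition")
        if condition is None:
            reason = "unconditional binding"
        else:
            expression = condition.get("expression", "")
            if condition_scopes_to_service_accounts(expression):
                continue  # scoped to service accounts, not flagged
            reason = "condition not recognised as service-account scope: " + expression
        for member in binding["members"]:
            findings.append((member, role, reason))
    return findings


# Constructed sample policy in the shape of `gcloud projects get-iam-policy
# PROJECT --format=json` (conditions require policy version 3).
SAMPLE_POLICY_JSON = """{
  "version": 3,
  "etag": "BwXexample=",
  "bindings": [
    {"role": "roles/iam.serviceAccountAdmin",
     "members": ["user:ops@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["user:dev@example.com"],
     "condition": {"title": "sa_only",
       "expression": "resource.name.startsWith(\\"//iam.googleapis.com/projects/example-project/serviceAccounts/\\")"}},
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]},
    {"role": "roles/iam.securityAdmin",
     "members": ["user:dev@example.com"],
     "condition": {"title": "sa_only_typo",
       "expression": "resource.name.startsWith(\\"iam.googleapis.com/projects/example-project/serviceAccounts\\")"}}
  ]
}"""


def audit_sample():
    """Run the audit over the constructed sample policy."""
    return find_project_wide_iam_grants(json.loads(SAMPLE_POLICY_JSON))


if __name__ == "__main__":
    for member, role, reason in audit_sample():
        print(f"{member}\t{role}\t{reason}")
```

Run against a real export with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and feed the parsed file to `find_project_wide_iam_grants`; the binding with the `//`-less prefix is reported because such a condition never matches a service-account resource name under the assumed format, so the grant is mis-scoped rather than protective.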