How do I list all IAM users for my Google Cloud Project

野的像风 2020-12-08 21:38

I'd like to be able to list all users and service accounts associated with my projects (preferably using the gcloud CLI tool, but happy to make

5 Answers
  • 2020-12-08 22:01

    List all service accounts in a project

    The following command lists all service accounts associated with a project:

    $ gcloud iam service-accounts list
    
    NAME                                    EMAIL
    Compute Engine default service account  12345678-compute@developer.gserviceaccount.com
    dummy-sa-1                              dummy-sa-1@MY_PROJECT.iam.gserviceaccount.com
    

    List all Users and Service accounts in a project with their IAM roles

    If you would like to list all users/service-accounts who have been granted any IAM roles on a specified project, you can use this command:

    $ gcloud projects get-iam-policy MY_PROJECT
    
    bindings:
    - members:
      - serviceAccount:12345678-compute@developer.gserviceaccount.com
      - user:alice@foobar.com
      role: roles/editor
    - members:
      - user:you@yourdomain.com
      - user:someoneelse@yourdomain.com
      role: roles/owner
    etag: ARBITRARY_ETAG_HERE
    version: 1
    

    Formatting the output

    gcloud supports formatting the output as JSON and a lot of other customizations as needed, which might be easier to parse in certain cases or print only the information you need.

    Examples:

    # Prints the output as json instead of the default yaml format
    $ gcloud projects get-iam-policy MY_PROJECT --format=json
    
    # Display just the bindings in json format
    $ gcloud projects get-iam-policy MY_PROJECT --format='json(bindings)'
    
    # Display the bindings in a flattened format
    $ gcloud projects get-iam-policy MY_PROJECT --format='flattened(bindings)'
    
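An added example (not part of any answer on this page, and not Google's code): a Python script that inverts the `--format=json` policy shown above into a per-member view and flags bindings a reviewer would want to look at. The sample policy is constructed, and the trusted domain `yourdomain.com`, the finding categories and all function names are assumptions of this example.

```python
import json
import sys

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape printed by `get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/editor", "members": [
    "serviceAccount:12345678-compute@developer.gserviceaccount.com",
    "user:alice@foobar.com"]},
  {"role": "roles/owner", "members": ["user:you@yourdomain.com"]},
  {"role": "roles/storage.objectViewer", "members": [
    "allUsers", "deleted:user:bob@yourdomain.com?uid=1234"]}
], "etag": "ARBITRARY_ETAG_HERE", "version": 1}""")

def split_member(member):
    """Return (kind, identity); covers 'allUsers' and 'deleted:' members."""
    if member.startswith("deleted:"):
        kind, _, ident = member[len("deleted:"):].partition(":")
        return "deleted-" + kind, ident.split("?uid=")[0]
    kind, sep, ident = member.partition(":")
    return (kind, ident) if sep else ("special", member)

def roles_by_member(policy):
    """Invert the role -> members bindings into member -> sorted roles."""
    inverted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            inverted.setdefault(member, set()).add(binding["role"])
    return {m: sorted(r) for m, r in inverted.items()}

def findings(policy, trusted_domains):
    """List (member, reason) pairs that deserve a reviewer's attention."""
    out = []
    for member, roles in sorted(roles_by_member(policy).items()):
        kind, ident = split_member(member)
        if kind == "special":
            out.append((member, "public principal"))
        elif kind.startswith("deleted-"):
            out.append((member, "deleted principal still bound"))
        elif kind == "user" and ident.rpartition("@")[2] not in trusted_domains:
            out.append((member, "user outside trusted domains"))
        out += [(member, "basic role " + r) for r in roles if r in BASIC_ROLES]
    return out

if __name__ == "__main__":
    # Optional argument: saved --format=json policy. Trusted domain is assumed.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, why in findings(policy, {"yourdomain.com"}):
        print(f"{why:30} {member}")
```

To audit a real project, save the output of `gcloud projects get-iam-policy MY_PROJECT --format=json` to a file and pass its path as the first argument.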
  • 2020-12-08 22:11

    The following command can give a clear view of the MEMBERS of your project within the GCP account:

    gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --format="table(bindings.members)"

  • 2020-12-08 22:14

    The following command will list all non-service accounts from the entire GCP organization:

    gcloud organizations get-iam-policy ORGANIZATION_ID | grep user\: | sort | uniq
    

    To get the organization ID:

    gcloud organizations list
    
  • 2020-12-08 22:15

    list service accounts

    $ gcloud iam service-accounts list
    

    list members of roles for the project

    $ gcloud projects get-iam-policy [project]
    

    add/affect user to a role

    $ gcloud projects add-iam-policy-binding [project] \
    --member="user:name@gmail.com" \
    --role="roles/iam.serviceAccountUser" 
    

    Remove user:

    $ gcloud projects remove-iam-policy-binding [project] \
    --member="user:name@gmail.com" \
    --role="roles/iam.serviceAccountUser"
    

    add/affect google-group to a role

    $ gcloud projects add-iam-policy-binding [project] \
    --member="group:my_group@googlegroups.com" \
    --role="roles/storage.admin"
    
  • 2020-12-08 22:24

    You can use search-all-iam-policies to list all the IAM policies for a project/folder/organization, and grep the users:

    $ gcloud beta asset search-all-iam-policies --scope=projects/123 | grep user:
    

    This will show you not only the users who are granted roles on the project itself but also the users who are granted roles in sub-resources like compute instances or BigQuery datasets.

    You can change the scope to organizations/123 to search in the entire organization as long as you have the cloudasset.assets.searchAllIamPolicies permission upon the scope.

    More details in another post: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
