multiple --role for `gcloud iam service-accounts add-iam-policy-binding`

To add multiple IAM policies via gcloud, one must run multiple commands. For example:

```
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
--member='[MEMBER]' \
--role='[ROLE_1]'

gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
--member='[MEMBER]' \
--role='[ROLE_2]'
```

It would be much more efficient to allow for multiple `--role` parameters (or multiple values for `--role`).

For example:

```
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
--member='[MEMBER]' \
--role='[ROLE_1]' \
--role='[ROLE_2]'
```

Or multiple values for the CLI flag:

```
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_EMAIL] \
--member='[MEMBER]' \
--role='[ROLE_1]' '[ROLE_2]'
```


Greetings @nick-youngblut,

Thank you for your suggestion. You can file this as a feature request in Google Cloud's Issue Tracker.

As a workaround, you can create a script instead. You can use the following code below (I have tested this and it worked):

1. Create the script: `nano roles.sh`

```
#!/bin/bash

# Define the service account email, change the xxxxx
SERVICE_ACCOUNT_EMAIL="xxxxx"

# Define the roles that you want in an array
roles=(
    "roles/editor"
    "roles/iam.serviceAccountUser"
)

# Loop through each role and assign it to the service account
for role in "${roles[@]}"; do
    gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
        --role="$role" \
        --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL"
done
```

2. Add permission to the script file: `chmod +x roles.sh`

3. Execute the script: `./roles.sh`

Please let me know if that was helpful. Thank you! 😃

While a script can work, one must then write a script instead of a self-contained bash command. Also, one should check for errors in each iteration of the loop, which you do not include in your example; I'm guessing that many users would forget to include error checks, but such error checks can be built into `gcloud iam service-accounts add-iam-policy-binding` for multiple --role values.

chmod +x roles.sh

MSH

The executable can prompt you for things like dynamic conditions which throws a wrench in the scripting department.
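
Added example, not code from any reply in this thread: a POSIX shell function that covers the two gaps raised above, checking the result of every binding and passing `--condition=None --quiet` so gcloud does not stop to ask about conditions. The function name `bind_roles` is hypothetical, and it assumes unconditional bindings are what you want.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
#
# bind_roles SERVICE_ACCOUNT_EMAIL MEMBER ROLE [ROLE...]
#   Prints each role that could not be bound, one per line, on stdout.
#   Progress messages go to stderr.
#   Returns 0 if every binding succeeded, 1 if any failed, 2 on bad usage.
bind_roles() (
    # The body runs in a subshell, so these variables do not leak to the caller.
    if [ "$#" -lt 3 ]; then
        echo "usage: bind_roles SERVICE_ACCOUNT_EMAIL MEMBER ROLE [ROLE...]" >&2
        exit 2
    fi
    sa=$1
    member=$2
    shift 2
    status=0
    for role in "$@"; do
        # --condition=None: add an unconditional binding rather than being
        #   prompted to pick a condition when the policy already has some.
        # --quiet: gcloud-wide flag that disables interactive prompts.
        # gcloud prints the updated policy on stdout; discard it so stdout
        # carries only the list of failed roles.
        if gcloud iam service-accounts add-iam-policy-binding "$sa" \
               --member="$member" \
               --role="$role" \
               --condition=None \
               --quiet >/dev/null; then
            echo "bound: $role" >&2
        else
            echo "FAILED: $role" >&2
            echo "$role"
            status=1
        fi
    done
    exit "$status"
)

# Usage (placeholders as in the original post):
#   bind_roles '[SERVICE_ACCOUNT_EMAIL]' '[MEMBER]' '[ROLE_1]' '[ROLE_2]' || exit 1
```

The loop keeps going after a failure so the output lists every role that was not applied; bindings that did succeed stay in place, so review the policy afterwards if the return code is 1.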