← IAM423 / 640

hardgcloud

Grant workload identity access so a Kubernetes SA can impersonate a Google SA

command

gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --role roles/iam.workloadIdentityUser --member MEMBER

also accepted

gcloud iam service-accounts add-iam-policy-binding

Command breakdown

Part of the Google Cloud CLI (gcloud) — IAM category.

gcloudiamservice-accountsadd-iam-policy-bindingSA_EMAIL--roleroles/iam.workloadIdentityUser--memberMEMBER

Flag	Purpose
`--role`	Boolean flag
`--member`	Boolean flag

More IAM commands

Create a custom IAM role from a YAML definition filegcloud iam roles create devReadRole --project=my-project --file=role-definition.yaml
List all custom IAM roles defined in a specific projectgcloud iam roles list --project PROJECT_ID
Show the permissions and metadata for a specific IAM rolegcloud iam roles describe ROLE_ID
Create a custom IAM role in a project from a YAML permissions filegcloud iam roles create ROLE_ID --project PROJECT_ID --file YAML_FILE
Add one or more permissions to an existing custom IAM role in a projectgcloud iam roles update ROLE_ID --project PROJECT_ID --add-permissions PERMISSION
Copy an existing IAM role to create a new custom role in a destination projectgcloud iam roles copy --source SOURCE_ROLE --destination DEST_ROLE --dest-project PROJECT_ID
Revoke a specific IAM role from a member on a projectgcloud projects remove-iam-policy-binding PROJECT_ID --member MEMBER --role ROLE
Replace the entire IAM policy on a project with a policy defined in a JSON filegcloud projects set-iam-policy PROJECT_ID POLICY_FILE

See all IAM commands →

← prev next →

More IAM commands →Full cheat sheet →

Test your recall — not just your reading.

Practice with interactive quiz →