I'm setting up a service account to access a CloudSQL DB from GKE. I've created both the GSA and the KSA, and have executed the command to associate the two (gcloud iam service-accounts add-iam-policy-binding...
). How do I inspect the bindings to ensure that my invocation has succeeded? I would have thought there would be a command like gcloud iam service-accounts list-iam-policy-binding ...
to display the status.
A service account can be treated as a resource or an identity. This answer applies to service accounts as a resource.
Access control for Google Cloud resources is managed by Identity and Access Management (IAM) policies, which are attached to resources. Each resource can have only one IAM policy.
IAM resource policy manages permissions granted to a member for a resource. These are called bindings. A binding consists of a member, role, and optionally a condition.
The CLI command gcloud iam service-accounts add-iam-policy-binding adds a binding to a policy.
To view the bindings assigned to a resource, read the policy. The command gcloud iam service-accounts get-iam-policy reads the policy.