In the Google Cloud GUI console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.
I then ran this command:
gcloud iam service-accounts get-iam-policy my-service-account@mydomain.iam.gserviceaccount.com
and saw this output:
etag: ACAB
According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".
How do I list the roles associated with a service account?
EDIT: Thanks to the excellent answer to this question I can now loop over all projects and get what I want. So, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:
# --format='value(projectId)' prints bare project IDs, without the table header row
gcloud projects list --format='value(projectId)' | \
xargs -I % sh -c "echo ""; echo project:% && \
gcloud projects get-iam-policy % \
--flatten='bindings[].members' \
--format='table(bindings.role)' \
--filter='bindings.members:YOUR-SERVICE-ACCOUNT@blah.com' \
;"
To filter on a specific service account, the following gcloud command does the trick:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"
Gives the nice output:
ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer
The format param can of course be tweaked to suit your specific needs.
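
An added example, not part of the original question or answer: the same lookup done over policy documents shaped like `get-iam-policy --format=json` output, showing why the service account's own policy (only an etag) yields no roles while the project policies do. All project IDs, members and the condition below are constructed sample data, and `roles_for_member` / `roles_across_projects` are hypothetical helper names.

```python
SA = "my-service-account@mydomain.iam.gserviceaccount.com"

# Policy on the service account resource itself, as in the question: etag only.
SA_RESOURCE_POLICY = {"etag": "ACAB"}

# Constructed project policies keyed by project ID.
PROJECT_POLICIES = {
    "project-a": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:" + SA, "user:alice@example.com"]},
        {"role": "roles/cloudtrace.agent", "members": ["serviceAccount:" + SA]},
        # Similar name, different account: must not be reported for SA.
        {"role": "roles/editor", "members": [
            "serviceAccount:my-service-account-2@mydomain.iam.gserviceaccount.com"]},
    ]},
    "project-b": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:" + SA],
         "condition": {"title": "constructed-condition",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ]},
    "project-c": {"bindings": [
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ]},
}

def roles_for_member(policy, email):
    """Return sorted (role, condition title or None) pairs bound to the account."""
    wanted = "serviceAccount:" + email          # exact member string, no substring match
    found = set()
    for binding in policy.get("bindings", []):  # an etag-only policy has no bindings
        if wanted in binding.get("members", []):
            title = (binding.get("condition") or {}).get("title")
            found.add((binding["role"], title))
    return sorted(found, key=lambda pair: (pair[0], pair[1] or ""))

def roles_across_projects(policies, email):
    """Map project ID -> role pairs, omitting projects with no binding for the account."""
    result = {}
    for project_id, policy in policies.items():
        roles = roles_for_member(policy, email)
        if roles:
            result[project_id] = roles
    return result

if __name__ == "__main__":
    print("service account resource policy:", roles_for_member(SA_RESOURCE_POLICY, SA))
    for project_id, roles in roles_across_projects(PROJECT_POLICIES, SA).items():
        for role, condition in roles:
            print(project_id, role, "(conditional: %s)" % condition if condition else "")
```

Reporting the condition title alongside the role matters when auditing, since a conditional binding grants the role only while its expression holds.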