I noticed that my gcloud projects get-iam-policy {project_id} --format=json gave a slightly different result compared to the IAM list in the GCP management console, when the same project is set.
For example, I am expecting a few principals to have roles like "viewer", "Storage Admin", "Tag Administrator", "Tag User", "Project Mover" based on the console. Those are not shown in the output of the gcloud CLI. I logged in to my work account in the console, so I am sure that both have equal permissions.
Next, I ran the gcloud command again but this time setting project_id to org_id. I could get some of the mentioned roles above from other projects.
What have I done incorrectly? Or could it be a GCP bug?
[Update] As requested, here is a censored sample showing the difference between CLI result and GCP Console. In the CLI formatted result, I filtered the list down to all roles that are associated to my org, folder and project, because some roles are inheritable and I just want to make sure all are captured. On the other hand, the GCP console is set specifically to my project.
So logically, the GCP console result should be a subset of the more complete CLI result. But some roles (boxed in red) are not present in the CLI result.
I thought maybe this was a role-specific issue, so I unfiltered my CLI result. I could see other users/principals having that role.
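The comparison described in the update above, as an added example that is not part of the original post: `gcloud projects get-iam-policy` returns only the bindings set on the project itself, so the script unions the organization, folder and project policies and reports console roles that none of them bind. All resource IDs, principals and policies are constructed, and it assumes the console role titles have already been translated to role IDs.

```python
import json
from collections import defaultdict

# Constructed sample policies, shaped like `get-iam-policy --format=json` output.
SAMPLE_POLICIES = [
    ("organizations/000000000000", json.loads("""{"bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]}]}""")),
    ("folders/111111111111", json.loads("""{"bindings": [
        {"role": "roles/resourcemanager.tagUser", "members": ["user:alice@example.com"],
         "condition": {"title": "constructed", "expression": "true"}}]}""")),
    ("projects/example-project", json.loads("""{"bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:alice@example.com", "group:ops@example.com"]}]}""")),
]
# Constructed list of what the console shows, already translated to role IDs.
CONSOLE_ROLES = {"user:alice@example.com": {
    "roles/viewer", "roles/storage.admin", "roles/resourcemanager.tagUser",
    "roles/resourcemanager.projectMover"}}

def effective_bindings(policies):
    """Return {member: {role: [resources granting it]}} over the whole hierarchy."""
    granted = defaultdict(lambda: defaultdict(list))
    for resource, policy in policies:
        for binding in policy.get("bindings", []):
            # Tag conditional bindings: they grant the role only when the condition holds.
            source = resource + (" (conditional)" if "condition" in binding else "")
            for member in binding.get("members", []):
                granted[member][binding["role"]].append(source)
    return granted

def missing_from_cli(console_roles, granted):
    """Roles the console lists for a member that no collected policy binds directly."""
    missing = {}
    for member, roles in console_roles.items():
        absent = sorted(r for r in roles if r not in granted.get(member, {}))
        if absent:
            missing[member] = absent
    return missing

if __name__ == "__main__":
    granted = effective_bindings(SAMPLE_POLICIES)
    for member, roles in sorted(granted.items()):
        for role, sources in sorted(roles.items()):
            print(f"{member}\t{role}\t{', '.join(sources)}")
    print("missing:", missing_from_cli(CONSOLE_ROLES, granted))
```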
The issue you are currently observing, that gcloud gave a slightly different result compared to that of the IAM list in the GCP console, might be due to permissions issues. Also ensure that you are using the same credentials. For the custom role in a Project, try running:
Or
UPDATE:
Try running