How to accurately determine which Services/API need to be enabled given a list of permissions?

Google Cloud Compute Infrastructure
1

Given a Service Account that is assigned a Custom Role with a large number of permissions (All of them are readonly, so it’s basically a subset of the Viewer Role)

How would I go about determining all the Services/APIs that need to be enabled from the permissions granted to ensure that the permissions can actually be used?

I tried using the services.get method from the ServiceUsage API and that method does return a list of APIs it supports for some Services while for others that list is not available. Moreover I’m unable to accurately map the APIs supported to the permissions.

Any ideas would be greatly appreciated.

2

“Method: services.list” [1] can lists all services available to the specified project, and the current state of those services with respect to the project. The list includes all public services, all services for which the calling user has the servicemanagement.services.bind permission, and all services that have already been enabled on the project.

[1] https://cloud.google.com/service-usage/docs/reference/rest/v1/services/list

3

Thanks for your reply but unfortunately it does not address my question at all.

Let me provide an extremely simplified example

I create a Custom Role with the following 3 permissions

compute.instances.get
redis.instances.get
storage.buckets.get

I then create a Service Account and grant the Service Account the aforementioned Custom Role.

The next step is to validate that the services corresponding to these permissions are also enabled in the project or enable them if they are not.

Now in this case this is easy to do manually and I conclude that I need to ensure the following 3 services are enabled

compute.googleapis.com
redis.googleapis.com
storage.googleapis.com

Now imagine if that Custom Role had hundreds of permissions instead of just 3. How would you go about ensuring that all required services are enabled?

4

I checked public documentation and internal documentation; There is no way to see 1:1 what API are enabled that the Service Account has access to. If you would like we can open a feature request [1]. However, there is no ETA on when and if the feature will be implemented. For now, you would have to cross reference all APIs that are enabled or not. Additionally, if you have a list of APIs you want to enable in batch, you can use “Method: services.batchEnable” [2].

[1] https://issuetracker.google.com/

[2] https://cloud.google.com/service-usage/docs/reference/rest/v1/services/batchEnable