I can ask for the details of a service account with

gcloud iam service-accounts describe <SA-email> --project=<PROJECT>

This will give the description, display name, OAuth client, etc. But it will fail with an error if I try to look for information on default, Google-generated accounts. For instance,

gcloud iam service-accounts get-iam-policy <project_number>@cloudbuild.gserviceaccount.com

fails with

ERROR: (gcloud.iam.service-accounts.get-iam-policy) NOT_FOUND: Unknown service account

This is true for any gcloud action that attempts to peer into a particular service account that Google auto-generated.

This is frustrating for us because we have a centralized project that we use for services that we want to be shared across our environments, like our Artifact Registry. We need to give cross-project access to those auto-generated accounts beyond the default values.

We are able to give access, via Terraform or GCP's Config Connector. But we're not able to observe the state in any scriptable way.

Does anyone know how gcloud can be used to peer into the workings of Google auto-generated service accounts?

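One scriptable way to observe the state from the resource side instead of the account side, as an added example that is not part of the question or any answer: read the shared project's IAM policy with `gcloud projects get-iam-policy --format=json` and filter the bindings whose members are service accounts not owned by that project, which is where the Google-generated accounts from other environments show up. The project ids, project numbers and sample bindings below are constructed assumptions.

```python
import json
import re
import subprocess
from collections import defaultdict

# Google-generated accounts carry the owning project NUMBER in the local part, e.g.
# 123@cloudbuild.gserviceaccount.com or service-123@gcp-sa-x.iam.gserviceaccount.com.
_PROJECT_NUMBER = re.compile(r"^(?:service-)?(\d+)(?:-compute)?@")

def load_policy(project_id):
    """Fetch the live IAM policy with gcloud (needs auth; the sample below is used offline)."""
    out = subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"])
    return json.loads(out)

def foreign_sa_grants(policy, project_id):
    """Map each service account that is NOT a user-managed SA of project_id to its
    sorted roles: the Google-generated accounts gcloud cannot describe, seen from
    the resource side."""
    own_domain = f"@{project_id}.iam.gserviceaccount.com"
    grants = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # users, groups and deleted: principals are out of scope
            email = member.split(":", 1)[1]
            if not email.endswith(own_domain):  # own SAs are describable anyway
                grants[email].add(binding["role"])
    return {email: sorted(roles) for email, roles in grants.items()}

def by_source_project(grants):
    """Group grants by the project number in the email, 'unknown' if none."""
    groups = defaultdict(dict)
    for email, roles in grants.items():
        m = _PROJECT_NUMBER.match(email)
        groups[m.group(1) if m else "unknown"][email] = roles
    return dict(groups)

# Constructed sample policy for a shared artifacts project; not real data.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/artifactregistry.reader", "members": [
        "serviceAccount:111111@cloudbuild.gserviceaccount.com",
        "serviceAccount:222222-compute@developer.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/artifactregistry.writer", "members": [
        "serviceAccount:111111@cloudbuild.gserviceaccount.com",
        "serviceAccount:ci@shared-artifacts.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": [
        "serviceAccount:service-111111@gcp-sa-artifactregistry.iam.gserviceaccount.com"]}]}
```

Against a real project, `by_source_project(foreign_sa_grants(load_policy("shared-artifacts"), "shared-artifacts"))` gives the same per-environment view; the output of `gcloud artifacts repositories get-iam-policy` has the same bindings shape if the grants live on the repository rather than the project.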