ProbableOdyssey

TIL How to query GCP account permissions

You’ve granted some roles to a service account, but your application is still throwing permission errors. Or, perhaps you want to prove that a service account doesn’t have a dangerous permission like resourcemanager.projects.delete. How do you quickly get a definitive answer without digging through complex policies?

GCP's cloudresourcemanager API provides a testIamPermissions method: you POST a list of permissions against a resource (here a project) and it returns the subset of those permissions that the calling identity actually holds on that resource. Because the check is made as the caller, you test a service account by impersonating it when minting the access token:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth --impersonate-service-account=... print-access-token)" \
  -H "Content-Type: application/json" \
  "https://cloudresourcemanager.googleapis.com/v3/projects/PROJECT_NAME:testIamPermissions" \
  -d '{
    "permissions": [
      "resourcemanager.projects.get",
      "resourcemanager.projects.delete",
      "storage.buckets.list"
    ]
  }'

The API will return a JSON response similar to this:

{
  "permissions": [
    "resourcemanager.projects.get",
    "storage.buckets.list"
  ]
}

The response lists only the permissions from your request that the identity actually holds. Anything you asked about that is absent from the response (here resourcemanager.projects.delete) is not granted, which is exactly the evidence you want when proving an identity cannot do something dangerous.
