Skip to content

IAM

floci-gcp emulates Google Cloud IAM over REST JSON using the real GCP IAM API.

Configuration

Variable Default Description
FLOCI_GCP_SERVICES_IAM_ENABLED true Enable/disable IAM

Quick Start

gcloud config set project floci-local

# Create a service account
gcloud iam service-accounts create my-sa \
    --display-name="My Service Account"

# List service accounts
gcloud iam service-accounts list

# Create a key
gcloud iam service-accounts keys create key.json \
    --iam-account=my-sa@floci-local.iam.gserviceaccount.com

# Delete a key
gcloud iam service-accounts keys delete KEY_ID \
    --iam-account=my-sa@floci-local.iam.gserviceaccount.com

# Create service account
curl -X POST http://localhost:4588/v1/projects/floci-local/serviceAccounts \
  -H "Content-Type: application/json" \
  -d '{"accountId":"my-sa","serviceAccount":{"displayName":"My SA"}}'

# List service accounts
curl http://localhost:4588/v1/projects/floci-local/serviceAccounts

# Get service account
curl http://localhost:4588/v1/projects/floci-local/serviceAccounts/my-sa@floci-local.iam.gserviceaccount.com

# Delete service account
curl -X DELETE http://localhost:4588/v1/projects/floci-local/serviceAccounts/my-sa@floci-local.iam.gserviceaccount.com

Service Accounts

Service accounts follow the GCP naming convention:

projects/{project}/serviceAccounts/{account}@{project}.iam.gserviceaccount.com

Service Account Keys

# Create key
curl -X POST \
  http://localhost:4588/v1/projects/floci-local/serviceAccounts/my-sa@floci-local.iam.gserviceaccount.com/keys \
  -H "Content-Type: application/json" \
  -d '{}'

# List keys
curl http://localhost:4588/v1/projects/floci-local/serviceAccounts/my-sa@floci-local.iam.gserviceaccount.com/keys

IAM Policy Bindings

# Grant Secret Manager access to a service account
gcloud secrets add-iam-policy-binding my-secret \
    --member="serviceAccount:my-sa@floci-local.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

Sign Blob (V4 Signed URLs)

The IAM SignBlob endpoint is used by the GCS SDK to generate V4 pre-signed URLs:

URL signedUrl = storage.signUrl(
    BlobInfo.newBuilder("my-bucket", "hello.txt").build(),
    15, TimeUnit.MINUTES,
    Storage.SignUrlOption.withV4Signature());

SignBlob accepts the bytes to sign and returns a stub signature, which is sufficient for local development.

Supported Operations

  • CreateServiceAccount
  • GetServiceAccount
  • ListServiceAccounts
  • DeleteServiceAccount
  • CreateServiceAccountKey (real RSA-2048 key pair; returns JSON key file)
  • GetServiceAccountKey
  • ListServiceAccountKeys
  • DeleteServiceAccountKey
  • GetIamPolicy
  • SetIamPolicy
  • TestIamPermissions
  • SignBlob