Questions tagged [google-iam]
42 questions
Newbie needs to scale
0 votes · 0 answers · 12 views
We are a tiny firm right now but are fortunate that over the next 90 days we'll go from under 10 users to maybe 4/500. I'm knowledgeable enough to know that this is the time to get things right, maybe ...
How can I get IAM policies for a GCP service account that is Google-provided?
0 votes · 0 answers · 16 views
I can ask for the details of a service account with
gcloud iam service-accounts describe <SA-email> --project=<PROJECT>
This will give the description, display name, OAuth client, etc. ...
Cannot log in to Google Cloud Virtual Machine with IAM and two-factor through SSH
1 vote · 1 answer · 154 views
After I have created a Virtual Machine that runs the latest Ubuntu LTS I want to connect to it using SSH.
When I log in to it I get this screen:
I get a new code from g.co/sc
When I enter that code into ...
Transfer 200GB from client using Google Cloud
1 vote · 1 answer · 112 views
I have a client who wishes to transfer 200GB of sensitive data to us. I would like them to upload this data to a GCloud bucket.
What is the best way to set up an external user to have access to a ...
How to grant access for a Google Cloud Service Account to have all the same permissions as another Service Account?
1 vote · 1 answer · 1k views
So I have a Google Cloud Service Account one [email protected] that has access to roles A and B.
There is Service Account two sa-2@myproject.iam.gserviceaccount.com which I need ...
Log into Google Cloud VM as a specific user using IAM
0 votes · 1 answer · 53 views
I created a VM with an Ubuntu 22.04 image and I log in using IAM credentials, not SSH keys, for example:
gcloud beta compute ssh --zone myzone vmname --project myproj --tunnel-through-iap
My command ...
GCP - Alert for adding new user or service account to a project
0 votes · 1 answer · 181 views
I want to create an alert in my project in GCP that lets me know when a new user or service account is added to the project. I understand I need to use Logs Explorer and run a query but I am not sure ...
Compute Engine: Restricting SSH usernames
0 votes · 1 answer · 77 views
I want to use OS Login with GCP because we use IAM for scoping access to all other resources within GCP (storage buckets, SQL, Redis, etc.). I understand how to restrict users from accessing machines ...
Using conditions in GCP role assignment to prevent users from inviting other users and managing only service accounts
3 votes · 1 answer · 1k views
I recently read about conditions in GCP and how one can use them to add logic to a role. I would like to give a user a role to assign roles to service accounts. But if I do that, the user will also be ...
Display Existing Policy Bindings for GCP Service Account
1 vote · 1 answer · 3k views
I'm setting up a service account to access a CloudSQL DB from GKE. I've created both the GSA and the KSA, and have executed the command to associate the two (gcloud iam service-accounts add-iam-...
Unable to access GCS Object with storage.objects.get
1 vote · 1 answer · 1k views
I have a bucket with uniform permissions (no object level ACLs) and my account has the Owner role on the project which should give full access to all resources. I have even tried adding Storage Admin /...
Can GCDS (Google Cloud Directory Sync) trigger a cloud function?
0 votes · 1 answer · 112 views
I would like to run a Google Cloud function that renames the posixAccounts -> {username,homeDirectory} in Google Directory. I am hoping that it's possible to have the function triggered after a ...
Fine-grained access for GCP OSLogin / osAdminLogin?
0 votes · 1 answer · 176 views
Is it possible to control which users/groups get which sudo privileges? Or is it an all-or-nothing proposition?
IAP with Google Identity Platform throws "Failed to fetch the discovery document from issuer"
0 votes · 1 answer · 316 views
I have activated Identity Aware Proxy on a GCP Load Balancer and configured it to authenticate the users against my OIDC Identity Provider (Auth0) through Google Identity Platform with a default login ...
Google cloud function - Unable to deploy
0 votes · 0 answers · 180 views
I have lots of cloud functions deployed and working fine. (I am the project owner)
Now I am not able to deploy any function and keep on getting this error -
ERROR: gcloud crashed (ConnectionError): ('...
Google Cloud Project with No Owner
0 votes · 1 answer · 701 views
We have a Google Cloud project on my team and the owner has since left the organization.
We still have access to the project because someone on my team is an editor but editors cannot give others ...
GCP deployment to create storage bucket fails on missing storage.buckets.get access
0 votes · 1 answer · 475 views
I want to create a cloud storage bucket programmatically using deployment manager, but the deployment fails with the following error:
ERROR: (gcloud.deployment-manager.deployments.create) Error in ...
GCP - which role does a permission belong to?
2 votes · 1 answer · 1k views
I can't understand why use of IAM is so hard to comprehend.
For example I am trying to create a schedule for a VM instance. When I add an instance to a schedule I get:
Compute Engine System service ...
GCP: Can I list permissions assigned to custom role using gcloud?
4 votes · 2 answers · 5k views
Is there any way to list the permissions associated with a (custom) role in Google Cloud Platform IAM using gcloud? I can find how to list the roles, but not the permissions associated with a given ...
GCP Owner and Administrator roles for organization
0 votes · 2 answers · 8k views
I am assigned "Owner" role on the whole GCP organization, yet I cannot access organization IAM or billing accounts.
I've tried running a query on principal, I can see my account as a member ...
Allow multiple service accounts to access multiple storage buckets
-1 votes · 2 answers · 690 views
I have some devices, and each will be handed to the customers. I need each device to have read-access to some Google Cloud storage buckets. I would like each device (or at least each customer) to ...
How do I enable only a single Cloud SQL DB for a GCP service account?
-2 votes · 1 answer · 843 views
I have a service account that should only have access to a single instance of Cloud SQL. In GCP, I've been trying to create a role with conditional access to the instance.
The instance name of the DB ...
Velero installation failing from a VM host in GCP
1 vote · 1 answer · 194 views
I am trying to install velero on a GKE Cluster from a GCP Compute Engine Host using the steps below
https://github.com/vmware-tanzu/velero-plugin-for-gcp
I am installing velero from the VM host using ...
How do I list all the perms of a predefined role?
0 votes · 1 answer · 221 views
I see this crap in lots of Google docs:
They are doing a terrible job with documentation here.
I want to create a custom role. Custom roles don't support adding predefined roles and don't support ...
Why doesn't Cloud Build service account show up in gcloud list command?
5 votes · 2 answers · 2k views
When I look at the Console IAM dashboard for my project I can see the line item for my Cloud Build Service Account:
https://console.cloud.google.com/iam-admin/iam
Member ...
Google Cloud IAM Instance granular access
0 votes · 1 answer · 93 views
Is there any way on Google Cloud IAM roles setup to give access/visibility to some VM Instances of the project and not to the whole of them?
Ideally just to the ones that the user creates and not to ...
Mapping an IAM role to a Cloud Identity organizational unit
0 votes · 1 answer · 187 views
In the GCP IAM console, I can add either the entire organization (the domain of example.com) or individual users to Roles. However, I have the users set up in GSuite/Cloud Identity and organized into ...
Access denied (SA doesn't have storage.objects.create access) when trying to upload using a presigned URL to google cloud storage
0 votes · 1 answer · 19k views
Having issues trying to allow a client to upload a file via a presigned URL.
Error received
<?xml version='1.0' encoding='UTF-8'?>
<Error>
<Code>AccessDenied</Code>
<Message&...
QueryTestablePermissions response doesn't include "AccessContextManager.*" permissions
0 votes · 1 answer · 36 views
Based on this documentation: https://cloud.google.com/iam/docs/custom-roles-permissions-support
There are several permissions with the prefix AccessContextManager. But after I ran the API: ...
Compute OS Admin Login role doesn't make user sudoer
0 votes · 1 answer · 245 views
I have a user with the Compute OS Admin Login role, but when I log in using ssh, this user is not a sudoer. I've tried to restart the instance, but still the same. I've tried with enable_oslogin:TRUE ...
Require multiple group membership in Google cloud resource permission
1 vote · 1 answer · 179 views
Is it possible to set up an access permission on GCP resource that requires multiple roles/permissions/groups membership? Basically, have a logical AND for permissions.
IAM "conditions" ...
Google Cloud IAM roles on specific Cloud Functions
1 vote · 1 answer · 630 views
I have a project with a number of Cloud Functions deployed and I want to allow users to only administer certain functions, ensuring that they are not able to overwrite certain existing functions. ...
Can a service account access all APIs?
0 votes · 1 answer · 58 views
For an api-key, one can define which APIs can be accessed with that api-key, but for service accounts, you seemingly can't. I thought maybe I could create a new role that only allows access to the ...
How do I determine the least privilege permissions for a service account applying Terraform plans?
0 votes · 1 answer · 435 views
EDIT: Since I can't "trigger" Recommender to make this calculation, and I can't get at the source dataset, is there an automated way of finding the IAM permissions a service account would need to ...
How do you assign storage permissions to a group of GCP service accounts?
2 votes · 2 answers · 811 views
How does one assign Google Cloud Storage bucket permissions to a group of users?
There are no bucket-level permissions that can be specified in roles, and there's no way to create a group as far as I ...
GCP User added in IAM cannot see project
0 votes · 3 answers · 6k views
I have a project in Google Cloud that I'm trying to add an "editor" to (I will remain the sole project owner). I have added this person using their gmail address in the IAM permissions but the project ...
GCP Service Account roles do not work correctly
0 votes · 2 answers · 3k views
When granting roles to my service account, those roles do not give me the permissions they say they do.
I am using Terraform. I have created a new service account like so:
gcloud iam service-...
New with Organization node and permissions on GCP
0 votes · 1 answer · 36 views
I am working with GCP within my university's CS program. My university does have an organizational node which our IT department is not using and has given me permission to use it for my class. I ...
Prompt user to provide necessary IAM config to GCP resources
0 votes · 1 answer · 69 views
I'm brand new to Google Cloud Platform, and we are working on a strategy to provision software for non-technical users.
Is it possible to prompt a user with a familiar OAuth-like, one-click request ...
Required GCP IAM permissions for accessing/managing Google Maps/Places API
0 votes · 1 answer · 393 views
I searched through the roles in the IAM role management and was unable to find roles to access and manage APIs & Service in GCP so that I can give a person access to specific API Services only. ...
GCP OS Login error
0 votes · 1 answer · 159 views
I have enabled os-login for an instance by setting the metadata value as 'enable-oslogin=TRUE'. Even after setting the IAM roles as Organization admin and Owner of the project the issue persists as ...
Service account does not have storage.buckets.create access
0 votes · 1 answer · 10k views
I have created a Service Account for Terraform. Part of our process is to create some storage buckets and maintain them through Terraform.
However, when we run terraform apply we get the following ...