Questions tagged [google-iam]

The tag has no usage guidance.

0 votes
0 answers
12 views

Newbie needs to scale

We are a tiny firm right now but are fortunate that over the next 90 days we'll go from under 10 users to maybe 4/500. I'm knowledgeable enough to know that this is the time to get things right, maybe ...
Embarrassed Coder
0 votes
0 answers
16 views

How can I get IAM policies for a GCP service account that is Google-provided?

I can ask for the details of a service account with gcloud iam service-accounts describe <SA-email> --project=<PROJECT> This will give the description, display name, OAuth client, etc. ...
Mike Williamson
1 vote
1 answer
154 views

Cannot log in to Google Cloud Virtual Machine with IAM and two-factor through SSH

After I have created a Virtual Machine that runs latest Ubuntu LTS I want to connect to it using SSH. When I login to it I get this screen: I get a new code from g.co/sc When I enter that code into ...
Europa
1 vote
1 answer
112 views

Transfer 200GB from client using Google Cloud

I have a client who wishes to transfer 200GB of sensitive data to us. I would like them to upload this data to a GCloud bucket. What is the best way to set up an external user to have access to a ...
Omroth
1 vote
1 answer
1k views

How to grant access for a Google Cloud Service Account to have all the same permissions as another Service Account?

So I have a Google Cloud Service Account one [email protected] that has access to roles A and B. There is Service Account two sa-2@myproject.iam.gserviceaccount.com which I need ...
engineer-x
0 votes
1 answer
53 views

Log into Google Cloud VM as a specific user using IAM

I created a VM with an Ubuntu 22.04 image and I log in using IAM credentials, not SSH keys, for example: gcloud beta compute ssh --zone myzone vmname --project myproj --tunnel-through-iap My command ...
abalter
0 votes
1 answer
181 views

GCP - Alert for adding new user or service account to a project

I want to create an alert in my project in GCP that lets me know when a new user or service account is added to the project. I understand I need to use Logs Explorer and run a query but I am not sure ...
Nicholas Ziccardi
0 votes
1 answer
77 views

Compute Engine: Restricting SSH usernames

I want to use OS Login with GCP because we use IAM for scoping access to all other resources within GCP (storage buckets, SQL, Redis, etc.). I understand how to restrict users from accessing machines ...
fuzzybear3965
3 votes
1 answer
1k views

Using conditions in GCP role assignment to prevent users from inviting other users and managing only service accounts

I recently read about conditions in GCP and how one can use them to add logic to a role. I would like to give a user a role to assign roles to service accounts. But if I do that, the user will also be ...
Alex Elshamouty
1 vote
1 answer
3k views

Display Existing Policy Bindings for GCP Service Account

I'm setting up a service account to access a CloudSQL DB from GKE. I've created both the GSA and the KSA, and have executed the command to associate the two (gcloud iam service-accounts add-iam-...
Lowell Boone
1 vote
1 answer
1k views

Unable to access GCS Object with storage.objects.get

I have a bucket with uniform permissions (no object level ACLs) and my account has the Owner role on the project which should give full access to all resources. I have even tried adding Storage Admin /...
jtbry
0 votes
1 answer
112 views

Can GCDS (Google Cloud Directory Sync) trigger a cloud function?

I would like to run a Google Cloud function that renames the posixAccounts -> {username,homeDirectory} in Google Directory. I am hoping that it's possible to have the function triggered after a ...
GuyMatz
0 votes
1 answer
176 views

fine-grained access for GCP OSLogin / osAdminLogin?

Is it possible to control which users/groups get which sudo privileges? Or is it an all-or-nothing proposition?
GuyMatz
0 votes
1 answer
316 views

IAP with Google Identity Platform throws "Failed to fetch the discovery document from issuer"

I have activated Identity Aware Proxy on a GCP Load Balancer and configured it to authenticate the users against my OIDC Identity Provider (Auth0) through Google Identity Platform with a default login ...
MariusPontmercy
0 votes
0 answers
180 views

Google cloud function - Unable to deploy

I have lots of cloud functions deployed and working fine. (I am the project owner.) Now I am not able to deploy any function and keep on getting this error - ERROR: gcloud crashed (ConnectionError): ('...
Rajesh bhardwaj
0 votes
1 answer
701 views

Google Cloud Project with No Owner

We have a Google Cloud project on my team and the owner has since left the organization. We still have access to the project because someone on my team is an editor, but editors cannot give others ...
Rachel S.
0 votes
1 answer
475 views

GCP deployment to create storage bucket fails on missing storage.buckets.get access

I want to create a cloud storage bucket programmatically using deployment manager, but the deployment fails with the following error: ERROR: (gcloud.deployment-manager.deployments.create) Error in ...
Carlos Rodriguez
2 votes
1 answer
1k views

GCP - which role does a permission belong to?

I can't understand why use of IAM is so hard to comprehend. For example, I am trying to create a schedule for a VM instance. When I add an instance to a schedule I get: Compute Engine System service ...
Boppity Bop
4 votes
2 answers
5k views

GCP: Can I list permissions assigned to custom role using gcloud?

Is there any way to list the permissions associated with a (custom) role in Google Cloud Platform IAM using gcloud? I can find how to list the roles, but not the permissions associated with a given ...
Scott Queen
0 votes
2 answers
8k views

GCP Owner and Administrator roles for organization

I am assigned "Owner" role on the whole GCP organization, yet I cannot access organization IAM or billing accounts. I've tried running a query on principal, I can see my account as a member ...
Victor
-1 votes
2 answers
690 views

Allow multiple service accounts to access multiple storage buckets

I have some devices, and each will be handed to the customers. I need each device to have read access to some Google Cloud storage buckets. I would like each device (or at least each customer) to ...
Hugal31
-2 votes
1 answer
843 views

How do I enable only a single Cloud SQL DB for a GCP service account?

I have a service account that should only have access to a single instance of Cloud SQL. In GCP, I've been trying to create a role with conditional access to the instance. The instance name of the DB ...
CallMeNorm
1 vote
1 answer
194 views

Velero installation failing from a VM host in GCP

I am trying to install velero on a GKE Cluster from a GCP Compute Engine Host using the steps at https://github.com/vmware-tanzu/velero-plugin-for-gcp. I am installing velero from the VM host using ...
Zama Ques
0 votes
1 answer
221 views

How do I list all the perms of a predefined role?

I see this crap in lots of Google docs: They are doing a terrible job with documentation here. I want to create a custom role. Custom roles don't support adding predefined roles and don't support ...
red888
5 votes
2 answers
2k views

Why doesn't Cloud Build service account show up in gcloud list command?

When I look at the Console IAM dashboard for my project I can see the line item for my Cloud Build Service Account: https://console.cloud.google.com/iam-admin/iam Member ...
mbigras
0 votes
1 answer
93 views

Google Cloud IAM Instance granular access

Is there any way on Google Cloud IAM roles setup to give access/visibility to some VM Instances of the project and not to the whole of them? Ideally just to the ones that the user creates and not to ...
Imnl
0 votes
1 answer
187 views

Mapping an IAM role to a Cloud Identity organizational unit

In the GCP IAM console, I can add either the entire organization (the domain of example.com) or individual users to Roles. However, I have the users setup in GSuite/Cloud Identity and organized into ...
David Hergert
0 votes
1 answer
19k views

Access denied (SA doesn't have storage.objects.create access) when trying to upload using a preSigned url to google cloud storage

Having issues trying to allow a client to upload a file via a presigned url. Error received <?xml version='1.0' encoding='UTF-8'?> <Error> <Code>AccessDenied</Code> <Message&...
James
0 votes
1 answer
36 views

QueryTestablePermissions response doesn't include "AccessContextManager.*" permissions

Based on this documentation: https://cloud.google.com/iam/docs/custom-roles-permissions-support there are several permissions with the prefix AccessContextManager. But after I ran the API: ...
purnadika
0 votes
1 answer
245 views

Compute OS Admin Login role doesn't make user sudoer

I have a user with the Compute OS Admin Login role, but when I log in using ssh, this user is not a sudoer. I've tried to restart the instance, but still the same. I've tried with enable_oslogin:TRUE ...
Rhangaun
1 vote
1 answer
179 views

Require multiple group membership in Google cloud resource permission

Is it possible to set up an access permission on GCP resource that requires multiple roles/permissions/groups membership? Basically, have a logical AND for permissions. IAM "conditions" ...
Yotamz
1 vote
1 answer
630 views

Google Cloud IAM roles on specific Cloud Functions

I have a project with a number of Cloud Functions deployed and I want to allow users to only administer certain functions, ensuring that they are not able to overwrite certain existing functions. ...
Max888
0 votes
1 answer
58 views

Can a service account access all APIs?

For an api-key, one can define which APIs can be accessed with that api-key, but for service accounts, you seemingly can't. I thought maybe I could create a new role that only allows access to the ...
ASA
0 votes
1 answer
435 views

How do I determine the least privilege permissions for a service account applying Terraform plans?

EDIT: Since I can't "trigger" Recommender to make this calculation, and I can't get at the source dataset, is there an automated way of finding the IAM permissions a service account would need to ...
Larry B.
2 votes
2 answers
811 views

How do you assign storage permissions to a group of GCP service accounts?

How does one assign Google Cloud Storage bucket permissions to a group of users? There's no bucket-level permissions that can be specified in roles, and there's no way to create a group as far as I ...
Charlie
0 votes
3 answers
6k views

GCP User added in IAM cannot see project

I have a project in Google Cloud that I'm trying to add an "editor" to (I will remain the sole project owner). I have added this person using their gmail address in the IAM permissions but the project ...
Zac Soden
0 votes
2 answers
3k views

GCP Service Account roles do not work correctly

When granting roles to my service account, those roles do not give me the permissions they say they do. I am using Terraform. I have created a new service account like so: gcloud iam service-...
outrunthewolf
0 votes
1 answer
36 views

New with Organization node and permissions on GCP

I am working with GCP within my university's CS program. My university does have an organizational node which our IT department is not using and has given me permission to use it for my class. I ...
Cathy Bareiss
0 votes
1 answer
69 views

Prompt user to provide necessary IAM config to GCP resources

I'm brand new to Google Cloud Platform, and we are working on a strategy to provision software for non-technical users. Is it possible to prompt a user with a familiar OAuth-like, one-click request ...
g000m
0 votes
1 answer
393 views

Required GCP IAM permissions for accessing/managing Google Maps/Places API

I searched through the roles in the IAM role management and was unable to find roles to access and manage APIs & Service in GCP so that I can give a person access to specific API Services only. ...
cjost
0 votes
1 answer
159 views

GCP Oslogin error

I have enabled os-login for an instance by setting the metadata value as 'enable-oslogin=TRUE'. Even after setting the IAM roles as Organization admin and Owner of the project the issue persists as ...
Sasirekha
0 votes
1 answer
10k views

Service account does not have storage.buckets.create access

I have created a Service Account for Terraform. Part of our process is to create some storage buckets and maintain them through Terraform. However, when we run terraform apply we get the following ...
Andrew Ellis