I'm working with multiple Google Cloud projects and need to impersonate multiple users to perform certain actions on their behalf.
My question is, is it possible to impersonate from an impersonated Google account in Google Cloud? If so, what is the best way to achieve this? I know on AWS you can "double assume" a role with the STS service.
I've tried searching for information on this topic, but I haven't been able to find any clear answers also tried to do this in the python SDK but could not succeed:
Lets say we have service account A with TokenCreator role on Service Account B with TokenCreator role on service account C.
from google.auth import impersonated_credentials
service_account_b_impersonated_credentials = impersonated_credentials.Credentials(
source_credentials=source_credentials_a,
target_principal=source_credentials_b,
target_scopes=[],
lifetime=500,
)
service_account_c_impersonated_credentials = impersonated_credentials.Credentials(
source_credentials=service_account_b_impersonated_credentials,
target_principal=service_account_c,
target_scopes=[],
lifetime=500,
)
but when using the new credentials, I can't really do anything.
In the CLI I know I can use the --impersonate flag when executing an action such as list vms however didn't find a CLI command equivalent to STS on AWS to really act as the principal for all actions
Any help or guidance would be greatly appreciated.
Thank you!
Related
I am trying to add a service account to my cloud run service. However, there is a message that "No service account with required permissions available."
I'm not sure if this is related to my user's credentials, or something else. This project has the default compute service account, as well as additional service accounts.
I can't find anything related in the documentation regarding this.
Would appreciate any insight you have on this issue!
Yes, I think that's probably (!?) what's occurring.
I assume that you're using Cloud Console and trying to Create a Cloud Run service.
I was able to add a minimally-roled user to an existing project and, when trying to create a Cloud Run service, I observe the same behavior that you're seeing.
How do you know that the project contains Service Accounts? I assume that your permissions are similarly restricted in eumerating these.
The permissions required to set a service account are described here. You need service account user permissions on the project or specific service account in order to set it on a deploy.
We have GCP account credentials(username/password). We have installed gcloud CLI on the Amazon Linux EC2 machine. We would like to create a script that would auto-login to the GCP account and do the below things sequentially using gcloud CLI.
Login to the GCP account.
Create Project and specify a meaningful project-id.
Create a service account with a meaningful ID.
Assign the owner role to the service account.
Create and download a new JSON key.
Please help us to achieve this
You should use a Service Account not a User (username|password) for automation. The Service Account should be suitably permissioned so that it can create Projects and Service Accounts.
I was unable to find a source for this (but it used to be that?) Google monitors User Accounts for apparent use of automation (e.g. for bots) and these accounts may be disabled.
How to setup multi-account(project) in GCP, it is possible in AWS by using assume-role, anyone knows how to do it in Google Cloud (GCP)?
I tried to explore AWS equivalent in GCP, but not able to find any document.
As documented, AssumeRole in AWS returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
In AWS you can create one set of long-term credentials in one account. Then you can use temporary security credentials to access all the other accounts by assuming roles in those accounts.
The equivalent of the above in GCP would be creating short-lived credentials for service accounts to impersonate their identities (Documentation link).
Accordingly, in GCP you have the “caller” and the “limited-privilege service account” for whom the credential is created.
To implement this scenario, first, use handy documentation on Service Accounts and Cloud IAM Permission Roles in GCP, as each account is a Service Account with specific role permissions, in order to understand how accounts work in GCP.
The link I posted above, provides detailed information on the flows that allow a caller to create short-lived credentials for a service account and the supported credential types.
Additionally, this link can assist you in visualizing and understanding the resource hierarchy architecture in GCP and give you examples on how to structure your project according to your organization’s structure.
The basic answer is "Service Roles". Limited-time service roles are available.
For assigning permissions across projects (but still in the same organization), you can create a custom role.
For letting any user assume the role of a service account, use the Service Account user role.
For limited-time authorization tokens, you have OAuth 2.0 for server-to-server calls, particularly with JWT where available.
When I try to create a job in the GCP Cloud Scheduler I get this error:
{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}
When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.
I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.
Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?
Many thanks.
Ben
Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.
You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.
Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OICD tokens.
my company provides me with a federated access to AWS. By that I mean, we're going to a website where we login with our SSO which then allows us to pull up the AWS console (i.e. through as custom federation broker as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
I can create instances (ec2) just fine through the UI. My question is, how can I get API credentials to use with aws cli?
In the IAM dashboard I don't see an option to create a credential set for myself.
Is this even something I can get to, or do they (=my it people) need to change something in the setup?
Thanks a bunch!
ps. to clarify, this we're not going through onelogin
You can create a program to do this leveraging your credentials, your SSO config, and boto3.
Alternatively, I use this google chrome plugin: https://github.com/prolane/samltoawsstskeys/blob/master/README.md
Atlassian also released a tool recently to help solve this problem, and there are some other ones out there if you do some searching.