According to the docs, a default service account is used to manage and execute dataform in GCP.
Is there a way to use another service account instead?
According to the Google documentation, it is not possible to use a custom service account with Dataform. Dataform creates its own service account and permissions by default.
However, there is a feature request filed for the same. You can vote for this feature by clicking the "+1" and "STAR" marks to receive updates on it, or you can also create a feature request thread in Google's Public Issue Tracker.
I have an application that can manage Google Calendar within the Google Workspace of the company. The application contains more than one company.
I want to use domain-wide delegation. As described here or here, the admin of the workspace needs to add the service account ID and scope manually.
Is there a way to do this programmatically?
After some research, and also looking into Google Workspace's Admin SDK documentation here and here, this does not seem to be an available option at the moment.
You may want to submit a feature request here for that.
For service or local applications, the admin has to manually generate the service account and grant this service account domain-wide authorization. There is no way to do this programmatically (unless for pure SaaS applications).
Is there a way to force user creation and login through Cloud Identity and not allow marketing to add users to Analytics as they please?
Thank you
Not exactly, but if you have a Cloud Identity/Workspace account for, say, example.com, you can:
Migrate or evict all existing #example.com consumer accounts.
Prevent new consumer account sign-ups for #example.com.
Set a policy in Marketing Platform to only allow members from #example.com
In combination, this should have the desired effect.
If you're using a corporate, TLS-inspecting proxy, you can also block access to consumer accounts.
We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed or if anyone has seen this previously?
Does it not exist, or do you not see it?
I'm pretty sure that it exists, but without any role granted on it, and you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!
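Terraform for the situation in this question, as an added example that is not part of the original answer: it asks the google-beta provider to materialise the Pub/Sub service agent explicitly and binds Token Creator on a dedicated push service account. `var.project_id`, the resource names and the `pubsub-push-auth` account are assumptions.

```hcl
# Added example, not code from the question or answer. Assumes the google and
# google-beta providers are configured and that var.project_id is the Test
# project that is missing its Pub/Sub service agent.
resource "google_project_service" "pubsub" {
  project            = var.project_id
  service            = "pubsub.googleapis.com"
  disable_on_destroy = false
}

# Create the Pub/Sub service agent explicitly instead of relying on the API
# enablement to create it as a side effect. Its email is exported, so the
# constrained service-agent name never has to be typed by hand.
resource "google_project_service_identity" "pubsub" {
  provider   = google-beta
  project    = var.project_id
  service    = "pubsub.googleapis.com"
  depends_on = [google_project_service.pubsub]
}

# The identity the push subscription presents to the receiving endpoint.
resource "google_service_account" "push_auth" {
  project      = var.project_id
  account_id   = "pubsub-push-auth"
  display_name = "Pub/Sub push authentication"
}

# The service agent must be able to mint tokens for that identity. Binding
# Token Creator on this single service account keeps the grant narrower than a
# project-level role. Because it is not a project binding, the agent still will
# not be listed on the project IAM page; confirm it on the service account's
# own IAM policy instead.
resource "google_service_account_iam_member" "pubsub_token_creator" {
  service_account_id = google_service_account.push_auth.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${google_project_service_identity.pubsub.email}"
}
```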
Using Google Cloud, there exists a BigQuery View table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default Composer service account; however, it doesn't have access to the 2nd project used in the SQL of the view.
How do I give composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different projects and components. It is exactly the same thing with the service account email.
The service account belongs to a project. A user account belongs to a domain name/organisation. No real difference in the end.
So, you can use a service account email like any user account:
Grant authorization in any project
Add it in Google Groups
Even grant it the viewer or editor role on a G Suite document (Sheets, Docs, Slides, ...) to allow it to access and read/update these documents!! Like any user!
EDIT
With Airflow, you can define connections and a default connection. You can use this connection in your DAG and thus use the service account that you want.
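Terraform for the cross-project grant this answer describes, added here and not the answerer's code. It goes one step beyond the answer by also showing the authorized-view alternative, which lets the view be queried without the Composer account holding any role in the second project. All `var.*` names are assumptions.

```hcl
# Added example, not from the original answer. Assumes var.composer_sa_email is
# the service account the Composer environment runs as, var.view_project /
# var.view_dataset / var.view_table locate the view, and var.source_project /
# var.source_dataset hold the tables the view reads in the second project.

# Option 1: grant the Composer service account read access directly, scoped to
# the source dataset rather than the whole second project.
resource "google_bigquery_dataset_iam_member" "composer_reads_source" {
  project    = var.source_project
  dataset_id = var.source_dataset
  role       = "roles/bigquery.dataViewer"
  member     = "serviceAccount:${var.composer_sa_email}"
}

# Option 2: authorize the view itself on the source dataset. Queries through
# the view then succeed with no grant to the Composer account in the second
# project, which is the narrower choice when only that view is needed.
resource "google_bigquery_dataset_access" "authorized_view" {
  project    = var.source_project
  dataset_id = var.source_dataset
  view {
    project_id = var.view_project
    dataset_id = var.view_dataset
    table_id   = var.view_table
  }
}

# Either way the account must be able to run jobs and read the view in the
# project where the DAG issues the query (the project returning the 403).
resource "google_project_iam_member" "composer_bq_job_user" {
  project = var.view_project
  role    = "roles/bigquery.jobUser"
  member  = "serviceAccount:${var.composer_sa_email}"
}

resource "google_bigquery_dataset_iam_member" "composer_reads_view" {
  project    = var.view_project
  dataset_id = var.view_dataset
  role       = "roles/bigquery.dataViewer"
  member     = "serviceAccount:${var.composer_sa_email}"
}
```

Apply only one of the two options; the last two resources are needed with either.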
I think you have to add the service account into project IAM.
We have a Cloud Foundry demo installation for customers. Customers are able to create an account. Now, I would like to automatically assign a specific org and space, including roles, to every new user.
Is that possible?
You could create a web application that users go to to create their account, then use UAA APIs and Cloud Controller APIs to create and assign the user to whatever you want. This application can use UAA client accounts with appropriate authorities.
If you only want users to create their accounts using your application, I believe you can tell UAA to disable self-service links in the UAA UI using "login.self_service_links_enabled=false", and you can probably stop people from creating their own accounts on the CLI by removing the "scim.write" scope from the cf client.
There's nothing out of the box that does this. I can't see anything in the events API that you could plug into either.