Accessing Resource ID in GCP without gcloud - google-cloud-platform

I want to get resource IDs of resources in Google Cloud Platform.
I have enough access to the Google Cloud console to access those resources.
However, I can't access them through the gcloud shell utility and need additional permissions.
$ gcloud alpha monitoring policies list --project kbc-env --filter="userLabels.alerting_db_type:*" --format json > ~/Downloads/kbc-env.json
ERROR: (gcloud.alpha.monitoring.policies.list) User [sjain@kbc.com] does not have permission to access projects instance [kbc-env] (or it may not exist): Caller does not have required permission to use project kbc-env. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=kbc-env and then retry. Propagation of the new permission may take a few minutes.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developer console IAM admin
    url: https://console.developers.google.com/iam-admin/iam/project?project=kbc-env
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/kbc-env
    service: monitoring.googleapis.com
  reason: USER_PROJECT_DENIED
How can I get resource IDs without gcloud permissions?

To get the resource ID without gcloud:
Step 1:
Go to the GCP console and open the resource directly.
For example, you can go to Cloud Monitoring, then click Alerting, and then click one of the alerts.
Step 2:
We can get the resource ID from the URL, as shown in the screenshot.

Related

How do I deploy a Google Cloud Function (2nd generation)?

I've previously only used Cloud Functions of gen. 1 but now plan to move to 2nd generation and am just trying to deploy/test a first basic function. I'm just taking the Google sample for a storage triggered function and trying to deploy it, but it keeps failing.
This is what it looks like:
> gcloud functions deploy nodejs-finalize-function --gen2 --runtime=nodejs16 --project myproject --region=europe-west3 --source=. --entry-point=handleImage --trigger-event-filters='type=google.cloud.storage.object.v1.finalized' --trigger-event-filters='bucket=se_my_images'
Preparing function...done.
X Deploying function...
✓ [Build] Logs are available at [https://console.cloud.google.com/cloud-build/builds;region=europe-west3/a8355043-adf0-4485-a510-1d54b7e11111?project=123445666123]
✓ [Service]
✓ [Trigger]
- [ArtifactRegistry] Deleting function artifacts in Artifact Registry...
. [Healthcheck]
. [Triggercheck]
Failed.
ERROR: (gcloud.functions.deploy) OperationError: code=7, message=Creating trigger failed for projects/myproject/locations/europe-west3/triggers/nodejs-finalize-function-898863: The Cloud Storage service account for your bucket is unable to publish to Cloud Pub/Sub topics in the specified project.
To use GCS CloudEvent triggers, the GCS service account requires the Pub/Sub Publisher (roles/pubsub.publisher) IAM role in the specified project. (See https://cloud.google.com/eventarc/docs/run/quickstart-storage#before-you-begin)
The error looks easy to understand, but I have added the Pub/Sub Publisher role to all my service accounts now (the ones listed below) and I still keep getting the same error.
>gcloud iam service-accounts list --project myproject
DISPLAY NAME                        EMAIL                                                      DISABLED
firebase-adminsdk                   firebase-adminsdk-u2x33@myproject.iam.gserviceaccount.com  False
Default compute service account     930445666575-compute@developer.gserviceaccount.com         False
backend-dev                         backend-dev@myproject.iam.gserviceaccount.com              False
App Engine default service account  myproject@appspot.gserviceaccount.com                      False
I don't know how to move forward from here so I hope someone can help.
*** EDIT ***.
I added the role to the listed service accounts in the GCP console, IAM > Permissions > View By Principal page/view where I used the Edit Principal button to assign an additional role (Pub/Sub Publisher) to the service accounts (note that I added the role to all my listed service accounts since I'm not 100% sure which one is used by GCP for cloud deployment).
Since you are already using the gcloud CLI, I suggest you follow step 2, which says:
PROJECT_ID=$(gcloud config get-value project)
PROJECT_NUMBER=$(gcloud projects list --filter="project_id:$PROJECT_ID" --format='value(project_number)')
SERVICE_ACCOUNT=$(gsutil kms serviceaccount -p $PROJECT_NUMBER)
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$SERVICE_ACCOUNT \
    --role roles/pubsub.publisher
After these 4 commands, you should have no problems. I don't use the GCP interface for IAM purposes, since all my IAM policies are uploaded by terraform/terragrunt.

What roles does my Cloud Build service account need to deploy an HTTP-triggered unauthenticated Cloud Function?

I was trying to deploy an http triggered Cloud Function with Cloud Build using this configuration.
steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - beta
  - functions
  - deploy
  - myfunction
  - --source=start_shopify_installation
  - --trigger-http
  - --region=europe-west1
  - --runtime=nodejs14
  - --allow-unauthenticated
  - --ingress-settings=all
  - --security-level=secure-always
  - --set-secrets=env_1=secret_1:latest
Then I got an error saying Cloud Build couldn't set an IAM policy.
WARNING: Setting IAM policy failed, try:
gcloud alpha functions add-iam-policy-binding myfunction\
--region=europe-west1 \
--member=allUsers \
--role=roles/cloudfunctions.invoker
The function gets deployed and when I check in the GCP console it looks like the allUsers member has the role Cloud Functions Invoker, but it doesn't have allow unauthenticated in the Authentication column. When I go to invoke the function I get a 'missing permissions' error.
When I execute the suggested command from my Cloud Shell it works just fine. However if I fill it in as an extra step in my deployment configuration that step fails.
I think that my Cloud Build service account must be missing a role in order to make the function accessible without authentication? Currently it has these roles: Cloud Build Service Account, Cloud Functions Developer and Service Account User.
EDIT
I added the Project IAM Admin role to the Cloud Build service account and tried again.
Unfortunately, it didn't change anything.
I reproduced your error (warning) on my side and fixed it: I can see allUsers having Cloud Functions Invoker role in the function's PERMISSIONS tab.
In fact, your Cloud Build service account needs the cloudfunctions.functions.setIamPolicy permission. So the solution is to replace the Cloud Functions Developer role with the Cloud Functions Admin role.
Use of the --allow-unauthenticated flag modifies IAM permissions. To ensure that unauthorized developers cannot modify function permissions, the user or service that is deploying the function must have the cloudfunctions.functions.setIamPolicy permission. This permission is included in both the Owner and Cloud Functions Admin roles.
Ref: https://cloud.google.com/functions/docs/securing/managing-access-iam#at_deployment

Google Cloud Platform: How to fetch permissions assigned for particular Identity across all GCP resources via REST call

GCP IAM: In IAM, permission to access a resource isn't granted directly to the end-user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.
Ref: https://cloud.google.com/iam/docs/overview
So basically, access control for Google Cloud resources is managed by IAM policies. An IAM policy is attached to a resource.
With the Cloud Resource Manager API we can retrieve a policy and check the permissions assigned to a user, but it's resource-centric. Policies for organizations, folders, projects, etc. can be retrieved.
Example: https://cloud.google.com/resource-manager/reference/rest/v1/organizations/getIamPolicy
Cloud Asset Inventory: Has an API to search all IAM policies. With the query parameter it has a filter for user, but it supports a subset of the resources on which an IAM policy can be assigned.
API:
https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllIamPolicies
Reference:
https://cloud.google.com/asset-inventory/docs/supported-asset-types
https://cloud.google.com/iam/docs/resource-types-with-policies
Question:
Is there any way to fetch all the permissions granted to an identity across all GCP resources instead of checking the IAM policy of each and every resource?
Basically, I am looking for a consolidated view of all the permissions granted to an identity in GCP. The problem is that, to understand the permissions assigned to a user on a single resource with the API, we have to fetch all the resource policies and check their bindings.
As of now there is no gcloud or API call that can be used to easily check the permissions granted to a particular resource (such as user, service account, etc.) as explained in your question. As you are already aware, you could use the relevant gcloud command to search for the specific roles assigned at each distinct resource, e.g.:
gcloud asset search-all-iam-policies --scope='projects/[YOUR-PROJECT-ID]' --query='policy:[YOUR-USERNAME]@[YOUR-DOMAIN]'
Resulting in e.g.:
---
policy:
  bindings:
  - members:
    - projectOwner:[PROJECT-ID]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/bigquery.dataOwner
project: projects/[PROJECT-NUMBER]
resource: //bigquery.googleapis.com/projects/[PROJECT-ID]/datasets/[DATASET-NAME]
---
policy:
  bindings:
  - members:
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: projects/[PROJECT-ID]/roles/[CUSTOM-ROLE-NAME]
  - members:
    - user:[ANOTHER-USERNAME]@[YOUR-DOMAIN]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/owner
project: projects/[PROJECT-NUMBER]
And from these responses, parse the fields corresponding to the role: assigned at each resource to see which permissions are assigned to that specific role, using the relevant gcloud command:
gcloud iam roles describe [CHANGE-FOR-ROLE-(e.g. roles/owner)] --project=[PROJECT-ID]
and check the output corresponding to the includedPermissions: fields.
I will therefore recommend you to star and follow this Feature Request on GCP's Public Issue Tracker to check the feasibility (or not) of this issue to be implemented in the future.
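The consolidation step this answer describes, as an added example that is not part of the original answer: it takes results shaped like `gcloud asset search-all-iam-policies --format=json` and role definitions shaped like `gcloud iam roles describe --format=json`, and builds a per-resource permission view for one member. The sample data is constructed, and the function names `grants_for` and `expand` are hypothetical.

```python
from collections import defaultdict

# Constructed sample, shaped like `gcloud asset search-all-iam-policies
# --format=json` results (same fields as the YAML above); not real data.
SEARCH_RESULTS = [
    {"resource": "//bigquery.googleapis.com/projects/demo-proj/datasets/sales",
     "policy": {"bindings": [
         {"role": "roles/bigquery.dataOwner",
          "members": ["projectOwner:demo-proj", "user:alice@example.com"]}]}},
    {"resource": "//cloudresourcemanager.googleapis.com/projects/demo-proj",
     "policy": {"bindings": [
         {"role": "projects/demo-proj/roles/alertViewer",
          "members": ["user:alice@example.com"]},
         {"role": "roles/owner",
          "members": ["user:bob@example.com", "user:alice@example.com"]},
         {"role": "roles/viewer", "members": ["user:bob@example.com"]}]}},
]
# Constructed stand-in for `gcloud iam roles describe ROLE --format=json`
# output per role; permission lists are shortened for the example.
ROLE_DEFS = {
    "roles/bigquery.dataOwner": {"includedPermissions": [
        "bigquery.datasets.get", "bigquery.tables.getData"]},
    "projects/demo-proj/roles/alertViewer": {"includedPermissions": [
        "monitoring.alertPolicies.list"]},
}


def grants_for(member, results):
    """Map resource -> roles for bindings naming `member` directly
    (access inherited through a group is not matched here)."""
    grants = defaultdict(list)
    for result in results:
        for binding in result.get("policy", {}).get("bindings", []):
            if member in binding.get("members", []):
                grants[result["resource"]].append(binding["role"])
    return dict(grants)


def expand(grants, role_defs):
    """Expand roles to permissions; return roles with no definition loaded."""
    perms, unresolved = {}, set()
    for resource, roles in grants.items():
        perms[resource] = set()
        for role in roles:
            if role in role_defs:
                perms[resource].update(role_defs[role]["includedPermissions"])
            else:
                unresolved.add(role)  # e.g. run `gcloud iam roles describe` for it
    return perms, unresolved
```

Roles returned in the unresolved set still grant access; they only lack a loaded definition, so an empty permission set for a resource is not evidence of no access.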

gcloud - no permissions for any API even though I am owner and works fine through web UI

I am the owner of my newly created organization, I created a project under this organization and linked it to the organization billing account where I have 1000$ in credits. Through the web UI, I am able to spin up clusters, VMs, networks... But when I want to do so through gcloud, I am getting permissions denied. E.g.:
$ gcloud compute networks list
API [compute.googleapis.com] not enabled on project [XXX].
Would you like to enable and retry (this will take a few minutes)?
(y/N)? y
ERROR: (gcloud.compute.networks.create) PERMISSION_DENIED: The caller does not have permission
but I can see in the web UI GCP that the API is clearly enabled (and can be used), it's just the gcloud not letting me work with them. The account under gcloud is exactly the same I am using in the web console - validated by gcloud auth list and:
$ gcloud config configurations describe myproject
is_active: true
name: myproject
properties:
  compute:
    region: europe-west1
    zone: europe-west1-b
  core:
    account: <my-email>
    project: <the-project-I-want>
or
$ gcloud services list
ERROR: (gcloud.services.list) User [<myusername>] does not have permission to access project [myproject] (or it may not exist): The caller does not have permission
It works totally fine with a different account (and different organization/projects), but I didn't set up that one in the past. What should I do? Thanks a lot!
UPDATE:
After gcloud init, at least the gcloud services list started to work. But the rest did not:
$ gcloud services list
NAME TITLE
bigquery-json.googleapis.com BigQuery API
cloudapis.googleapis.com Google Cloud APIs
clouddebugger.googleapis.com Stackdriver Debugger API
cloudtrace.googleapis.com Stackdriver Trace API
compute.googleapis.com Compute Engine API
container.googleapis.com Kubernetes Engine API
containerregistry.googleapis.com Container Registry API
datastore.googleapis.com Cloud Datastore API
logging.googleapis.com Stackdriver Logging API
monitoring.googleapis.com Stackdriver Monitoring API
oslogin.googleapis.com Cloud OS Login API
pubsub.googleapis.com Cloud Pub/Sub API
servicemanagement.googleapis.com Service Management API
serviceusage.googleapis.com Service Usage API
sql-component.googleapis.com Cloud SQL
storage-api.googleapis.com Google Cloud Storage JSON API
storage-component.googleapis.com Google Cloud Storage
$ gcloud compute networks create testing-net --subnet-mode=custom '--description=Network to host testing kubernetes cluster'
API [compute.googleapis.com] not enabled on project [{PROJECT_ID}].
Would you like to enable and retry (this will take a few minutes)?
(y/N)? y
ERROR: (gcloud.compute.networks.create) PERMISSION_DENIED: The caller does not have permission
^ the PROJECT_ID above shows my organization's ID, not the actual project under this org.
So the problem was that I used the wrong project_id when running gcloud config set project, and gcloud defaulted to the organization for some reason.
So I had to find the correct project ID using gcloud projects list and then use gcloud config set project {PROJECT-ID} (not the project name!)
gcloud init: use this if you want to switch gcloud between projects; it will configure its settings to point to the right project.

How can I allow a user to become an actor of a service account in Google Cloud Platform (GCP)?

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:
$ gcloud projects get-iam-policy myproject
bindings:
- members:
  - serviceAccount:123456789012-compute@developer.gserviceaccount.com
  role: roles/editor
- members:
  - user:me@myemail.com
  role: roles/owner
- members:
  - serviceAccount:bucket-viewer-service-account@myproject.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1
I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:
$ gcloud iam service-accounts add-iam-policy-binding \
    bucket-viewer-service-account@myproject.iam.gserviceaccount.com \
    --member='user:test.gcp1@myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
  - user:user:test.gcp1@myemail.com
  role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=
Is that all I have to do so that the user test.gcp1@myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?
I've looked through the many pages of documentation, Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, whereas the docs definitely mention users, groups etc. can use service accounts too.
The iam.serviceAccountActor role gives users the ability to create and manage compute engine instances that use a service account.
I could be misunderstanding something, but if you want to give someone permission to directly act as a service account, the most straightforward way would probably be to create a private key file for the service account that represents that particular user acting as that service account, and then giving them that private key file.
Giving a user the Service Account Actor role does not give access transitively, like you're suggesting. Instead, it allows a user to "use" the service account to start long-running jobs (e.g. creating a compute engine instance) that have that service account as an identity.
The iam.serviceAccountActor role is deprecated; you need to use the Service Account User role.
See More details
Apparently, the test.gcp1@myemail.com will not be able to get the privileges this way when you're running commands from your Terminal. A straightforward solution to this problem is to create and use Keys (similar to "Access Keys" in AWS). The following steps describe how you can achieve this:
Create "Keys" for your service account:
gcloud iam service-accounts keys create KEY-FILE-NAME.json --iam-account=SA-NAME@PROJECT-ID.iam.gserviceaccount.com
Load the "Keys" in your terminal by adding the following environment variable (in .bashrc or equivalent file for your OS):
export GOOGLE_APPLICATION_CREDENTIALS="/file-location/KEY-FILE-NAME.json"
Open a new terminal (or source your environment variable file) and execute CLI commands which will now be executed as your service account.
PS: Do note that the creation of "Keys" poses a considerable risk to the security of your cloud account. Ensure that the service account has minimum GCP Roles (i.e. privileges/policies) added and make sure to delete the keys when they are no longer required.
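A check for the key cleanup the PS above asks for, as an added example that is not part of the original answer: it reads output shaped like `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json` and reports user-managed keys older than a chosen age, with the delete command for each. The service account, key IDs, dates and the 90-day threshold are constructed assumptions, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the output of
# `gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json`;
# the service account, key IDs and dates are placeholders, not real data.
SA = "projects/demo-proj/serviceAccounts/viewer@demo-proj.iam.gserviceaccount.com"
KEYS = [
    {"name": SA + "/keys/aaa111", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-01-10T00:00:00Z"},
    {"name": SA + "/keys/bbb222", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-12-01T00:00:00Z"},
    {"name": SA + "/keys/ccc333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2022-06-01T00:00:00Z"},
]


def stale_user_keys(keys, now, max_age_days=90):
    """Return user-managed keys older than max_age_days, oldest first.

    Each item is (service_account_email, key_id, age_in_days). The 90-day
    default is an assumption for this example, not a GCP setting.
    """
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys cannot be downloaded; skip them
        created = datetime.strptime(
            key["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        age = (now - created).days
        if age > max_age_days:
            # name = projects/P/serviceAccounts/EMAIL/keys/KEY_ID
            parts = key["name"].split("/")
            stale.append((parts[3], parts[5], age))
    return sorted(stale, key=lambda item: item[2], reverse=True)


def delete_commands(stale):
    """Build the gcloud command an operator would review and run per key."""
    return [
        f"gcloud iam service-accounts keys delete {key_id} --iam-account={email}"
        for email, key_id, _ in stale
    ]
```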