I try to get all the projects with granted permissions for my account with api explorer:
https://cloud.google.com/bigquery/docs/reference/rest/v2/projects/list
Unfortunatly, it shows only a few projects (at least 5 times less then it has to show). I double-checked all permissions (both in project an organisation), and in every project i have admin or owner role.
btw, if I try to call the exact project via api to get the list of datasets here:
https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets/list
it will work even for those projects which are not returned in list of projects via previous method.
For what reason api doesn`t return full list of projects? Thanks for help!
Related
A new project showed up in my list of projects in my GCP console with name "My Project xxxxx" and ID "brave-watch-nnnnnn" where xxxxx and nnnnnn are numbers. But, I have no privileges on this project and cannot view the resources or modify the project.
I am the only user of my GCP account and my account is not part of any organization. I don't know how this project was created and how it got added to my console. Has anyone encountered such a scenario before and how did you resolve it ?
I think you should contact the support team. You mentioned about that your account is not part of an organization. But it's possible for someone to add you into his project via email. Did you leak your email address? You can also use gcloud projects list to see which project you have access to.
Only the owner of the project can revoke the access... that's who to contact.
b/c permission resourcemanager.projects.setIamPolicy is required to do so.
I'm trying to create my first project in google cloud with organization's administrator account. I have access to the administrator's email and passwords and I am logging in with that account to do so. The problem is that when I click on create new project I receive the following error:
There was an error while loading /home/dashboard?project=proven-now-305315&authuser=1.
You are missing at least one of the following required permissions:
Project
resourcemanager.projects.get
Check that the project ID is valid and you have permissions to access it. Learn more
Send feedback
The detail is that in my resource administration panel I already gave the permission that they ask me to the resource as shown in the following image:
As I have read, the project IAM Admin role should grant the resourcemanager.projects.get role and as you can see in the image the resource rcv # .. which is the administrator has it activated, however I keep trying to create a new project and it doesn't allow me to do it. Any idea?
In case anybody else, like me, reaches this answer, I want to point out that the accepted answer is correct, but for me I had to also make sure that within the settings, I ensured that Project Creation Settings on the right pane and under the section of Cloud Resource Manager Api Settings was set to on. It was turned off by default. Many people on my team overlooked this as it is significantly smaller text.
This may be an option that was not present before or it was turned on by default in the past. For us, it was turned off.
Please refer to the included image for a visual representation of the
settings that need to be turned on.
The problem was for some reason the Google Cloud was disable for all users, I solved following this instructions. Solved with this!
To activate this service, please follow the steps:
Access the admin console and go to Apps -> Additional Google Services
Look for the service “Google Cloud Platform” and click on the box next to it
In to top right corner click in “ON”
Confirm you want to turn it on in the pop-up box.
I am using a trial version of Google CLoud. In the command line, I am logged in with a .json key file.
gcloud projects create training_project
returns
ERROR: (gcloud.projects.create) PERMISSION_DENIED: Service accounts cannot create projects without a parent.
But with a trial account, I can neither create an organization nor a folder to serve as a parent. So, how can I make a new project with the command line interface as a trial user?
I have read this question that concerns doing this with a REST API whereas I want to use the command line interface. Furthermore, that question is not about using a trial account.
As shown in the error message (this is also documented here), service accounts are not allowed to create projects outside of an organization and must specify the parent resource when creating a project. There is no workaround for this. Since a trial user cannot create an organization as you mentioned, you won't be able to use a service account to create a project.
Having said that, you can create a project via CLI when logged in as a user instead. You can log in by running:
gcloud auth login
and following the instructions. The gcloud projects create command will then run successfully.
After adding other users from my organization as Project Editor and Viewer the projects aren't showing up in their Google Cloud Console project list, nor are they visible in gcloud projects list.
However if I give them a link directly to some resource inside the project they can navigate to it just fine,
and they can also use commands like gcloud container clusters list with the --project= set to the new projects and see the resources inside the project.
The documentation for the gcloud projects list (https://cloud.google.com/resource-manager/docs/creating-managing-projects#listing_projects) specifies it should list all projects on which you have resourcemanager.projects.list (which Project Viewer and Editor both grant) or any children under a parent on which you have resourcemanager.projects.list.
So maybe if I grant resourcemanager.projects.list on the organization level it would fix it, but I don't really want to grant the users such a broad access...
As mentioned by John Hanley :
In order for a user to list projects in an organization, they need resourcemanager.projects.list at the organization or folder level.If a user has access to a project, allowing them to list projects should not be an issue unless revealing the names of projects is not desired. In that case, just provide everyone with the Project ID and they can manually use that to access resources.
Note: The level (project, folder, organization) determines what users can access. You could create folders, move projects under folders and allow users to only list projects in their folders
For more information you can refer to the Serverfault Answer related to a similar issue and Documentation where creation and management of the Folders has been well explained.
Here is how to replicate:
As an admin create a "newProject990055" under an existing organization, select it and navigate to the IAM menu.
Add a user with just the role "Logs Viewer" for "newProject990055".
Login with such a user and try to select project "newProject990055". Expected: User won't see "newProject990055"
because the user has no access to list all projects, and
"newProject990055" is new, and the user has never visited it before.
With such a user hit https://console.cloud.google.com/logs/query?project=newProject990055.
Expected: User will see the logs for the "newProject990055" project
and user will be notice that such a project is selected.
Logoff and login back with such a user, click on the dropdown for projects. Expected: User should be able to see project
"newProject990055" because even though the user has no access to list
all projects, and "newProject990055" is new, the user has already
visited it before.
I seriously do not understand how the permissions work.
Let me explain:
I have a Facebook app set in my developer account
I have defined a test app
In my Unity app using the Facebook SDK, Im calling this login function:
string permissions = "public_profile,user_bithday,user_location";
FB.Login (permissions, LoginCallback);
After the callback, I'm asking for the granted permissions and I'm getting:
request response: {"data":[{"permission":"public_profile","status":"granted"},{"permission":"email","status":"granted"},{"permission":"publish_actions","status":"granted"},{"permission":"user_birthday","status":"granted"},{"permission":"user_likes","status":"granted"},{"permission":"user_photos","status":"granted"},{"permission":"user_friends","status":"granted"}]}
I have to say that I'm still experimenting with the SDK making with the same Facebook app, different logins from different Unity projects (from the Editor of course). The permissions I am getting are the one I asked with a project I was developing 3 weeks ago. Because everything was working, I focused on something different. Today I made a new project by asking for the permissions defined in the login function in the point 3.
My question is: why am I getting permissions I didn't ask for?
Will I have the same problem when I'll deploy the app on different devices?
[EDIT]
More important than those, why I'm not getting the permissions "user_location" I'm asking for? It's not even saying that the requested permission has been denied.
[/EDIT]
The idea is to use the same Facebook app but with 2 different Unity projects: one project is a game that will be deployed on iOS and Android and another one is a standalone app for Mac and Windows that will allow the authorized person to modify the game (let's say a game editor). As you can guess, the projects will need different permissions. Is this something duable or because I'm using 2 different projects with the same Facebook app I'll have problems?
Cheers for the help guys :-)
Once a user has granted a certain Facebook app permissions, they stay there unless the developer or the user explicitly take them away; The FB.Login() call is there to ensure that you have, at a minimum, the permissions you've requested.
Incidentally, Facebook recommends asking for permissions only at the exact point you need to use them; Asking for more permissions is done with FB.Login("just_the_new_permission_you_need") and it won't take away what the user gave thus far.
tl;dr yes, using two projects with the same appid means permissions from one will be granted to another and vice-versa.