My application runs in the following error when trying to perform Stackdriver AsyncReporter health check. I can't seem to find which authentication scopes are required for this from the documentation.
io.grpc.StatusRuntimeException: PERMISSION_DENIED: The caller does not have permission
at io.grpc.Status.asRuntimeException(Status.java:535)
at zipkin2.reporter.stackdriver.internal.AwaitableUnaryClientCallListener.onClose(AwaitableUnaryClientCallListener.java:100)
at io.grpc.internal.DelayedClientCall$DelayedListener$3.run(DelayedClientCall.java:463)
at io.grpc.internal.DelayedClientCall$DelayedListener.delayOrExecute(DelayedClientCall.java:427)
at io.grpc.internal.DelayedClientCall$DelayedListener.onClose(DelayedClientCall.java:460)
at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:562)
at io.grpc.internal.ClientCallImpl.access$300(ClientCallImpl.java:70)
at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:743)
at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:722)
at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Currently, my application is using the following authentication scopes
Scopes in use by default credentials:
[https://www.googleapis.com/auth/pubsub,
https://www.googleapis.com/auth/spanner.admin,
https://www.googleapis.com/auth/spanner.data,
https://www.googleapis.com/auth/datastore,
https://www.googleapis.com/auth/sqlservice.admin,
https://www.googleapis.com/auth/devstorage.read_only,
https://www.googleapis.com/auth/devstorage.read_write,
https://www.googleapis.com/auth/cloudruntimeconfig,
https://www.googleapis.com/auth/trace.append,
https://www.googleapis.com/auth/cloud-platform,
https://www.googleapis.com/auth/cloud-vision,
https://www.googleapis.com/auth/bigquery,
https://www.googleapis.com/auth/monitoring.write]
The prerequisites required for a service account to call the api are
Select or create a Cloud Platform project.
Enable the StackdriverLogging API.
Set up authentication with a service account so you can
access the API.
Check whether your service account is allowed to create.
The Stackdriver Logging APIs prohibit requests made with only an API key and require requests to be authenticated (OAuth2). The Cloud IAM permissions that are needed must be granted to the requesting user. Because they typically access or modify resources that are protected by IAM, the majority of Google Cloud APIs function in this manner. Additionally, there is no "principal" to grant access to if the request only makes use of an API key.
Attaching supporting doc for your reference.
Related
On the Identity Platform section in the Google Cloud Console on the settings page and the triggers tab I added a cloud function named before-signup to the before creation trigger. But I keep getting an error when creating an account
BLOCKING_FUNCTION_ERROR_RESPONSE : HTTP Cloud Function returned an error
403 Forbidden
Your client does not have permission to get URL before-signup from this server
So how do I know which service account is associated with identity platform? And how do I give the identity platform service account permission to call the cloud function?
To resolve the error "HTTP Cloud Function returned an error 403 Forbidden, Your client does not have permission to get URL before-signup from this server", you need to grant the Identity Platform service account access to the Cloud Function. Here are the steps to grant the access:
Identify the service account: To identify the service account
associated with the Identity Platform, navigate to the "IAM & admin"
section of the Google Cloud Console, and then search for "Identity
Platform" in the member filter. The service account associated with
the Identity Platform will be listed as a member.
Grant the access: To grant the service account access to the Cloud
Function, add the service account as a member in the Cloud Function
IAM section and assign the "Cloud Functions Invoker" role to the
service account.
Deploy the updated IAM configuration: Once you have granted the
access, make sure to deploy the updated IAM configuration by
clicking the "Save" button in the IAM section of the Cloud
Function.
This should resolve the error and allow the Identity Platform to call the Cloud Function. Refer to this Google Cloud Functions Error: Forbidden
I am trying to create a Cron job programmatically in the CloudScheduler Google Cloud Platform using the following API explorer.
Reference: Cloud Scheduler Documentation
Even though I have given the user Owner permission and verified it in Policy Troubleshooter that it has cloudscheduler.jobs.create, I am still getting the following error.
{
"error": {
"code": 403,
"message": "The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.create\" for the resource \"projects/cloud-monitoring-saurav/locations/us-central\" (or the resource may not exist).",
"status": "PERMISSION_DENIED"
}
}
I had the same issue. The problem was that the region i specified did not support the cloud scheduler. You seem to have the same issue: "us-central" is not suppported. Try "us-central1"
The error is caused by using a service account that does not have an IAM role that includes the permission cloudscheduler.jobs.create. An example role is roles/cloudscheduler.admin aka Cloud Scheduler Admin. I have the feeling that you have mixed the permission of the service account that you use with Cloud Scheduler (at runtime, when a job triggers something) and the permission of the account currently creating the job (aka your account for example).
You actually need two service accounts for the job to get created. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for the default Cloud Scheduler itself ( which is managed by Google)
Use an existing service account to be used for the call from Cloud Scheduler to your HTTP target or you can create a new service account for this purpose. The service account must belong to the same project as the one in which the Cloud Scheduler jobs are created. This is the client service account. Use this one when specifying the service account to generate the OAuth / OICD tokens.
If your target is part of Google Cloud, like Cloud Functions/Cloud Run update your client service account by granting it the necessary IAM role (Cloud function invoker for cloud functions and Cloud Run Invoker for Cloud Run).The receiving service automatically verifies the generated token. If your target is outside of Google Cloud, the receiving service must manually verify the token.
The other service account is the default Cloud Scheduler service account which must also be present in your project and have the Cloud Scheduler Service Agent role granted to it. This is so it can generate header tokens on behalf of your client service account to authenticate to your target. The Cloud Scheduler service account with this role granted is automatically set up when you enable the Cloud Scheduler API, unless you enabled it prior to March 19, 2019, in which case you must add the role manually.
Note : Do not remove the service-YOUR_PROJECT_NUMBER#gcp-sa-cloudscheduler.iam.gserviceaccount.com service account from your project, or its Cloud Scheduler Service Agent role. Doing so will result in 403 responses to endpoints requiring authentication, even if your job's service account has the appropriate role.
In my case it required the permission: cloudscheduler.jobs.delete.
I found the role the by permission name: https://cloud.google.com/iam/docs/permissions-reference
It was Cloud Scheduler Admin (roles/cloudscheduler.admin)
Then I added it to my service account roles.
I am setting up a service account in GCP in order to call the Directory API.
But I always get permission error: Not Authorized to access this resource/api.
I have setup this role but no luck. How do I know what permission I need to configure in order to call the API?
Google Directory API is not a part of GCP - hence any roles / permissions you assign to your service account will not work.
You have to create a role and assign it to a user in order to be able to work with this API.
Your service account is not a Domain Admin so it doesn't have access. You can however enable domain-wide-delegation and make the service account impersonate domain admin so your requests will be accepted;
This page describes how to allow members and resources to impersonate, or act as, an Identity and Access Management (IAM) service account. It also explains how to see which members are able to impersonate a given IAM service account.
Have a look at this answer which may be usefull to you. One more document that you may find helpful is "Authorising your request".
I have a use case where I have 2 apps:
React SPA frontend, running on web.myportal.example
Node Express backend, exposing a REST api on api.myportal.example
Both apps are deployed into GCP Compute Engine and are accessible from the Internet. I was able to configure IAP to prevent unauthorized access. I can specify a list of email accounts that are allowed to use the UI and API.
What I need is autorization capability from GCP IAP. Does it have one?
Simple example - some of the API endpoints should only be accessible to folks with a specific group/role membership. How can I extract that from IAP? The only thing IAP leaves me is a GCP_IAAP_AUTH_TOKEN cookie, which I cant even use due to it's definition.
You may try to put an LB in front of each service (one for API, another for an APP) and configure IAP to use them and grant access accordingly.
When an application or resource is protected by IAP, it can only be
accessed through the proxy by members, also known as users, who have
the correct Identity and Access Management (IAM) role. When you grant
a user access to an application or resource by IAP, they're subject to
the fine-grained access controls implemented by the product in use
without requiring a VPN. When a user tries to access a IAP-secured
resource, IAP performs authentication and authorization checks.
But it's not possible to configure IAP to grant different access-level to an API methods based on who logged in. It doesn't look like at allows such fine-grained authorisation management - only you get access or no;
After authentication, IAP applies the relevant IAM policy to check if
the user is authorized to access the requested resource. If the user
has the IAP-secured Web App User role on the Cloud Console project
where the resource exists, they're authorized to access the
application.
How can we validate a third party Amazon Resource Name (ARN) and get all applied IAM permissions or validate certain IAM permissions with the AWS SDK for Java?
I'm not aware of an option to actively retrieve all AWS IAM Permissions applied to an ARN for Cross-Account API Access Using IAM Roles (assuming that's what you are after).
However, you can use the AWS Security Token Service's (STS) DecodeAuthorizationMessage API action (resp. the AWS SDK for Java's decodeAuthorizationMessage(...) method) to get additional information about the authorization status of a request from an encoded message returned in response to an AWS request:
The decoded message includes the following type of information:
Whether the request was denied due to an explicit deny or due to the absence of an explicit allow. For more information, see Determining
Whether a Request is Allowed or Denied in Using IAM.
The principal who made the request.
The requested action.
The requested resource.
The values of condition keys in the context of the user's request.
This should at least allow you to validate certain permissions upfront and/or provide better guidance to your users for exceptions on request failures due to lack of permission.