So I'm pulling my hair out over this and reaching out here for help. I'm trying to set up a service account with Cloud Translation, and Text-to-speech enabled, but we keep getting this response:
[error] {
"message": "Cloud IAM permission 'cloudtranslate.generalModels.predict' denied. ",
"code": 7,
"status": "PERMISSION_DENIED",
"details": []
}
I have confirmed that the service account has the "cloudtranslate.generalModels.predict" permission, and showing the "Cloud Translation API User" role. We've also confirmed that it works with a different Service account that my colleague set up in his personal Google console profile. But, we need this setup with an account through our org.
I did verify that the service account has the permission from the IAM Policy Troubleshooter so and that my organization's admin sees that the service account is granted access through ancestor policies.
So what else can we check?
Edit: Ok, turned out we had a hard-coded value for resource location, which was set to the wrong project. So of course it was coming back as permission denied.
Ok, turned out we had a hard-coded value for resource location, which was set to the wrong project. So of course it was coming back as permission denied.
Related
I am granted with a customized role with below permissions
bigquery.connections.delegate
bigquery.savedqueries.get
bigquery.savedqueries.list
logging.views.access
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.multipartUploads.abort
storage.multipartUploads.create
storage.multipartUploads.list
storage.multipartUploads.listParts
storage.objects.create
storage.objects.get
storage.objects.list
When I try to create a transfer job to bring data into a bucket/folder that I created,
this error pops up (Failed to obtain the location of the GCS bucket contributed Additional details: project-720965328418#storage-transfer-service.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. Permission 'storage.buckets.get' denied on resource (or it may not exist).)
However, this project doesn't have any service account (I can view this because I have a different account with the owner privilege)
You are looking in the wrong place. Go to IAM & Admin -> IAM which is a different screen. Then, click the checkbox located in the top right Include Google-managed role grants. If the service account still does not show, click the GRANT ACCESS button and enter the email address.
I've created Service Account A and granted roles Service Account Admin and Service Account Key Admin. I did this work in the GCP Console.
Service Account A's function is to create other service accounts programmatically, using the GCP Java SDK. It successfully creates new service accounts, but when it goes to create a key for the newly created service account, I get the following response:
{
"code": 403,
"errors": [
{
"domain": "global",
"message": "Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/<new_service_account_name>#<project_id>.iam.gserviceaccount.com.",
"reason": "forbidden"
}
],
"message": "Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/-/serviceAccounts/<new_service_account_name>#<project_id>.iam.gserviceaccount.com.",
"status": "PERMISSION_DENIED"
}
I've tried waiting to see if perhaps I tried to create the key too soon after creating the service account, but waiting hours resulted in no change.
Service Account A can successfully create a key for itself, just not for other service accounts it creates.
How do I resolve?
You have one of three problems:
Service Account A actually does not have the IAM role Service Account Key Admin in the project. Use the CLI command gcloud projects get-iam-policy and double-check.
Your code is using the wrong identity. You believe that you are using the service account but instead, another identity is being loaded by ADC (Application Default Credentials), or you made a mistake in your code.
You assign the correct role but on the service account instead of the project. Use the CLI command gcloud iam service-accounts get-iam-policy. If you find the role listed in the output, you assigned the role in the wrong place. Use the CLI command gcloud projects add-iam-policy-binding instead.
Note: There is a fourth method to prevent you from creating service account keys. Constraints might be enabled:
Restricting service account usage
In an identity pool in AWS Cognito I am trying to make users assume an IAM Role based on the group that they belong to in an user pool. Whenever I select Edit Identity Pool > Authentication Providers > "Choose Role From Token" and then click save changes, I get a banner at the top of my screen saying changes saved successfully, but if I go back and look at the settings they have returned to "Use Default Role" instead of "Choose Role From Token". Is this a bug, do I have something configured wrong where that is an invalid option, or another potential issue?
Here is an image of what settings I select and want to take effect
Here is the state that it currently is and what it returns to after I press save changes
AWS CLI Command for Setting Identity Pool Role with Option "Choose Role From Token"
aws cognito-identity set-identity-pool-roles --identity-pool-id "IDENTITY POOL ID" --roles authenticated="Auth IAM Role ARN",unauthenticated="UnAuth IAM Role ARN" --role-mappings cognito-idp.<<AWS REGION>>.amazonaws.com/<<USER POOL ID>>:<< APP CLIENT ID>>="{Type="Token", AmbiguousRoleResolution="Deny"}"
I am confident that this must be a bug with the AWS web console and not a fault of my own. After trouble shooting as much as I could, I set up the AWS CLI and ran the necessary commands from there and it worked on the first try. After revisiting the page in the AWS web console the changes were reflected properly and my authentication now works properly.
I had same problem with UI, thanks for this post, I tried the CLI.
identity_roles.json
{
"IdentityPoolId": "us-east-1:pool_id",
"Roles": {
"unauthenticated": "arn:aws:iam::account_id:role/UnAuthDefaultRole",
"authenticated": "arn:aws:iam::account_id:role/AuthDefaultRole"
},
"RoleMappings": {
"cognito-idp.us-east-1.amazonaws.com/user-pool-id:app-id": {
"Type": "Token",
"AmbiguousRoleResolution": "AuthenticatedRole"
}
}
}
aws cognito-identity get-identity-pool-roles --identity-pool-id us-east-1:identity_pool_id
aws cognito-identity set-identity-pool-roles --cli-input-json file://pwd/identity_roles.json
I am trying to apply the role binding below to grant the Storage Admin Role to a GCP roleset in Vault.
resource "//cloudresourcemanager.googleapis.com/projects/{project_id_number}" {
roles = [
"roles/storage.admin"
]
}
I want to grant access to the project level, not a specific bucket so that the GCP roleset can access and read/write to the Google Container Registry.
When I try to create this roleset in Vault, I get this error:
Error writing data to gcp/roleset/my-roleset: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-roleset
Code: 400. Errors:
* unable to set policy: googleapi: Error 403: The caller does not have permission
My Vault cluster is running in a GKE cluster which has OAuth Scopes for all Cloud APIs, I am the project owner, and the service account Vault is using has the following permissions:
Cloud KMS CryptoKey Encrypter/Decrypter
Service Account Actor
Service Account Admin
Service Account Key Admin
Service Account Token Creator
Logs Writer
Storage Admin
Storage Object Admin
I have tried giving the service account both Editor and Owner roles, and I still get the same error.
Firstly, am I using the correct resource to create a roleset for the Storage Admin Role at the project level?
Secondly, if so, what could be causing this permission error?
I had previously recreated the cluster and skipped this step:
vault write gcp/config credentials=#credentials.json
Adding the key file fixed this.
There is also a chance that following the steps to create a custom role here and adding that custom role played a part.
I've exported MySQL Database following the MySQL Export Guide successfully.
Now, I'm trying to import MySQL Database following the MySQL Import Guide.
I've checked the permissions for the service_account_email I'm using, and I have allowed both Admin SQL and Admin Storage permissions.
I was able to successfully activate my service account using this command locally:
gcloud auth activate-service-account <service_account_email> --key-file=<service_account_json_file>
After I ran the command:
gcloud sql import sql <instance> <gstorage_file> --database=<db_name> --async
I got this information:
{
"error": {
"errors": Array[1][
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
Other Things I've Tried
I also tried using the service_account_email of my SQL instance, which came from:
gcloud sql instances describe <instance_name>
But, it seems to have the same error.
Question
Based on the REST API JSON error I'm given, how do I "login" using the service_account_email so I wouldn't get the 401 Error?
Problem is about the permission of database instance service account to write on created bucket. Steps to solve this issue
1) Go to your Cloud SQL Instance and copy service account of instance (Cloud SQL->{instance name}->OVERVIEW->Service account)
2) After copy the service account, go the Cloud Storage Bucket where to want to dump and set desired permission to that account (Storage->{bucket name}->permissions->add member).
The cloud SQL instance is running under a Google service account that is not a part of your project. You will need to grant this user permissions on the file in Cloud Storage that you want to import. Here is a handy dandy bash snippet that will do that.
SA_NAME=$(gcloud sql instances describe YOUR_DB_INSTANCE_NAME --project=YOUR_PROJECT_ID --format="value(serviceAccountEmailAddress)")
gsutil acl ch -u ${SA_NAME}:R gs://YOUR_BUCKET_NAME;
gsutil acl ch -u ${SA_NAME}:R gs://${YOUR_BUCKET_NAME}/whateverDirectory/fileToImport.sql;
The first line gets the service account email address.
The next line gives this service account read permissions on the bucket.
The last line gives the service account read permissions on the file.
Google also has some of the worst error reporting around. If you get this error message it might also be that you entered a PATH incorrectly. In my case it was my path to my bucket directory. Go figure, I don't have permissions to access a bucket that doesn't exist. Technically correct but hardly useful.
After performing some research, and based in the permission error, these are the steps that I find more useful for you to troubleshoot the issue:
In order to easier test ACLs and permissions, you can:
Create and download a key for a service account in question
Use 'gcloud auth activate-service-account' to obtain credentials of service account
Use gsutil as usual to see if you can access the object in question
You might need to grant additional IAM role such as 'roles/storage.admin' to service account in question, see more information here.
According to the google Docs
Describe the instance you are importing to:
gcloud sql instances describe INSTANCE_NAME
Copy the serviceAccountEmailAddress field.
Use gsutil iam to grant the storage.objectAdmin IAM role to the service account for the bucket.
gsutil iam ch serviceAccount:SERVICE-ACCOUNT:objectAdmin gs://BUCKET-NAME
Then Import the database