I have a Superset role I created, and I assigned this role to a user. The goal was that the user would be able to see a dashboard created by another user (view only), but this user gets "Access Denied" on some of the charts in the dashboard. Is there a way to see which permissions are missing?
Expecting to see this (doing a video tutorial):
I'm now seeing:
Curious if something changed? If so is the best workaround to add a private key to the user via the user's security tab within IAM?
AWS changes all the time!
As per the message in blue, you can generate access keys after you create the user. Go to the Security credentials tab on the IAM User.
... without giving access to everything in the project with roles like Editor.
Apparently giving access to Notebooks Admin is not sufficient. The user gets a 403 error.
Turns out that authentication for the notebook proxy that is automatically set up by Google requires that the user has access to use the default compute service account. So, apart from giving a proper role like Notebooks Admin, you need to:
Locate the default compute service account for your project
Give the user in question the "Use Service Account" role on the service account's permissions tab.
I need to set Stackdriver console view permission for a set of users.
Currently I have assigned them the roles/logging.viewer role, but they cannot access the GCP console to view the Stackdriver logs.
For now I have given them the project viewer role to access the logs in the GCP console.
Can this be done in some other way?
According to the documentation, and as mentioned by #pradeep above, if the role with the title “Logs Viewer” is given to a user, the user is indeed granted the permissions to view the Stackdriver Logs in the GCP Logging Console view. You may verify this against the documentation: in order to view (minimal read-only access) the Stackdriver Logs in the GCP Console, the following permissions are necessary:
logging.logEntries.list
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
resourcemanager.projects.get
All of these are included in the aforementioned role.
I reproduced your case by visiting the “IAM & admin” section in my GCP Console. I added a new member of a gmail account. In the picture below, you may see the available options when adding a new member:
While selecting a role, I typed “log” in the “Type to filter” search field and added the role “Logs Viewer”, as you can see below:
The user with the corresponding email, which I had just added, was able to view the logs in the console by selecting the corresponding project.
Additionally, Google Groups are a convenient way to apply an access policy to a collection of users. My example though was examining one user with a gmail account.
Some additional information that you might find useful:
During my investigation, I figured out that users with the “Logs Viewer” role will not be able to list the logs using the "gcloud logging logs list" command; instead they will receive an error indicating that a permission is missing from the role. The permission needed in order to run the "gcloud logging logs list" command is "serviceusage.services.use", which is included in the "Editor" and project "Owner" roles and other roles. I understand this is not your issue, but I mention this as well just in case you encounter it.
There is a Public Issue Tracker about this matter to include the permission “serviceusage.services.use” in role roles/logging.viewer by default so you will not have to do it manually in the future. For now you will need to include the permission manually.
As I am not sure why your users cannot view the Logs in the console, since my reproduction was successful, could you please attach a screenshot of the issue and further elaborate on the description of your question? For example:
describe the steps of how you are granting roles/logging.viewer;
does your workaround (granting project viewer) allow the users to view the Logs via the Console?
do the users or you receive an error while trying to view Logs when roles/logging.viewer was granted?
If you give a user the roles/logging.viewer role then they can only view the Stackdriver service; they cannot access other services, for example Storage.
What error do you get when giving only roles/logging.viewer? Can you attach a screenshot as well?
We're trying to give a Google Cloud Platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default Editor role on the project it exists in. Essentially, we want to give it every permission that the Owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2: the screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permission to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the 'IAM & Admin > Service accounts' tab).
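The two answers above, and the Notebooks answer earlier on the page, turn on the same distinction: a service account appears as a member in the project policy when you want to give it permissions, and as a resource with its own policy when you want to let a user act as it. This added example (not code from the thread or from Google) manipulates IAM policy documents in the JSON shape "gcloud projects get-iam-policy" and "gcloud iam service-accounts get-iam-policy" print, so the two cases can be compared side by side. The project ID, service account email and user addresses are constructed placeholders.

```python
"""Edit IAM policy documents for the two cases discussed in the thread.

Added example; policies, emails and the etag are constructed. A real
workflow is get-iam-policy -> edit -> set-iam-policy, keeping the etag
so a concurrent change to the policy is rejected rather than overwritten.
"""
import copy
import json
from typing import List

VALID_MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of policy with member added to role (idempotent)."""
    if not member.startswith(VALID_MEMBER_PREFIXES):
        raise ValueError(f"member must carry a type prefix, got {member!r}")
    updated = copy.deepcopy(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def members_with_role(policy: dict, role: str) -> List[str]:
    """Members bound to a role in the given policy (sorted)."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            return sorted(binding["members"])
    return []


# Case from this question: give the service account Storage Admin.
# The *project* is the resource and the service account is the member.
def grant_storage_admin_to_sa(project_policy: dict, sa_email: str) -> dict:
    return add_binding(project_policy, "roles/storage.admin",
                       f"serviceAccount:{sa_email}")


# Case from the Notebooks answer: let a user act as the default compute
# service account. The *service account* is the resource and the user
# is the member; this grants nothing on the project itself.
def allow_user_to_act_as_sa(sa_policy: dict, user_email: str) -> dict:
    return add_binding(sa_policy, "roles/iam.serviceAccountUser",
                       f"user:{user_email}")


# Constructed policies in the shape gcloud prints them.
PROJECT_POLICY = {
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/editor", "members": ["user:dev@example.com"]},
    ],
}
SA_EMAIL = "app-sa@example-project.iam.gserviceaccount.com"
SA_POLICY = {"version": 1, "etag": "BwConstructedEtag=", "bindings": []}


if __name__ == "__main__":
    new_project = grant_storage_admin_to_sa(PROJECT_POLICY, SA_EMAIL)
    new_sa = allow_user_to_act_as_sa(SA_POLICY, "dev@example.com")
    # These are the documents you would pass to
    #   gcloud projects set-iam-policy PROJECT policy.json
    #   gcloud iam service-accounts set-iam-policy SA_EMAIL sa-policy.json
    print(json.dumps(new_project, indent=2))
    print(json.dumps(new_sa, indent=2))
```

The deep copy keeps the original document untouched so the change can be reviewed as a diff before it is applied, and the idempotent append means re-running the script does not duplicate members. The member-prefix check catches the common mistake of pasting a bare email address, which the API rejects.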
I am trying to log in to the APP publisher after creating a user and assigning the internal/Publisher role to it, but every time it gives me the error
No Privileges to login. You do not have the permission to login to this application. Please contact your administrator and request permission.
The console error is
User does not have permission to access the publisher application. Make sure the user has the publisher role.
If the user has the internal/publisher role assigned, logging in should be possible.
Can you please mention the exact steps you are executing and any other changes made to configurations.
However, there is a known issue [1] where we can't use a new role with permissions identical to those of the internal/publisher role.
If you are trying to use such a newly created role, you can try the workaround mentioned in [1].
[1] https://wso2.org/jira/browse/APPM-796