I have service account SA1 which is created in project1 with permission ( cloud function invoker, service account user ). i want to deploy a cloud function CF1 in project2 and specify SA1 in that cloud function as SERVICE_ACCOUNT parameter. while deploying CF1 in project2 i am getting below error even though "service account user" permission exist for this SA1 in project 1 and
SA1 is also added in project 2
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Ok], message=[Missing necessary permission iam.serviceAccounts.act As
for cloud-functions-mixer on the service account SA1.
Grant the role 'roles/iam.serviceAccountUser' to cloud-functions-mixer on the service account SA1.
It's absolutely not clear and it's a great question!
You need 2 things
Firstly, run the proposed command
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=cloud-functions-mixer --role=roles/iam.serviceAccountUser
BUT what is that cloud-functions-mixer?? In fact, it's only the account that runs the command
#for you
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=user:<your email> --role=roles/iam.serviceAccountUser
# for a service account (CI/CD pipeline for instance)
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=serviceAccount:<service account email> --role=roles/iam.serviceAccountUser
Then activate the cross-project project usage, deactivated by default. You can achieve that only if you have an organisation. If you haven't, you can't go to organisation policies
Go to Organization policies
Look for Disable Cross-Project Service Account Usage
Edit, click on customize and add rule to disable the rule
Related
I know you can allow members to impersonate service accounts in GCP. Is it possible to allow one service account to impersonate another?
My use case is I have compute instances used for CI (running without many privileges) under service-account-a#mydomain.google.com.
I need them to be able to impersonate service-account-b#mydomain.google.com, which has privileges on the resources and objects it will deploy.
Is that possible?
Yes, you can grant permission for a service account (SA_A) to impersonate another service account (SA_B).
This requires that the service account (SA_A) possess the Service Account Token Creator role roles/serviceAccountTokenCreator on the resource SA_B.
The following grants SA_A to impersonate SA_B:
gcloud iam service-accounts add-iam-policy-binding [SA_B_FULL_EMAIL] \
--member serviceAccount:[SA_A_FULL_EMAIL] \
--role roles/iam.serviceAccountTokenCreator
REQUIREMENTS
The user executing the above command requires a number of items:
The following APIs must be enabled:
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
These commands enable the APIs:
gcloud services enable iamcredentials.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
The user requires the role roles/serviceusage.serviceUsageConsumer.
gcloud projects add-iam-policy-binding [PROECT_ID] \
--member "[ACCOUNT]" \
--role "roles/serviceusage.serviceUsageConsumer"
gcloud iam service-accounts add-iam-policy-binding
Google Cloud – Improving Security with Impersonation
Managing service account impersonation
I am trying to deploy a service with a non-default service account by following this guide and it says I need "the iam.serviceAccounts.actAs permission on the service account being deployed". The service account I am using is #cloudbuild.gserviceaccount.com, but I don't see the option to add it on my project's Permissions page.
The key point is that the service account is a resource. You need to add an IAM role for your identity to the service account (the resource). This grants you permissions on the resource (service account).
Open the Google Cloud Console. Go to IAM & Admin -> Service accounts.
Find the service account. Tick the box to the left of the service account.
In the right-hand "Permissions" panel, click ADD MEMBER
Add your IAM member email address. For the role select Service Accounts -> Service Account User.
Click Save
You can also you the CLI:
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT] --member [MEMBER_EMAIL] --role roles/iam.serviceAccountUser
gcloud iam service-accounts add-iam-policy-binding
On the service account you are using, you need to give yourself the role of Service Account User.
Go to IAM -> Service Accounts -> (Your service Account) -> Permissions -> Grant Access
(By doing this you are granting yourself access to use this service account)
See also:
Unable to create a new Cloud Function - cloud-client-api-gae
Cloud Build fails to deploy to Google App Engine - You do not have permission to act as #appspot.gserviceaccount.com
permission error for uploading images to google cloud storage, but I already gave proper permissions on IAM
Error: reportai-images#even-shuttle-250512.iam.gserviceaccount.com does not have storage.objects.create access to reportai-images/images.jpeg.
at Gaxios.request (/home/jvcabral/Projects/reportai_image_upload/node_modules/gaxios/build/src/gaxios.js:70:23)
at process._tickCallback (internal/process/next_tick.js:68:7)
IAM Permissions
The IAM member account does not have the permission storage.objects.create on your project.
To list the IAM member roles assigned to a project execute this command. Replace PROJECT_ID with your Project ID which appears to be even-shuttle-250512.
gcloud projects get-iam-policy PROJECT_ID > project_roles.txt
Review the file project_roles.txt for the member and confirm what roles are assigned to the service account:
reportai-images#even-shuttle-250512.iam.gserviceaccount.com
To add a role to the project granting the service account the required permission:
Windows Syntax:
gcloud projects add-iam-policy-binding PROJECT_ID ^
--member=serviceAccount:reportai-images#even-shuttle-250512.iam.gserviceaccount.com ^
--role=roles/storage.admin
Linux/macOS Syntax:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:reportai-images#even-shuttle-250512.iam.gserviceaccount.com \
--role=roles/storage.admin
Note that in the previous command I assigned the role Storage Admin. Pick a role that meets your requirements for least privilege. For example roles/storage.legacyBucketWriter is probably more appropriate.
Cloud IAM roles for Cloud Storage
I created a specific service account in GCP for provisioning clusters in my project :
gcloud iam service-accounts create [sa_name]
gcloud projects add-iam-policy-binding \
[project_id] \
--role=roles/container.admin \
--member=serviceAccount:[sa_name]#[project_id].iam.gserviceaccount.com
gcloud iam service-accounts keys create [keyfile_name] \
--iam-account=[sa_name]#[project_id].iam.gserviceaccount.com
gcloud auth activate-service-account --key-file=[keyfile_name]
When I run the command gcloud container clusters create [cluster_name]
I always get :
ERROR: (gcloud.container.clusters.create) ResponseError: code=403,
message=Required "container.clusters.create" permission(s) for
"projects/context-platform-staging". See
https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted
for more info.
As you can see, I use roles/container.admin but I even tried to apply the roles/editor and roles/owner to this service account, same behavior.
The only way this command works so far is to use my main google owner account (not a service account).
What am I missing here ?
From the error message, I understood that the service account does not have the permission "container.clusters.create".
Please add the "Container Engine Cluster Admin" and also "Container Engine Admin" roles on the service account that the cluster is being created with:.
To create a cluster, you need both "container.clusters.create" permission on the project. You also need to assign the role “roles/iam.serviceAccountUser” to the user who will use the service account. In this way, the user can access GKE's service account.
For more information and in-depth tutorial, please refer to this article in the GCP documentation.
I attempting to use an activated service account scoped to create and delete gcloud container clusters (k8s clusters), using the following commands:
gcloud config configurations create my-svc-account \
--no-activate \
--project myProject
gcloud auth activate-service-account my-svc-account#my-project.iam.gserviceaccount.com \
--key-file=/path/to/keyfile.json \
--configuration my-svc-account
gcloud container clusters create a-new-cluster \
--configuration my-svc-account \
--project= my-project
--zone "my-zone"
I always receive the error:
...ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".
How do I grant my-svc-account access to the default service account for GKE?
After talking to Google Support, the issue was that the service account did not have a "Service Account User" permissions activated. Adding "Service Account User" resolves this error.
Add the following role to the service account who makes the operation:
Service Account User
Also see:
https://cloud.google.com/kubernetes-engine/docs/how-to/iam#service_account_user
https://cloud.google.com/iam/docs/service-accounts#the_service_account_user_role
https://cloud.google.com/iam/docs/understanding-roles
For those that ended up here trying to do an Import of Firebase Firestore documents with a command such as:
gcloud beta firestore import --collection-ids='collectionA','collectionB' gs://YOUR_BUCKET
I got around the issue by doing the following:
From the Google Cloud Console Storage Bucket Browser, add the service account completing the operation to the list of members with a role of Storage Admin.
Re-attempt the operation.
For security, I revoked the role after the operation completed, but that's optional.
iam.serviceAccounts.actAs is the exact permission you need from Service Account User
I was getting the The user does not have access to service account... error even though I added the Service Account User role as others have suggested. What I was missing was the organization policy that prevented service account impersonation across projects. This is explained in the docs: https://cloud.google.com/iam/docs/impersonating-service-accounts#enabling-cross-project
Added Service Account User role to service account and it worked for me.