I'm pretty new to the cost explorer and looking at this scenario:
There's a root (organization) account which has multiple linked accounts, like this:
Root Account
- Account B
- Account C
- ...
When I filter a specific account (AccountB) from the root account, I see a cost discrepancy compared to the view from AccountB itself.
Here's an image to demonstrate the issue better:
Root account view, filtered by Linked AccountB:
View from AccountB itself:
Any idea/suggestions why I see this discrepancy? (Is there anything else I need to do to get the same cost for AccountB and root->AccountB?)
So Savings Plans are actually shown in both views, but EDP and private rate card discounts are only shown on the root account.
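As an added example (not code from the original post or answer), here is a small Python model of the two views: it sums CUR-style line items per linked account, once with every line item (the management account's view filtered by linked account) and once without the payer-only discount types (the member account's own view), and attributes the difference by line item type. The rows are constructed, and the line item type names (Usage, SavingsPlanCoveredUsage, SavingsPlanNegation, EdpDiscount, PrivateRateDiscount) are assumed to follow the Cost and Usage Report vocabulary; which types are payer-only is taken from the answer above.

```python
"""Reconcile a member account's cost as seen from the payer (management)
account versus as seen from the member account itself.

Added example, not from the original post. SAMPLE_ROWS are constructed,
CUR-style line items; the lineItem/LineItemType values are assumed to follow
the AWS Cost and Usage Report vocabulary."""
from collections import defaultdict

# Discount line items that only materialise at the payer level; the member
# account's own Cost Explorer never sees them (assumption based on the answer).
PAYER_ONLY_TYPES = frozenset({"EdpDiscount", "PrivateRateDiscount"})

# Constructed sample: one month of line items for two member accounts.
SAMPLE_ROWS = [
    {"account": "111111111111", "type": "Usage", "cost": 100.0},
    {"account": "111111111111", "type": "SavingsPlanCoveredUsage", "cost": 40.0},
    {"account": "111111111111", "type": "SavingsPlanNegation", "cost": -40.0},
    {"account": "111111111111", "type": "EdpDiscount", "cost": -12.0},
    {"account": "111111111111", "type": "PrivateRateDiscount", "cost": -3.0},
    {"account": "222222222222", "type": "Usage", "cost": 50.0},
    {"account": "222222222222", "type": "EdpDiscount", "cost": -6.0},
]


def cost_by_account(rows, *, payer_view):
    """Sum cost per account.

    payer_view=True keeps every line item (what the management account sees
    when filtering by linked account); False drops the payer-only discount
    types (what the member account sees in its own Cost Explorer). Savings
    Plan line items are kept in both views, matching the answer."""
    totals = defaultdict(float)
    for row in rows:
        if not payer_view and row["type"] in PAYER_ONLY_TYPES:
            continue
        totals[row["account"]] += row["cost"]
    return dict(totals)


def explain_discrepancy(rows, account):
    """Break the payer-vs-member difference for one account down by line item
    type, so the discrepancy can be attributed rather than just observed."""
    by_type = defaultdict(float)
    for row in rows:
        if row["account"] == account and row["type"] in PAYER_ONLY_TYPES:
            by_type[row["type"]] += row["cost"]
    payer = cost_by_account(rows, payer_view=True).get(account, 0.0)
    member = cost_by_account(rows, payer_view=False).get(account, 0.0)
    return {
        "payer_view": payer,
        "member_view": member,
        "difference": payer - member,
        "by_type": dict(by_type),
    }


if __name__ == "__main__":
    print(explain_discrepancy(SAMPLE_ROWS, "111111111111"))
```

In the constructed data the member account reports 100.0 for account 111111111111 while the payer's filtered view reports 85.0; the whole 15.0 gap is the EDP and private rate card discount line items, which is exactly the kind of breakdown to check before assuming the views are wrong.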
I have created an Organisation with the following set-up:
- Root
-- Acc1 (Management Account)
-- Acc2
-- Acc3
-- Acc4
I have deleted Acc2, Acc3, and Acc4 over a week ago. However, I still cannot remove them from my Organisation. I get a ConstraintViolationException: "The member account must be configured with a valid payment method, such as a credit card."
However, I cannot do that as I have deleted them.
The quick solution is to close the account by clicking on its name and then, in the top right, clicking on Close instead of Remove. After 90 days the account and its resources are unrecoverable.
This is the info that I got from Amazon after trying to solve this issue for myself. The account needs to be a standalone account to be removed from under my org.
That's why I got the ConstraintViolationException; it then goes into detail about what specifically needs to be added to the account to remove it. In my case:
The member account must be configured with a valid payment method,
such as a credit card.
Meaning that the account needs credit card information to pay for the services it may use in the future. Before, the account didn't need that info because it was linked to the credit card of my organization.
You do have the option of signing into that account and adding the info for whatever constraint is needed, but that's the whole point: that is not my account and I want it removed.
The only other option is to close the account and wait the 3 months for it to be removed from my org. After that I don't care if it's recoverable or not.
Refs:
https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html?icmpid=docs_orgs_console
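The remove-then-close decision described in this answer, as an added Python example that is not part of the original answer. It is written against the boto3 Organizations client calls `remove_account_from_organization` and `close_account`; the client is passed in, so the same function works with `boto3.client("organizations")` and with the constructed `FakeOrganizations` stand-in below, which only exists so the flow can be exercised offline. The `allow_close` flag is an assumption of this example: closing is irreversible after the post-closure period, so it should never be the silent default.

```python
"""Remove a member account from an AWS Organization, falling back to closing
it when Organizations refuses because the account cannot stand alone.

Added example, not from the original answer. Targets the boto3 Organizations
client API; FakeOrganizations is a constructed stand-in for offline runs."""

CONSTRAINT_ERROR = "ConstraintViolationException"


def remove_or_close(org, account_id, *, allow_close=False):
    """Try RemoveAccountFromOrganization first.

    If the call fails with ConstraintViolationException (the member account
    lacks the payment method or other standalone prerequisites), return
    "blocked", or, when allow_close=True, call CloseAccount instead and
    return "closed". Any other error is re-raised untouched."""
    try:
        org.remove_account_from_organization(AccountId=account_id)
        return "removed"
    except Exception as exc:  # botocore ClientError exposes .response
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") != CONSTRAINT_ERROR:
            raise
        if not allow_close:
            return "blocked"
        # A closed member account stays in the organization (status SUSPENDED)
        # and leaves it only once the 90-day post-closure period has elapsed.
        org.close_account(AccountId=account_id)
        return "closed"


class _FakeClientError(Exception):
    """Mimics the .response structure of botocore.exceptions.ClientError."""

    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeOrganizations:
    """Constructed stand-in for boto3.client('organizations') (offline only).

    Accounts listed in standalone_ready can be removed; every other account
    raises the same ConstraintViolationException the question quotes."""

    MESSAGE = ("The member account must be configured with a valid payment "
               "method, such as a credit card.")

    def __init__(self, standalone_ready):
        self.standalone_ready = set(standalone_ready)
        self.removed = []
        self.closed = []

    def remove_account_from_organization(self, AccountId):
        if AccountId not in self.standalone_ready:
            raise _FakeClientError(CONSTRAINT_ERROR, self.MESSAGE)
        self.removed.append(AccountId)
        return {}

    def close_account(self, AccountId):
        self.closed.append(AccountId)
        return {}


if __name__ == "__main__":
    org = FakeOrganizations(standalone_ready={"333333333333"})
    for acct in ("333333333333", "222222222222"):
        print(acct, remove_or_close(org, acct, allow_close=True))
```

With a real client, replace `FakeOrganizations(...)` by `boto3.client("organizations")`; the caller needs `organizations:RemoveAccountFromOrganization` and, for the fallback, `organizations:CloseAccount` in the management account.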
It is my first experience in Google Cloud Platform and I'm confused.
I've got access to a resource:
xxx#gmail.com has granted you the following roles for resource resource_name(projects/project_name/datasets/ClientsExport/tables/resource_name) BigQuery Data Editor
But if I open BigQuery Data Editor, I don't see project_name and resource_name. Search by resource_name also returns no result.
Is this the only access that I have in the project? (I didn't get any other access or emails.)
Could you please help me with this? Maybe I should get some additional access so that resource_name will be available? Or is there another way to find the resource?
Thank you in advance!
According to the message, you have access to BigQuery data inside a table. You can query it from your project; you are authorised to access it (and to write as well, because you are an editor).
However, this table isn't in your project, it's in another project; that's why you don't see it directly in the BigQuery console. In addition, you don't have the right to read the metadata (roles/bigquery.metadataViewer) on the dataset of the other project. Also, you can't view the table schema in the console, but the bq CLI allows you to view it.
I had some discussions with Google BigQuery team about that (because I got the same issue in my company), and updates should happen by the end of the year (or soon in 2022) to fix this "view" issue in the console.
It looks like you have IAM permission to access a specific resource in BigQuery but cannot access it from the GUI.
Some reasons you may not see access on your GUI:
You have permission to interact with BigQuery but don't have access to any of the data.
You aren't a member of the organization which provided the resources and they have higher level permissions (on the org level) which prevents sharing of resources outside of the org.
Your access is restricted to the command line/app level. (If your account is a service account then this is likely the case.)
I have an AWS Amplify application that has a structure with multi-organizations:
Organization A -> Content of Organization A
Organization B -> Content of Organization B
Let's say we have the user Alice. Alice belongs to both organizations; however, she has different roles in each one: in Organization A Alice is an administrator and has more privileges (i.e. she can delete content or modify others' content), while in Organization B she is a regular user.
For this reason I cannot simply set regular groups on Amplify (Cognito), because some users, like Alice, can belong to different groups on different organizations.
One solution that I thought was having a group for each combination of organization and role.
e.g. OrganizationA__ADMIN, OrganizationB__USER, etc.
So I could restrict the access on the schema using a group auth directive on the Content model:
{allow: group, groupsField: "group", operations: [update]},
The content would have a group field with a value: OrganizationA__ADMIN
Then I could add the user to the group using the Admin Queries API
However, it doesn't seem to be possible to add a user to a group dynamically, I'd have to manually create each group every time a new organization is created, which pretty much kills my idea.
Any other idea on how I can achieve the result I'm aiming for?
I know that I can add the restriction in code, but this is less safe, and I'd rather have this constraint on the database layer.
Look into generating additional claims in your pre-token-generation handler.
Basically you can create an attribute that includes an organization-to-role mapping,
e.g.
{
// ...
"custom:orgmapping": "OrgA:User,OrgB:Admin"
}
then transform them in your pre-token-generation handler into "pseudo" groups that don't actually exist in the pool.
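The handler this answer describes, as an added Python example (not code from the original answer): a Cognito pre token generation Lambda that parses the `custom:orgmapping` attribute into `<Org>__<ROLE>` pseudo groups and writes them to `groupsToOverride`, which replaces the `cognito:groups` claim in the ID token that the Amplify client sends to AppSync, so the `{allow: group, groupsField: "group"}` rule from the question matches a record whose `group` field is `OrganizationA__ADMIN` without that group existing in the user pool. The event and response shape is the documented V1 trigger; the attribute name, the allowed role set and the `__` naming are assumptions taken from the question and answer, and `SAMPLE_EVENT` is constructed.

```python
"""Cognito pre token generation handler (V1 trigger shape) that turns
"custom:orgmapping" = "OrgA:Admin,OrgB:User" into per-organization pseudo
groups ["OrgA__ADMIN", "OrgB__USER"] in the ID token's cognito:groups claim.

Added example, not from the original answer. Attribute name, role set and the
"<Org>__<ROLE>" naming are assumptions matching the question."""
import re

ORG_MAPPING_ATTR = "custom:orgmapping"   # assumed custom attribute name
ALLOWED_ROLES = frozenset({"USER", "ADMIN"})
_ORG_NAME = re.compile(r"^[A-Za-z0-9-]{1,64}$")


def parse_org_mapping(raw):
    """Parse "OrgA:User,OrgB:Admin" into {"OrgA": "USER", "OrgB": "ADMIN"}.

    Any malformed, unknown-role or duplicate entry raises ValueError instead of
    being skipped: a bad attribute must fail closed rather than widen access."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        org, sep, role = entry.partition(":")
        role = role.strip().upper()
        if not sep or not _ORG_NAME.match(org) or role not in ALLOWED_ROLES:
            raise ValueError(f"invalid org mapping entry: {entry!r}")
        if org in mapping:
            raise ValueError(f"duplicate organization: {org}")
        mapping[org] = role
    return mapping


def pseudo_groups(mapping):
    """Build the group names the @auth rule compares against, e.g. OrgA__ADMIN."""
    return sorted(f"{org}__{role}" for org, role in mapping.items())


def handler(event, context=None):
    """Lambda entry point. Overrides cognito:groups in the ID token with the
    pseudo groups; a missing or empty attribute yields no groups at all."""
    attrs = event["request"].get("userAttributes", {})
    groups = pseudo_groups(parse_org_mapping(attrs.get(ORG_MAPPING_ATTR, "")))
    # groupsToOverride replaces cognito:groups in the issued ID token, which is
    # the claim AppSync's group auth rule checks against the record's group field.
    event["response"]["claimsOverrideDetails"] = {
        "groupOverrideDetails": {"groupsToOverride": groups},
    }
    return event


# Constructed event for Alice from the question: admin in A, regular user in B.
SAMPLE_EVENT = {
    "request": {
        "userAttributes": {
            "email": "alice@example.com",
            ORG_MAPPING_ATTR: "OrganizationA:Admin,OrganizationB:User",
        }
    },
    "response": {},
}

if __name__ == "__main__":
    out = handler(SAMPLE_EVENT)
    print(out["response"]["claimsOverrideDetails"]["groupOverrideDetails"])
```

Because the pseudo groups come from a user attribute, the attribute must be writable only by the admin path (the Admin Queries API or an admin-only Lambda), never by the user through a self-service `updateUserAttributes` call, or a user could grant themselves `OrganizationA__ADMIN`.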
You can see Table A of permissions in GCP's IAM and Administration > IAM page.
Table A has an item called Analyzed Permissions (Extra / Total).
You can see more detailed Table B for that role by clicking on a value such as 2/4 of this item.
Normally this is fine, but the information in Table B appears to be inverted when all permissions for a role are extra or when there are no extra permissions. Is this a bug? Or is it my misunderstanding?
(I use the GCP management screen in the Japanese version, so it may not be reproduced in the English version.)
The explanation may be difficult to understand because it is abstract, so I will give a concrete example.
Suppose the role "Write Log" for a service account is listed as 0/1 in Table A.
This indicates that "Write Log" has no extra permissions (all permissions "Write Log" for that role have been used in the last 90 days).
However, all permissions are displayed in the "Extra Permissions" column on Table B, which is inconsistent (inverted) with Table A.
Conversely, if the permissions for a role look like 6/6 in Table A, it means that none of the permissions for that role are used.
If you open Table B for such a role, it will be treated as if there is no "extra permissions" field and everything is in use (inverted to Table A).
However, roles that are used halfway, such as 3/7 in Table A, are displayed correctly in Table B.
screen shot:
IAM Recommender analyses the usage of permissions over the last 90 days. It shows X/Y, where X is the number of unused permissions and Y the total number of permissions granted.
If X=0, Table B shows you only the currently used permissions, not the unused ones, because there aren't any.
If X=Y, the column for the "currently used permissions" is empty and all the existing permissions are in the unused column.
If X>0 and X<Y, Table B shows a mix of the currently used permissions and the unused ones.
If you see a light bulb, it's because IAM Recommender has found better roles, and you have proposals to improve your security.
I am trying to link an account within AWS. But AWS Organizations throws the below error while inviting the user:
" You cannot add accounts to your organization while it is initializing. Try again later"
I had this problem. It turned out my credit card on file was expired.
In my case it fixed itself after some hours. It may be some sort of initialization issue that requires some time to complete. You can find more information here.
Once the AWS Organization is created, you have to accept the AWS Organization Email from the Master Account, prior to sending the invite or creating child account.
This is how I fixed it today. Two things we have to check:
Validate your primary email for the master account; they send a verification email to your registered email ID.
Check your added credit card details (in my case my card was expired, so I had to add it again, then it worked).