How to add GCP role to the grantable list? - google-cloud-platform

I am trying to get a service account set up in GCP so I can use
docker pull
from my personal shell as well as from Google Cloud Shell, where it works automagically.
I tried this:
gcloud projects add-iam-policy-binding myProject --member=serviceAccount:dockerdude --role=roles/container.admin
But I got this not-very-helpful error:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (dockerdude).
I found the problem: this role isn't grantable ... I used the command
gcloud iam list-grantable-roles
//cloudresourcemanager.googleapis.com/projects/myProject
... and indeed the role container.admin isn't in the list.
My question: how do I make this role grantable? Or is there some other way to get what I'm looking for (docker pull permission from user shells as well as from Google Cloud Shell)?
Thanks much for any insight into this problem whatsoever!

You can use this reference to write your command interactively, Granting a Single Role:
Note: If you want to identify a service account just after it is created, use the numeric ID rather than the email address to ensure that it is reliably identified.
gcloud iam service-accounts add-iam-policy-binding ServiceAccount_ID \
--member=PRINCIPAL --role=ROLE_ID \
--condition=CONDITION
Some missing parameters, but should be…
gcloud iam service-accounts add-iam-policy-binding my-service-account#my-project.iam.gserviceaccount.com \
--member=serviceAccount:duckerdude#example.com --role=/roles/container.clusterAdmin
Also check this very good explanation of the service accounts as they can be described as an identity and a resource, check the full question to get more details:
You have to read the command like this
gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
Additionally, read this question related to list-grantable-roles command:
They can also be listed:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID

Related

Cloud container clusters create `compute.networks.get` permission error

I am trying to create a cluster with GKE. I have a project I have been using already.
When I run
gcloud container clusters create cluster1
I get the following:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.
The same thing happens when I use the web UI. Both my service account and my user have owner roles.
I have tried the following to get the cluster create command to work:
I tried adding a policy binding for the project for my existing service account:
gcloud projects add-iam-policy-binding <my-project> \
--member serviceAccount:<my-user>#<my-project>.iam.gserviceaccount.com \
--role roles/compute.admin
I read enabling the container api service was required
gcloud services enable container.googleapis.com
Started over. I deleted the service account, created a new one and activated the creds with:
gcloud auth activate-service-account <my-user>#<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
I also tried authenticating with my account user:
gcloud auth login
None of these work and I can't create a cluster
I think I will answer my own question here. From service account docs
When you create a new Cloud project using GCP Console and if Compute Engine API is enabled for your project, a Compute Engine Service account is created for you by default. It is identifiable using the email:
PROJECT_NUMBER-compute#developer.gserviceaccount.com
I had delete the default created service accounts somehow and possible the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate, I decided it was best to just start a new project. Afterwords, the cluster create API and console work just fine.
Debug:
gcloud container subnets list-usable --project service-project --network-project shared-vpc-project
If you get warning in output:
WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED:
Google Compute Engine: Required 'compute.projects.get' permission for
'projects/shared-vpc-project'
It means your google managed gke service account in host project doesn't exist.
To solve go to host project apis and enable Kubernetes Engine API. If it's enabled, disable it and enable again back.
I think you should set the compute engine service account permission:
gcloud projects add-iam-policy-binding <my-project> \
--member [PROJECT_NUMBER]-compute#developer.gserviceaccount.com \
--role roles/compute.admin

Missing Cloud Function User Agent role in Google Cloud IAM

I'm working on a series of Cloud Functions in one Google Cloud project and, for some reason, I suddenly get this error:
Deployment failure:
Missing necessary permission resourcemanager.projects.getIamPolicy for service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com on resource projects/la-cloud-functions. Please grant service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com the Cloud Functions Service Agent role. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com --role=Cloud Functions Service Agent'
Besides the badly formatted error response (you can't have --role=Cloud Functions Service Agent - it should be --role=roles/cloudfunctions.serviceAgent), when I try to run the amended command:
gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com --role=roles/cloudfunctions.serviceAgent
I get this error:
The requested URL <code>/v1/projects/la-cloud-functions/serviceAccounts/projects/la-cloud-functions:getIamPolicy?alt=json</code> was not found on this server.
Finally, trying to assign the Cloud Functions Server Agent role through the console gave me another surprise - the role is missing from the list, where it should be under Service Management:
I have tried to reset the service account by re-enabling the Cloud Functions API with this command:
gcloud services enable cloudfunctions.googleapis.com
But again, no success.
Anyone have any ideas on how to fix this problem and make the Cloud Functions Service Agent role available again?
TIA - Joe
Try the following steps to solve this:
Disable Cloud Functions API:
gcloud services disable cloudfunctions.googleapis.com --project la-cloud-functions
Wait about a minute for the disable to complete.
Delete the cloud functions member account using the CLI or using the GCP Console under IAM.
gcloud projects remove-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
Wait about a minute. Then verify that this member has been removed in the GCP Console under IAM.
Enable Cloud Functions API:
gcloud services enable cloudfunctions.googleapis.com --project la-cloud-functions
Go back to the GCP Console. You should find a new Google Cloud Functions Service Agent member.
Note:
You are using the wrong command to add cloudfunctions.serviceAgent. Here is the correct command:
gcloud projects add-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"

(gcloud.projects.list) PERMISSION_DENIED

I have a machine that needs to run the following gcloud command:
gcloud projects list --format=json
The output error that gives me:
ERROR: (gcloud.projects.list) PERMISSION_DENIED: Request had insufficient authentication scopes.
Is pretty obvious that the current configuration and account set for the machine do not have the permissions.
Funny that when I use gcloud compute instances list --project=<project_ID> --format=json
It gives me a list of the machines listed in the project I specify.
I enabled the Google Resource Manager API
I even created some service account credentials and activated them in the machine. Still the same error.
In the SDK documentation there is no reference on how to enable credentials to see other projects
Anyone had this issue before? I saw outdated questions whose solutions didn't work out for me.
Edit
I should mention that the machine in question is a GCE instance and there is no way (unless I install manually the SDK, which is a mess I am not going to get into) to update the SDK.
Cloud API access scopes are set manually and there is no mention of the "Resource Manager" and i can't seem to add or remove any new API Accesses
According to this document, gcloud projects list shows all the active projects were the account has the Owner, Editor or Viewer project level role. As long as the service account you activated in your instance has one of those roles in a gcp project, you should be able to run the command.
For example, from your cloud shell grant the viewer role to your service account:
gcloud projects add-iam-policy-binding <your_project_id> \
--member serviceAccount:<your_service_account> --role roles/viewer
Activate the service account in your instance using the json key file:
gcloud auth activate-service-account --key-file=/path/key.json
Run the projects list command:
gcloud projects list --format=json

How do I list the roles associated with a gcp service account?

In the google cloud gui console I went to "IAM & admin" > "Service accounts" and created a service account named "my-service-account" with the viewer role.
I then ran this command:
gcloud iam service-accounts get-iam-policy my-service-account#mydomain.iam.gserviceaccount.com
and saw this output:
etag: ACAB
According to the docs this means this service account has no policy associated with it. So I assigned it a "role" which is not included in its "policy".
How do I list the roles associated with a service account?
EDIT:
Thanks to the excellent answer to this question I can now loop over all projects and get what I want. so, depending on your version of these cmd tools, this should list all role bindings of a single service account across all projects:
gcloud projects list | \
awk '{print $1}' | \
xargs -I % sh -c "echo ""; echo project:% && \
gcloud projects get-iam-policy % \
--flatten='bindings[].members' \
--format='table(bindings.role)' \
--filter='bindings.members:YOU-SERVICE-ACCOUNT#blah.com' \
;"
To filter on a specific service account, the following gcloud commmand does the trick:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"
Gives the nice output:
ROLE
roles/cloudtrace.agent
roles/servicemanagement.serviceController
roles/viewer
The format param can of course be tweaked to suit your specific needs.
In Google Cloud you have IAM policies for projects and for service accounts.
With IAM policies for the project you define who can perform a specific action on a resource in your Google Cloud project.
Adding the ´Viewer´ Role to your service account you modified the project policy (i.e. what your service account can do inside the project)
On the other hand the IAM policies for service accounts is used to control who has the ownership and who can access to the service accounts and their settings.
This is what you were retrieving with the command you posted, but you were not obtaining anything as you were getting the policy for the service account instead of the one for the project.
In order to get the IAM policy for the project that will contain the members and their corresponding roles you can run the following command:
gcloud projects get-iam-policy PROJECT_ID
You can find further information about service accounts in the following links:
https://cloud.google.com/iam/docs/service-accounts
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
You can use this command to list resources and roles assigned to a service account:
gcloud beta asset search-all-iam-policies --scope=organizations/123 --query="policy:456#cloudservices.gserviceaccount.com" | egrep "role:|resource:|gserviceaccount"
You can change scope to a folder or a project as long as you have the cloudasset.assets.searchAllIamPolicies permission upon the scope.
More details: How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?
To see roles per service account in the console:
Copy the email of your service account (from IAM & Admin -> Service Accounts - Details);
Go to: IAM & Admin -> Policy Analyzer -> Custom Query;
Set Parameter 1 to Principal. Paste the email into Principal field;
Click Continue, then click Run Query.
You'll get the list of roles of the given service account.

When creating Google Cloud service accounts do you have to authorize the key after you create it?

When you make a Google Cloud service account using the gcloud command line interface there's a gcloud iam service-accounts keys create to create a key. Looking in the web console, it appears that command creates and registers the key with the account.
Is that sufficient to active the service account for use with they generated JSON key file? Or do you also have to call:
gcloud auth activate-service-account <IAM> --key-file=<JSON file from the keys create command>
The Google docs are a little unclear here as to whether that last step is necessary or not. The console shows no changes to the service account but the command executes successfully if you do make the call.
Creating a key via gcloud iam service-accounts keys create does NOT immediately make it available to use with gcloud commands. You indeed need to activate via gcloud auth activate-service-account.
Use
gcloud auth list
to view your set of credentials. Moreover gcloud uses currently active credentials. You can view your current settings by running
gcloud config list
Also it is possible to use various credentials just by adding extra --account flag to any gcloud command. For example:
gcloud compute zones list --account my_account#gmail.com
where account is previously was obtained via gcloud auth login or gcloud auth activate-service-account and appears in gcloud auth list.
You do not have to use activate-service-account. You can instead use the environment variable 'CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE' to specify your service account json key.
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="./service-account.json" \
gcloud deployment-manager deployments \
create $DEPLOYMENT \
--project $PROJECT \
--template resources.jinja \
--properties deployment:$DEPLOYMENT,project:$PROJECT
I found this option here:
https://serverfault.com/questions/848580/how-to-use-google-application-credentials-with-gcloud-on-a-server