In order to implement CI pipeline from github to gcp, I have configured workload identity.
SERVICE_ACCOUNT="xyz"
PROJECT_ID="ABC"
Service account created by the command:
gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \
--description="${SERVICE_ACCOUNT}" \
--display-name="${SERVICE_ACCOUNT}"
Added principalSet by the following command:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}#${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_NAME}/attribute.repository/${ORG_NAME}/${REPOSITORY}"
Upto this point was working fine.
But using this account I want to provision infrastructure and deploy applications as well.
So I have used following command:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}#${PROJECT_ID}.iam.gserviceaccount.com" \
--member "serviceAccount:${SERVICE_ACCOUNT}#${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
Likewise some more roles to be added. But I have following error:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/container.clusterAdmin is not supported for this resource.
Any feedback how to obtain the rights?
Reference: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
Add the IAM policy to the project and not to the service account.
gcloud iam projects add-iam-policy-binding "${PROJECT_ID} \
--member "serviceAccount:${SERVICE_ACCOUNT}#${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
Related
I'm trying to query the GCP IAM recommender API (API documentation here) and fetch role revision recommendations for my project. I'm looking for ACTIVE recommendations only. However, the input filter stateInfo.state filter (listed in the above documentation) is not working for me. It returns the error Invalid Filter. Can someone please let me know what am I doing wrong here? Thanks.
Here's my API query: https://recommender.googleapis.com/v1/projects/my-demo-project/locations/global/recommenders/google.iam.policy.Recommender/recommendations?filter=stateInfo.state:ACTIVE
Please include a minimally reproducible example in questions:
PROJECT=[YOUR-PROJECT-ID]
LOCATION="global"
SERVICES=(
"cloudresourcemanager"
"recommender"
)
for SERVICE in ${SERVICES[#]}
do
gcloud services enable ${SERVICE}.googleapis.com \
--project=${PROJECT}
done
ACCOUNT="tester"
EMAIL=${ACCOUNT}#${PROJECT}.iam.gserviceaccount.com
gcloud iam service-accounts create ${ACCOUNT} \
--project=${PROJECT}
# Minimal role for Recommender for IAM
gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=roles/recommender.iamViewer
gcloud iam service-accounts keys create ${PWD}/${ACCOUNT}.json \
--iam-account=${EMAIL} \
--project=${PROJECT}
# Be careful this overwrites the default gcloud auth account
# Remember to revert this to your e.g. me#gmail.com afterwards
gcloud auth activate-service-account --key-file=${PWD}/${ACCOUNT}.json
TOKEN=$(gcloud auth print-access-token ${EMAIL})
RECOMMENDER="google.iam.policy.Recommender"
PARENT="projects/${PROJECT}/locations/${LOCATION}/recommenders/${RECOMMENDER}"
FILTER="stateInfo.state=ACTIVE"
curl \
--header "Authorization: Bearer ${TOKEN}" \
https://recommender.googleapis.com/v1/${PARENT}/recommendations?filter=${FILTER}
Yields (HTTP 200):
{}
We can list all iam service accounts as follows:
gcloud iam service-accounts list
We can list all iam roles as follows:
gcloud iam roles list
This works fine for one project only.
I have however multiple projects and they are organized by folders. I would like to list therefore all IAM principles and roles in one go. How can this be achieved?
List all Project IDs:
gcloud projects list --format="value(projectId)"
List all Service Account (Emails) by Project (IDs):
PROJECTS=$(\
gcloud projects list \
--format="value(projectId)")
for PROJECT in ${PROJECTS}
do
echo "Project: ${PROJECT}"
gcloud iam service-accounts list \
--project=${PROJECT} \
--format="value(email)"
done
IIUC gcloud iam roles list is a global list
For the custom role (names) in a Project, you want:
gcloud iam roles list \
--project=${PROJECT} \
--format="value(name)"
So perhaps:
PROJECTS=$(\
gcloud projects list \
--format="value(projectId)")
for PROJECT in ${PROJECTS}
do
echo "Project: ${PROJECT}"
gcloud iam roles list \
--project=${PROJECT} \
--format="value(name)"
done
Or perhaps:
gcloud projects get-iam-policy ${PROJECT}
And:
PROJECTS=$(\
gcloud projects list \
--format="value(projectId)")
for PROJECT in ${PROJECTS}
do
echo "Project: ${PROJECT}"
gcloud projects get-iam-policy ${PROJECT}
done
The above can be further filtered|formatted using --filter and --format flags.
We have a Vertex AI model that was created using a custom image.
We are trying to access a bucket on startup but we are getting the following error:
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/...?projection=noAcl&prettyPrint=false: {service account name} does not have storage.buckets.get access to the Google Cloud Storage bucket.
The problem is that I can't find the service account that is mentioned in the error to give it the right access permissions..
Solved it by giving the endpoint the right service account
I am dealing with the same general issue. Vertex AI can't access my Cloud Storage bucket from a custom prediction container.
After digging through a complex tree of GCP Vertex docs, I found this:
https://cloud.google.com/vertex-ai/docs/general/custom-service-account#setup
And
https://cloud.google.com/vertex-ai/docs/predictions/custom-container-requirements#artifacts
UPDATE
After working through this, I was able to get GCS access to work.
Create a new service account and give it proper roles/permissions. You need your PROJECT_ID and PROJECT_NUMBER.
NEW_SA_EMAIL=new-service-account#$PROJECT_ID.iam.gserviceaccount.com
AI_PLATFORM_SERVICE_AGENT=service-$PROJECT_NUMBER#gcp-sa-aiplatform.iam.gserviceaccount.com
gcloud iam service-accounts create $NEW_SA_NAME \
--display-name="New Vertex AI Service Account" \
--quiet
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$NEW_SA_EMAIL" \
--role="roles/storage.admin" \
--quiet
gcloud iam service-accounts add-iam-policy-binding \
--role=roles/iam.serviceAccountAdmin \
--member=serviceAccount:$AI_PLATFORM_SERVICE_AGENT \
--quiet \
$NEW_SA_EMAIL
Upload your model and create the endpoint using the gcloud vertex ai commands...
Associate your new SA with the Vertex AI Endpoint when you deploy the model. You will need the GCP_REGION, ENDPOINT_ID, MODEL_ID, DEPLOYED_MODEL_NAME, and the NEW_SA_EMAIL from the first step.
gcloud ai endpoints deploy-model $ENDPOINT_ID \
--region=$GCP_REGION \
--model=$MODEL_ID \
--display-name=$DEPLOYED_MODEL_NAME \
--machine-type=n1-standard-4 \
--service-account=$NEW_SA_EMAIL
Not able to enable Cloud Build on the project that I am assigned as Owner. I get an error message: "You are missing the required permission: billing.accounts.list" as in following screen-shot
I solved the issue by assigning the roles with gcloud on the terminal.
There must be some glitches on Google Console.
gcloud projects add-iam-policy-binding $GC_PROJECT \
--member "serviceAccount:$GC_PROJECT_NUMBER#cloudbuild.gserviceaccount.com" \
--role roles/run.admin
gcloud iam service-accounts add-iam-policy-binding \
$GC_PROJECT_NUMBER-compute#developer.gserviceaccount.com \
--member="serviceAccount:$GC_PROJECT_NUMBER#cloudbuild.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding $GC_PROJECT \
--member "serviceAccount:$GC_PROJECT_NUMBER#cloudbuild.gserviceaccount.com" \
--role roles/owner
I'm trying to automate creation of service accounts for use with GKE via the gcloud command-line tool. I've figured out a flow that appears to mirror the process used by the Google Cloud Console, but my users don't see to receive the appropriate access.
Here's the commands I'm executing in order:
# Environment:
# - uname=<username>
# - email=<user's email address>
# - GCLOUD_PROJECT_ID=<project identifier>
# - serviceAccount="${uname}#${GCLOUD_PROJECT_ID}.iam.gserviceaccount.com"
$ gcloud iam service-accounts \
create "${uname}" --display-name "email:${email}" --format json
$ gcloud projects \
add-iam-policy-binding "${GCLOUD_PROJECT_ID}" \
--member "serviceAccount:${serviceAccount}" \
--role=roles/container.developer --format=json
$ gcloud iam service-accounts keys \
create "${GCLOUD_PROJECT_ID}-${uname}.json" \
--iam-account="${serviceAccount}"
When this executes, it creates a new service account and generates a key file locally. I then try to use this key to get credentials for my Kubernetes cluster.
$ gcloud config configurations create devcluster --activate
$ gcloud config set project devnet-166017
$ gcloud config set compute/zone us-central1-b
$ gcloud auth activate-service-account \
--key-file="${GCLOUD_PROJECT_ID}-${uname}.json"
$ gcloud container clusters get-credentials devcluster
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: \
code=403, message=Required "container.clusters.get" permission for \
"projects/${GCLOUD_PROJECT_ID}/zones/us-central1-b/clusters/devcluster".
It appears that for some reason my service account doesn't have one of the permissions it needs to get credentials, but based on what I've read and what I've observed in the Console, I believe this permission should be part of the roles/container.developer role.
Thanks!
I assume by service account, you mean the Service Account for Google Cloud. Here are the IAM roles related to GKE: https://cloud.google.com/container-engine/docs/iam-integration (search for container.).
First create a service account:
gcloud iam service-accounts create --display-name "GKE cluster access" gke-test
Then create a key:
gcloud iam service-accounts keys create key.json --iam-account=gke-test#[PROJECT_ID].iam.gserviceaccount.com
Now you need to assign some roles to this service account, your options are:
roles/container.admin Full management of Container Clusters and their Kubernetes API objects.
roles/container.clusterAdmin Management of Container Clusters.
roles/container.developer Full access to Kubernetes API objects inside Container Clusters.
roles/container.viewer Read-only access to Container Engine resources.
Again look at https://cloud.google.com/container-engine/docs/iam-integration page for details.
I assign roles/container.viewer (a read-only role, minimum you can assign to get-credentials) to this service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] --role=roles/container.viewer --member=serviceAccount:gke-test#[PROJECT_ID].iam.gserviceaccount.com
Logout on gcloud from your current account:
gcloud auth revoke
Login to gcloud with the service account key:
gcloud auth activate-service-account --key-file=key.json
Try get-credentials:
$ gcloud container clusters get-credentials test --zone us-west1-a
Fetching cluster endpoint and auth data.
kubeconfig entry generated for test.
It works. I tried it with roles/container.developer, which also works.
You can try other permissions and see what works and what doesn't, although you made it clear that the documentation doesn't make it clear which roles have access to container.clusters.getCredentials.