Hi I am a newbie and would greatly appreciate some help.
I am trying to analyze the current roles/permissions in the current GCP projects and consolidate the different roles/permissions in use today. There are many projects. Is there a way to check all of them?
One way to check the inuse role of a certain project is using this command in your cloud shell:
gcloud projects get-iam-policy <project_id> | grep role
The command:
gcloud projects get-iam-policy <PROJECT_ID_OR_NUMBER>
lists the IAM policy of a project. It contains users and their specific roles in that project.
grep role
reduces the output of the 1st command to roles for readability purposes.
If you want to see full output with users and service account and their corresponding roles, you may remove the grep role command.
To check out for more details regarding iam policy you may refer to this GCP documentation for project level:
https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
Related
I'm using gcloud projects add-iam-policy-binding ... command to add role: roles/bigquery.jobs.create (because this is necessity if you want to be able to run query in BigQuery GCP project).
I get an output:
INVALID_ARGUMENT: Role roles/bigquery.jobs.create is not supported for this resource.
Problem here is I'm unable to set this through bq CLI as well, because it seems like permissions can be added on table/dataset level only. Anyone knows the possible solution (unix shell)?
The IAM role you mentioned in the question does not exist. It is a permission rather than a role.
The list of roles and their descriptions are provided in the BigQuery Predefined IAM roles
I want to run my google cloud server everyday on specific times. I set up an instance schedule for that but when i try to link my vm to the schedule it gives me the following error:
Compute Engine System service account service-390738840624#compute-system.iam.gserviceaccount.com needs to have [compute.instances.start] permissions applied in order to perform this operation.
Does anyone know how to solve this?
The service account service-390738840624#compute-system.iam.gserviceaccount.com does not have a role with the permission compute.instances.start.
The following IAM roles have the required permission:
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
The following command will add the first role to the service account:
Replace $PROJECT_ID with your Project ID (not the project name).
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:service-390738840624#compute-system.iam.gserviceaccount.com \
--role roles/compute.instanceAdmin
Your account for which you are running the command, must have the privilege to grant/modify IAM roles on a service account. If you do not have the correct permissions, you will need to ask the Project Owner or Editor to perform this for you.
The CLI answer works but in case you dont use terminal here are the steps directly on the platform:
go to IAM
on the right side of the screen select "Include Google-provided role grants"
Find Principal that contain text "compute-system.iam.gserviceaccount.com"
edit (with little pen on the right)
from the popup shown select "+Add another role", select role "Compute Instance Admin" (can show beta or v1 in the brackets)
this fixed my issue
In order to complete the task, GCP is asking you to give the service account “service-390738840624#compute-system.iam.gserviceaccount.com” access to use “compute.instances.start” but the service account doesn't have the right permissions to execute the task.
When you set up an instance to run as a service account, you determine
the level of access the service account has by the IAM roles that you
grant to the service account. If the service account has no IAM roles,
then no API methods can be run by the service account on that
instance.
To grant, change, and revoke access to a single service account, please refer to this guide.
Be aware that to manage access to a service account, you need a role that includes the following permissions:
*iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy*
If you want to know which are the permission included in your account, please refer to this guide.
If you don't have the appropriate access to grant permissions, please refer to your system administrator.
To know more about compute engine roles and permissions, please follow this link.
If you wish to know more about services accounts, please follow this link.
To know more about the process of scheduling compute instances with Google Scheduler, please follow this link.
I am going thru a Qwicklabs tutorial on GCP IAM.
At some point, it mentions that
Use the gcloud iam list-grantable-roles command to return a list of
all roles that can be applied to a given resource.
However the example cited lists the grantable roles by going throughout the entire project:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$DEVSHELL_PROJECT_ID
Is there a way to run the above command but only on a specific resource, say Stackdriver or BigQuery ?
Is there a way to run the above command but only on a specific
resource, say Stackdriver or BigQuery ?
Yes. From the following examples, you should notice a naming pattern.
This link is Google's document on resource naming.
If you want to go deeper than the project then you must specify an actual resource. You cannot just specify BigQuery, you must specify the dataset in BigQuery. For Stackdriver you must specify an actual log name.
For some resources, gcloud provides the command-line option --uri. This will display the resource name:
gcloud compute instances list --uri
Note: The command line option --uri is not supported for all commands. Neither logging nor Biquery support --uri.
Compute Engine:
gcloud iam list-grantable-roles //compute.googleapis.com/projects/[PROJECT_ID]/zones/[ZONE]/instances/[VM_NAME]
BigQuery:
gcloud iam list-grantable-roles //bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]
Stackdriver Logging:
gcloud iam list-grantable-roles //logging.googleapis.com/projects/[PROJECT_ID]/logs/cloudbuild
There are several ways my user can get privileges in a Google Cloud Platform project. Direct role and privilege assignment, act as service accounts, different group membership.
So given a GCP project, how can I list the active privileges for my user?
Usually, in GCP, they are called "Permissions". For ease of use, those permissions are grouped in "Roles".
Each user can have different roles in your project. To get a full list of the accounts having each role in a project, you can use the Resource Manager API to get the IAM policies.
Long story short, make sure that gcurl is properly configured and just run the following command, filtering the output according to your needs:
curl -XPOST https://cloudresourcemanager.googleapis.com/v1/projects/$(gcloud config get-value project):getIamPolicy -d'{}' -H"Authorization: Bearer $(gcloud auth print-access-token)" -H'content-type:application/json'
gcloud projects get-iam-policy $PROJ \
--flatten="bindings[].members" \
--format='table(binding.role)' \
--filter="bindings.members:user:$USER"
USER is like email (me#org.com), PROJ is like project-123456.
UPDATE To search across all resources:
gcloud asset search-all-iam-policies --query=policy:$EMAIL
I am trying to create a Kubernetes cluster in Google Cloud Platform and I receive the following error when I try to create the cluster from the Web app:
An unknown error has occurred in Compute Engine: "EXTERNAL: Google
Compute Engine: Required 'compute.zones.get' permission for
'projects/my-project-198766/zones/us-west1-a'". Error code: "18"
When I use gcloud I receive this response:
(gcloud.container.clusters.create) ResponseError: code=403,
message=Google Compute Engine: Required 'compute.zones.get' permission
for 'projects/my-project-198766/zones/us-west1-a'
Please note that I have the Owner role and I can create VM instances without any issues.
Any ideas?
This sort of issue might arise if somehow your cloudservices robot gets removed as a project editor. My best guess is that in your case this is the issue.
This might happen due to API call which has SetIamPolicy that is missing cloudservices robot from the "roles/editor" bindings. SetIamPolicy is a straight PUT, it will override with whatever policy is provided in the request. You can get the list of IAM policies for your project with below command as given in this article.
gcloud projects get-iam-policy [project-id]
From the list, you can check whether below service account has the editor permission or not.
[id]#cloudservices.gserviceaccount.com
To fix the issue, you can grant the mentioned service account "Editor" permission and check whether that solves the issue or not.
Hope this helps.
in my case I deleted the service accounts / IAM's or whatever and that very same error message popped up, when I tried to create a kubernetes cluster.
I asked Google to recreate my service accounts, and they mentioned that you can recreate service accounts and their permissions simply by enabling them again. So, in my case I ran the following two commands in order to make kubernetes work again:
gcloud services enable compute
gcloud services enable container
Here is the link they gave me:
https://issuetracker.google.com/64671745#comment2
I think I got it. I tried to follow the advice from GitHub. The permissions I needed to set on my account (called blahblah-compute#developer.gserviceaccount.com) were:
roles/compute.instanceAdmin
roles/editor
roles/iam.serviceAccountUser
The last one seemed to be crucial.
For me recreating the service account with a new name from the console fixed the issue. I have only given the "Editor" role to the service account
I had accidently deleted the compute-service account. I had to follow all the steps mentioned above ie.
undelete the compute-service account
add the permission back to the service account - editor, serviceaccountuser, computeinstanceAdmin
Enable again compute and container services. Although these were not disabled, running gcloud services enable compute container, created some default service accounts for the compute robot such as service-#compute-system.iam.gserviceaccount.com and service-#container-engine-robot.iam.gserviceaccount.com
Hope this helps
As indicated by #Taher, that's most likely due to missing permissions for Google managed service accounts. If after checking the IAM policies for your project with gcloud projects get-iam-policy [project-id] you do not see the permissions listed, then you can add the required permissions by running the following:
project_id=[your-project-id]
project_number=$(gcloud projects describe $project_id --format='value(projectNumber)')
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#compute-system.iam.gserviceaccount.com" \
--role="roles/compute.serviceAgent"
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#container-engine-robot.iam.gserviceaccount.com" \
--role="roles/container.serviceAgent"
The full list of Google managed service accounts (service agents) is available here.