CloudScheduler 403 Permission denied while creating - google-cloud-platform

I am trying to create a Cron job programmatically in the CloudScheduler Google Cloud Platform using the following API explorer.
Reference: Cloud Scheduler Documentation
Even though I have given the user Owner permission and verified it in Policy Troubleshooter that it has cloudscheduler.jobs.create, I am still getting the following error.
{
"error": {
"code": 403,
"message": "The principal (user or service account) lacks IAM permission \"cloudscheduler.jobs.create\" for the resource \"projects/cloud-monitoring-saurav/locations/us-central\" (or the resource may not exist).",
"status": "PERMISSION_DENIED"
}
}

I had the same issue. The problem was that the region I specified did not support the cloud scheduler. You seem to have the same issue: "us-central" is not supported. Try "us-central1".
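The 403 above says "lacks IAM permission ... (or the resource may not exist)", so it is worth ruling out a bad resource path before widening any IAM grant. The following is an added example, not code from the original posts: it parses the error body from the question and checks the location segment against a location list. `KNOWN_LOCATIONS` is a constructed stand-in for the output of `gcloud scheduler locations list`, and `triage_permission_denied` is a hypothetical helper name.

```python
import json
import re

# Constructed sample: the error body quoted in the question.
SAMPLE_ERROR = json.dumps({"error": {
    "code": 403,
    "message": 'The principal (user or service account) lacks IAM permission '
               '"cloudscheduler.jobs.create" for the resource '
               '"projects/cloud-monitoring-saurav/locations/us-central" '
               '(or the resource may not exist).',
    "status": "PERMISSION_DENIED",
}})

# Assumption: stand-in for `gcloud scheduler locations list`; the real list
# depends on the project and must be fetched, not hard-coded.
KNOWN_LOCATIONS = {"us-central1", "us-east1", "europe-west1"}

_MSG = re.compile(r'lacks IAM permission "(?P<perm>[\w.]+)" '
                  r'for the resource "(?P<res>[^"]+)"')
_PARENT = re.compile(r"^projects/(?P<project>[^/]+)/locations/(?P<loc>[^/]+)")


def triage_permission_denied(body, known_locations):
    """Decide whether a PERMISSION_DENIED body points at IAM or at a bad path."""
    err = json.loads(body)["error"]
    if err.get("status") != "PERMISSION_DENIED" and err.get("code") not in (403, 7):
        return {"verdict": "not-a-permission-error"}
    m = _MSG.search(err.get("message", ""))
    if not m:
        return {"verdict": "unparsed"}
    result = {"permission": m["perm"], "resource": m["res"]}
    parent = _PARENT.match(m["res"])
    if parent and parent["loc"] not in known_locations:
        # The location does not exist: fix the path, do not add roles.
        result["verdict"] = "resource-missing"
        result["location"] = parent["loc"]
        result["suggestions"] = sorted(
            loc for loc in known_locations if loc.startswith(parent["loc"]))
    else:
        result["verdict"] = "check-iam"
    return result


if __name__ == "__main__":
    print(triage_permission_denied(SAMPLE_ERROR, KNOWN_LOCATIONS))
```
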

The error is caused by using a service account that does not have an IAM role that includes the permission cloudscheduler.jobs.create. An example role is roles/cloudscheduler.admin aka Cloud Scheduler Admin. I have the feeling that you have mixed the permission of the service account that you use with Cloud Scheduler (at runtime, when a job triggers something) and the permission of the account currently creating the job (aka your account for example).
You actually need two service accounts for the job to get created. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for the default Cloud Scheduler itself (which is managed by Google).
Use an existing service account to be used for the call from Cloud Scheduler to your HTTP target or you can create a new service account for this purpose. The service account must belong to the same project as the one in which the Cloud Scheduler jobs are created. This is the client service account. Use this one when specifying the service account to generate the OAuth / OIDC tokens.
If your target is part of Google Cloud, like Cloud Functions/Cloud Run, update your client service account by granting it the necessary IAM role (Cloud Functions Invoker for Cloud Functions and Cloud Run Invoker for Cloud Run). The receiving service automatically verifies the generated token. If your target is outside of Google Cloud, the receiving service must manually verify the token.
The other service account is the default Cloud Scheduler service account which must also be present in your project and have the Cloud Scheduler Service Agent role granted to it. This is so it can generate header tokens on behalf of your client service account to authenticate to your target. The Cloud Scheduler service account with this role granted is automatically set up when you enable the Cloud Scheduler API, unless you enabled it prior to March 19, 2019, in which case you must add the role manually.
Note: Do not remove the service-YOUR_PROJECT_NUMBER@gcp-sa-cloudscheduler.iam.gserviceaccount.com service account from your project, or its Cloud Scheduler Service Agent role. Doing so will result in 403 responses to endpoints requiring authentication, even if your job's service account has the appropriate role.

In my case it required the permission: cloudscheduler.jobs.delete.
I found the role by the permission name: https://cloud.google.com/iam/docs/permissions-reference
It was Cloud Scheduler Admin (roles/cloudscheduler.admin)
Then I added it to my service account roles.

Related

How do I find the service account associated with Identity Platform?

On the Identity Platform section in the Google Cloud Console on the settings page and the triggers tab I added a cloud function named before-signup to the before creation trigger. But I keep getting an error when creating an account
BLOCKING_FUNCTION_ERROR_RESPONSE : HTTP Cloud Function returned an error
403 Forbidden
Your client does not have permission to get URL before-signup from this server
So how do I know which service account is associated with identity platform? And how do I give the identity platform service account permission to call the cloud function?
To resolve the error "HTTP Cloud Function returned an error 403 Forbidden, Your client does not have permission to get URL before-signup from this server", you need to grant the Identity Platform service account access to the Cloud Function. Here are the steps to grant the access:
Identify the service account: To identify the service account associated with the Identity Platform, navigate to the "IAM & admin" section of the Google Cloud Console, and then search for "Identity Platform" in the member filter. The service account associated with the Identity Platform will be listed as a member.
Grant the access: To grant the service account access to the Cloud Function, add the service account as a member in the Cloud Function IAM section and assign the "Cloud Functions Invoker" role to the service account.
Deploy the updated IAM configuration: Once you have granted the access, make sure to deploy the updated IAM configuration by clicking the "Save" button in the IAM section of the Cloud Function.
This should resolve the error and allow the Identity Platform to call the Cloud Function. Refer to this Google Cloud Functions Error: Forbidden

IAM issue with Google Cloud Run service account

I am trying to deploy my AutoML trained model using Cloud Run, but am having difficulties with IAM permissions. I'm using this as a guide, and keep getting the following error at the build step. I'm new to Cloud Run/GCP but as far as I can see, I have granted the right roles to the right accounts. I appreciate any assistance you can provide as I'm really stumped.
Error message:
Step #3: ERROR: (gcloud.run.deploy) User [REDACTED@cloudbuild.gserviceaccount.com] does not have permission to access namespaces instance [REDACTED] (or it may not exist):
Google Cloud Run Service Agent does not have permission to get access tokens for the service account REDACTED@cloudbuild.gserviceaccount.com.
Please give service-REDACTED@serverless-robot-prod.iam.gserviceaccount.com permission iam.serviceAccounts.getAccessToken on the service account.
Alternatively, if the service account is unspecified or in the same project you are deploying in, ensure that the Service Agent is assigned the Google Cloud Run Service Agent role roles/run.serviceAgent.
Here are the roles assigned to the Cloud Run Service Agent
Default service account has the Cloud Run Admin Role
Here are the accounts to which I've given access to the Default compute service account, the Cloud Build Service Agent and Cloud Run Service Agent are added:

Google cloud project to service account to user roles mapping creation

I have a Google cloud project created.
I created a service account with project editor role.
Now, if I give a user the serviceAccountUser role on the service account, it doesn't automatically give the user permission on the project.
If I log in using that user to Google Cloud Console, I'm unable to see the project itself.
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access." So, I thought I would be able to access all the projects as well. Does the above statement mean something else?
On GCP you have user accounts and service accounts. The main purpose of the service accounts is to consume GCP services via API calls; the documentation says: "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs." To log in and interact with the GUI and resources you need a user account. If you want to see the resources, the account needs the viewer role; if you need to perform operations on the resources, you need the admin role. Review the documentation for more information (How IAM works).

Cloud build service account permission to build

I have my env set as Cloud build app (Github app) to provision terraform through cloud build to Google Cloud Platform. The build is a simple cloud composer with cloud functions, that creates these resources along with the right service accounts and members.
However, only the owner permission can execute this successfully, I want to have least privilege for the cloud build service account. I have used a lot of roles and nothing seems to be successful. i.e. create service account, editor, access context manager admin, access approval approver. When I run the build via github commit, I receive this error other than having the owner set as role
Error: Error applying IAM policy for cloudfunctions cloudfunction
googleapi: Error 403: Permission
Error: Batch "iam-project-redacted modifyIamPolicy" for request
"Create IAM Members roles/composer.worker
serviceAccount:composer-env-account@redacted.iam.gserviceaccount.com
for \"project \\"redacted\\"\"" returned error: Error applying IAM
policy for project "redacted": Error setting IAM policy for project
"redacted": googleapi: Error 403: The caller does not have permission,
forbidden. To debug individual requests, try disabling batching:
https://www.terraform.io/docs/providers/google/guides/provider_reference.html#enable_batching
Is there an IAM policy/role that allows for service accounts to successfully build through cloud build?
With Owner role set to cloudbuild service account, everything builds successfully.
The Cloud Build service account is assigned by default the Cloud Build Service Account role which has the permissions referred here. Notice that you'll only be limited to perform the following tasks: which include doing the pertinent activities in order to make a build successful (accessing Cloud Source Repository, Cloud Storage and Container Registry).
Along with the Cloud Build Service Account role, you'll need to grant additional roles depending on what else you are doing with Cloud Build.
In the particular case of your error message you'll need to add the Cloud Functions Developer role in order to be able to get full access to Cloud Functions. The whole procedure is documented here.
There are similar roles if you are also deploying to App Engine, or managing Google Kubernetes Engine, etc. Find the full list of available roles here.

Can't create job on GCP Cloud Scheduler

When I try to create a job in the GCP Cloud Scheduler I get this error:
{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}
When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.
I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.
Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?
Many thanks.
Ben
Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.
You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.
Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OIDC tokens.
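Both two-service-account answers on this page (the one above and the longer one in the first thread) can be checked mechanically before a job is created. The following is an added example, not code from the original posts: it audits a job spec and a project IAM policy (shaped like `gcloud projects get-iam-policy --format=json` output) for a missing service agent role, the service agent being used as the job's token account, and an overprivileged client account. The function names, finding labels and sample data are constructed for illustration.

```python
AGENT_DOMAIN = "gcp-sa-cloudscheduler.iam.gserviceaccount.com"
AGENT_ROLE = "roles/cloudscheduler.serviceAgent"  # Cloud Scheduler Service Agent
BROAD_ROLES = {"roles/owner", "roles/editor"}     # more than a client account needs


def roles_of(policy, member):
    """Roles bound to `member` in a get-iam-policy style document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b["members"]}


def audit_scheduler_identities(job, project_policy, project_id, project_number):
    """Return a list of findings; an empty list means the setup looks sane."""
    findings = []
    agent = f"serviceAccount:service-{project_number}@{AGENT_DOMAIN}"
    if AGENT_ROLE not in roles_of(project_policy, agent):
        findings.append("agent-role-missing")
    target = job.get("httpTarget", {})
    token = target.get("oidcToken") or target.get("oauthToken") or {}
    client = token.get("serviceAccountEmail", "")
    if not client:
        findings.append("no-client-service-account")
    elif client.endswith("@" + AGENT_DOMAIN):
        # The Google-managed agent must not double as the job's token account.
        findings.append("client-is-service-agent")
    elif not client.endswith(f"@{project_id}.iam.gserviceaccount.com"):
        # Only user-managed accounts are recognised here; review others by hand.
        findings.append("client-project-unverified")
    broad = roles_of(project_policy, f"serviceAccount:{client}") & BROAD_ROLES
    if broad:
        findings.append("client-overprivileged:" + ",".join(sorted(broad)))
    return findings


# Constructed sample data (project id, number and account names are made up).
PROJECT_ID, PROJECT_NUMBER = "example-project", "123456789012"
CLIENT = f"scheduler-client@{PROJECT_ID}.iam.gserviceaccount.com"
AGENT = f"service-{PROJECT_NUMBER}@{AGENT_DOMAIN}"
GOOD_POLICY = {"bindings": [
    {"role": AGENT_ROLE, "members": [f"serviceAccount:{AGENT}"]}]}
BAD_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [f"serviceAccount:{CLIENT}"]}]}


def make_job(email):
    """Minimal job body with an OIDC token account (constructed target URI)."""
    return {"httpTarget": {"uri": "https://example.invalid/run",
                           "oidcToken": {"serviceAccountEmail": email}}}


if __name__ == "__main__":
    print(audit_scheduler_identities(make_job(AGENT), BAD_POLICY,
                                     PROJECT_ID, PROJECT_NUMBER))
```
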