Can't enable Cloud Build API (or any other) due to a missing permission. But what role contains the needed permission? - google-cloud-platform

I want to create my Cloud Build API but I don't have the proper permission. I know how to add permissions and am able to add roles in IAM; however, the error message leaves me clueless about what permission I actually need or what role holds that permission.
These are my current roles:
Service Account Key Admin
Organization Administrator
Project IAM Admin
Can someone give me the role or permission name so I can look it up?

Following the official IAM documentation on Cloud Build, I think that the role roles/cloudbuild.builds.editor could serve you well, since it grants full control of Cloud Build resources. Even though you have set the correct IAM permissions, you need to specify a specific role for this API. Please tell me if this has helped you.

The Editor role seems to contain the needed permission. However, it has a lot of excess permissions, so it's not the perfect solution.

Related

Unable to view organizational policies of GCP organization I own

Within an organization of which I am the sole admin, I am unable to enumerate and therefore manage the organizational policies from within the GCP console. Does anyone know why this might be and/or how I'd go about fixing it? Any guidance as to documentation that was perhaps missed during setup, etc. would be appreciated.
Organization Administrator includes the missing permissions resourcemanager.organizations.get along with orgpolicy.constraints.list and orgpolicy.policies.list.
Do note that this role is not automatically granted for being the sole user on the account, this has to be assigned via the IAM menu.
The Owner role does not have these permissions as the Owner is only limited on a Project level.

IAM permission 'dialogflow.conversations.list' on 'projects' denied

I've created a custom role in GCP, which I'm using to assign limited access to our business users, enabling them to train the chatbot. At the moment they can perform the functions as needed using the Training module, I would also like to give access to the History module, but I keep hitting an error
IAM permission 'dialogflow.conversations.list' on 'projects' denied.
When I try and add this permission, it's not available. I've noticed the second I make a copy of a standard dialogflow permission group, this object goes missing.
Any suggestions on how I can enable access to this module?
According to the Google documentation, not all permissions can be used in a custom IAM role.
Custom IAM roles have a limitation that some permissions are not available.
Below is the description of this custom IAM role limitation from the Google documentation page:
Some predefined roles contain permissions that are not permitted in
custom roles. To check whether you can use a specific permission in a
custom role, see Support level for permissions in custom roles.
Also, I checked whether the dialogflow.conversations.list permission is permitted or not. But it didn't even exist.
You can also check it here.
I think you can just grant a dialogflow.conversationManager role to group or users for your situation.
That dialogflow.conversationManager role looks perfect, I'll switch to that.
Many thanks!

Several missing permissions on GCP Console after account signup

Yesterday, I signed up for a Google Cloud Account. Since I want to link the user access with our own identity platform, I followed the instructions from this article:
https://cloud.google.com/blog/products/identity-security/using-your-existing-identity-management-system-with-google-cloud-platform
I got as far as the account is created but in the GCP Console, on several screens, I get errors of missing permissions to view things, let alone change things. Here is an example:
I was the one who created the account and in IAM I am listed as the Organization Administrator. How come I am missing so many permissions? Who within Google Cloud Support is listening/reading this and is able to help me?
This is not a bug that needs to be fixed. As the Owner, you can add any roles that you need to your account. Neither the Owner nor the Organization Administrator have all roles assigned. You can, however, add desired roles to grant your identity more permissions. Consult the documentation for permissions assigned to each role. Then add the required roles to your identity (email address).
However, I recommend that you do not use an account with Owner or Organization Admin roles. Lock that identity in your safe after creating several new identities that use the principles of least privilege and have MFA enabled.

Permissions to create OAuth client ID in Google Cloud

I'd like to create some OAuth client IDs in GCP but I do not have the permissions for that. I got a warning: "You don't have permission to create an OAuth client".
I can simply add me to the role roles/owner and do it, but I'd like to have something like a minimal permission/role to create OAuth client IDs. What permissions/roles from this list should I use?
https://cloud.google.com/iam/docs/understanding-roles#service_account_roles
I tried roles/iam.serviceAccountTokenCreator but it doesn't work.
Besides having at least the Viewer role assigned in order to see the Google Cloud Platform project and navigate the Cloud Console the only relevant permission in order to create an OAuth client should be clientauthconfig.clients.create. But notice that besides creating them, the user would not have the ability to delete or update them.
My suggestion would be to create a custom role that has at least the following permissions:
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
And make sure that the users have at least the Viewer Role as well as this custom role assigned.
You can try to create a custom role which has permissions clientauthconfig.*
Note: As per https://cloud.google.com/iam/docs/custom-roles-permissions-support, these permissions are in the testing phase, so please try them out thoroughly before putting them in production.
Hope this helps.
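As an added example (not code from any of the answers above), the following Python helper does locally what the answers here do by hand: it ranks roles by how many excess permissions they carry for a task (the "Editor has a lot of excess permissions" problem from the Cloud Build question), lists what is still missing from a set of assigned roles, and emits the YAML for a custom role holding exactly the clientauthconfig permissions suggested above. The role-to-permission table is a constructed subset, not the real role definitions; refresh it from the output of `gcloud iam roles describe`.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample subset of role -> permissions (NOT the full real definitions).
# Real data: gcloud iam roles describe roles/viewer --format=json  (see role_from_describe_json)
SAMPLE_ROLES: Dict[str, List[str]] = {
    "roles/owner": ["resourcemanager.projects.get", "iam.roles.create",
                    "clientauthconfig.clients.create", "clientauthconfig.clients.update",
                    "compute.instances.setMetadata", "serviceusage.services.enable"],
    "roles/viewer": ["resourcemanager.projects.get", "clientauthconfig.clients.get"],
    "roles/iam.serviceAccountTokenCreator": ["iam.serviceAccounts.getAccessToken",
                                             "iam.serviceAccounts.signBlob"],
}

# Permissions the task needs (from the answer above): create and update OAuth clients.
REQUIRED: List[str] = ["clientauthconfig.clients.create", "clientauthconfig.clients.update"]


def role_from_describe_json(text: str) -> Tuple[str, List[str]]:
    """Parse `gcloud iam roles describe ROLE --format=json` output into (name, permissions)."""
    doc = json.loads(text)
    return doc["name"], list(doc.get("includedPermissions", []))


def rank_roles(roles: Dict[str, List[str]], required: Iterable[str]) -> List[Tuple[str, int]]:
    """Roles that grant every required permission, as (role, excess_count), least excess first."""
    need = set(required)
    hits = [(role, len(set(perms) - need)) for role, perms in roles.items() if need <= set(perms)]
    return sorted(hits, key=lambda t: (t[1], t[0]))


def missing_permissions(roles: Dict[str, List[str]], assigned: Iterable[str],
                        required: Iterable[str]) -> List[str]:
    """Required permissions not granted by the union of the assigned roles."""
    granted = set()
    for role in assigned:
        granted |= set(roles.get(role, []))
    return sorted(set(required) - granted)


def custom_role_yaml(title: str, required: Iterable[str], stage: str = "BETA") -> str:
    """Role file for: gcloud iam roles create ROLE_ID --project PROJECT_ID --file role.yaml"""
    lines = [f"title: {title}", f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(required))]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rank_roles(SAMPLE_ROLES, REQUIRED))            # only roles/owner fits, with 4 excess
    print(missing_permissions(SAMPLE_ROLES, ["roles/viewer"], REQUIRED))
    print(custom_role_yaml("OAuth Client Editor", REQUIRED))
```

Bind the generated custom role together with roles/viewer, as the answer recommends, and re-run missing_permissions with both roles to confirm nothing is left over.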

Google cloud storage listing files in bucket requires permission for project owner

I'm currently using web UI to browse the files in one of the buckets and I happen to be the project owner as well. However I get a permission error
You need the storage.objects.list permission to list objects in this
bucket. Ask a project or bucket owner to give you this permission,
then try again.
I'm completely stumped as I'm project owner. Any ideas?
The role roles/owner doesn't grant access to data within buckets.
The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference.
On that page, CTRL-F for storage.objects.list (or for that matter, any other permission you're interested in) and you will see the roles that grant it on the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.
When buckets are created, roles/storage.legacyBucketOwner is granted to project owners, editors, and viewers by default. However, this permission can always be revoked, and in fact many users choose to remove this permission for more granular control over access to data in the bucket as opposed to project resources like VMs.
A good example would be a bucket which contains sensitive PII data. You might not want people who can SSH into VMs in the project to be in-scope to read that data.
In the GCP Console navigate to the IAM Admin menu.
Choose IAM (top menu item)
Select your account.
In the info panel click on Add Role
Add the Storage Object Admin role to your account
Choose Service Accounts menu item from the IAM menu (below Quotas)
Select the compute@developer.gserviceaccount.com or default account.
In the info panel click on Add Member and add your account.
You should now have full access to the Storage Bucket
I remember when I used Google Storage for the Speech API, I needed to go to the IAM console to add the "Storage Admin" role to the service account even though I'm the project owner.
I understand that you're not using gsutil. But at this point, maybe give it a try to create the service account and give it the right permission? Hopefully, this will make it work for you.
You can try running this command (the user principal is user:EMAIL, which grants the role roles/storage.legacyObjectOwner on the bucket):
gsutil iam ch 'user:myacc@mydoma.in:legacyObjectOwner' gs://mybucket
It worked for me.
Otherwise you can go into IAM and assign the Storage Admin role to your account.