I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, docs say it is a read-only role but it seems it has a lot of restrictions. what are the exact permissions of a viewer role?
To list the permission that a role contains, use the CLI:
gcloud iam roles describe roles/editor
gcloud iam roles describe
Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.
You can use the below gcloud commands for roles/viewer.
gcloud iam roles describe roles/viewer
You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands.
Granting access:
To quickly grant a role to a member, run the following gcloud ‘add-iam-policy-binding’ command:
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/editor
Revoking access:
gcloud projects remove-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
For more information, you can also refer to gcloud iam roles describe, roles Granting changing and revoking access to resources.
You should also bare in mind the concept of 'convenience values' that apply to Basic Roles.
In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command;
gcloud iam roles describe roles/viewer
In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependant on if Uniform Bucket Level Access is configured).
Related
Background
By default, Cloud Run uses the Compute Engine default service account which grants a broad range of permissions which are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
Create a role with the desired set of permissions (using gcloud iam roles create)
Create a service account (using gcloud iam service-accounts create)
Bind the role permissions to the service account.
Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three way binding between an user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition of user managed service account, but it's not mandatory. You can also create a user managed service account and bind it with predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path for the role
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>
I want to grant a service account access to a secret in Google Secrets Manager.
I can access the secret like this:
gcloud beta secrets versions access 1 --secret="thesecret" --project="myproject"
But when my service account tries the same command, gcloud emits this error:
ERROR: (gcloud.beta.secrets.versions.access) PERMISSION_DENIED: Request had insufficient authentication scopes.
The main question is: What else do I need to do to ensure that the service account can access the secret?
I have granted that service account "roles/secretmanager.secretAccessor" in Terraform like this:
resource google_project_iam_binding the-binding {
project = myproject
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:theserviceaccount#someotherproject.iam.gserviceaccount.com",
]
}
And I can verify that it has that role both in the gcp console and like this:
gcloud projects get-iam-policy myproject \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:theserviceaccount#someotherproject.iam.gserviceaccount.com"
ROLE
roles/secretmanager.secretAccessor
But there's this concept from the docs:
If a member only needs to access a single secret's value, don't grant that member the ability to access all secrets. For example, you can grant a service account the Secret Accessor role (roles/secretmanager.secretAccessor) on a single secret.
So it's like an iam-policy-binding can have an affinity to a particular secret, but I'm not sure which gcloud commands or terraform resources I can use to create such an affinity.
The first problem is that I was mistaken about which service account my environment was configured to use. So I had granted access to the service account, but I wasn't using it after all (apparently they're initialized inconsistently in my case). I fixed that by running this command before trying to access the secret:
gcloud config set account theserviceaccount#someotherproject.iam.gserviceaccount.com
Also, I didn't realize that there were more than one toplevel gcloud command that let you modify iam policy bindings. I had been exploring gcloud iam ... when what I needed was:
gcloud beta secrets add-iam-policy-binding projects/myproject/secrets/mysecret --member serviceAccount:theserviceaccount#someotherproject.iam.gserviceaccount.com --role roles/secretmanager.secretAccessor
The super admin (in my case, root#my-domain.com) assigned on the admin portal is supposed to receive full GCP privileges without further assignments in IAM, unless the understanding above is incorrect.
From the GCP IAM, however, when creating a new folder, it says "you do not have permission to create folders in this location".
Is there something else I need to do with super admin user in order to give it full privileges? Thank you for the help!
If you want this user to have rights at the Organization level, you must grant them either in the Google Cloud Console, CLI or API. These permissions (roles) are not granted by default. I am assuming that you want rights for the organization and for all folder levels.
Example CLI Command:
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] --member [USER_EMAIL] --role roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] --member [USER_EMAIL] --role roles/resourcemanager.folderAdmin
To get the ORGANIZATION_ID, look in the Google Cloud Console or via the CLI:
gcloud organizations list
More Information:
gcloud organizations add-iam-policy-binding
Access Control for Organizations
Access Control for Folders
I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?
You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the gcloud CLI you can create a custom role with
gcloud iam roles create, i.e:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer, for the
project ID example-project-id-1, containing only the permission
storage.buckets.get. Replace these values as desired and
accordingly.
Once done, you can assign this custom role also with a single gcloud
command by using gcloud projects add-iam-policy-binding:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:test-proj1#example.domain.com' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1 with your project ID, and
test-proj1#example.domain.com with the actual name of the service
account you want to assign the role to.
You most likely don't want to assign single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick existing one, or create own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.
permission error for uploading images to google cloud storage, but I already gave proper permissions on IAM
Error: reportai-images#even-shuttle-250512.iam.gserviceaccount.com does not have storage.objects.create access to reportai-images/images.jpeg.
at Gaxios.request (/home/jvcabral/Projects/reportai_image_upload/node_modules/gaxios/build/src/gaxios.js:70:23)
at process._tickCallback (internal/process/next_tick.js:68:7)
IAM Permissions
The IAM member account does not have the permission storage.objects.create on your project.
To list the IAM member roles assigned to a project execute this command. Replace PROJECT_ID with your Project ID which appears to be even-shuttle-250512.
gcloud projects get-iam-policy PROJECT_ID > project_roles.txt
Review the file project_roles.txt for the member and confirm what roles are assigned to the service account:
reportai-images#even-shuttle-250512.iam.gserviceaccount.com
To add a role to the project granting the service account the required permission:
Windows Syntax:
gcloud projects add-iam-policy-binding PROJECT_ID ^
--member=serviceAccount:reportai-images#even-shuttle-250512.iam.gserviceaccount.com ^
--role=roles/storage.admin
Linux/macOS Syntax:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:reportai-images#even-shuttle-250512.iam.gserviceaccount.com \
--role=roles/storage.admin
Note that in the previous command I assigned the role Storage Admin. Pick a role that meets your requirements for least privilege. For example roles/storage.legacyBucketWriter is probably more appropriate.
Cloud IAM roles for Cloud Storage