I am trying to remove a certain permission on google cloud functions using a for loop in gitlab ci.
for i in ${!CFS[#]}; do
gcloud functions remove-iam-policy-binding ${API_VERSION}-${CFS[$i]} --member=${MEMBER} --role=${ROLE}
done
The issue is that if the resource does not have the given role, for the member I am getting an error.
ERROR: (gcloud.functions.remove-iam-policy-binding) Policy binding with the specified member and role not found!.
I want to avoid this situation by checking if the member has the given role on the resource before executing the remove-iam-policy-binding gcloud command. Is there a way to check if a permission exists for a member on a given resource before removing it?
I was able to achieve this using the gcloud functions get-iam-policy and filtering the permission and role I wanted. If the role is set for the given user then I remove it.
for mem in $(gcloud functions get-iam-policy ${CFS[$i]} --flatten="bindings[].members" --filter="bindings.role:roles/cloudfunctions.invoker" --format="value(bindings.members)")
do
echo $mem
gcloud functions remove-iam-policy-binding ${CFS[$i]} --member=$mem --role="roles/cloudfunctions.invoker"
done
Related
I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, docs say it is a read-only role but it seems it has a lot of restrictions. what are the exact permissions of a viewer role?
To list the permission that a role contains, use the CLI:
gcloud iam roles describe roles/editor
gcloud iam roles describe
Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.
You can use the below gcloud commands for roles/viewer.
gcloud iam roles describe roles/viewer
You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands.
Granting access:
To quickly grant a role to a member, run the following gcloud ‘add-iam-policy-binding’ command:
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/editor
Revoking access:
gcloud projects remove-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
For more information, you can also refer to gcloud iam roles describe, roles Granting changing and revoking access to resources.
You should also bare in mind the concept of 'convenience values' that apply to Basic Roles.
In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command;
gcloud iam roles describe roles/viewer
In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependant on if Uniform Bucket Level Access is configured).
Is there a way to define an IAM policy or custom role to allow access to certain cloud storage buckets for a project instead of having to add the user for each individual bucket?
Create a custom role as per your requirement and write a shell script to grant a role to a member.
Example -
#!/bin/bash
members=(member1 member2 member3)
for i in “${members[#]}”
do
gcloud projects add-iam-policy-binding my-project \
--member=user:$i --role=role-id
done
The above script will bind the role to members.
gcloud command -
gcloud group add-iam-policy-binding resource \
--member=member --role=role-id
Group: The gcloud tool group for the resource you want to update. For
example, you can use projects or organizations.
resource: The name of the resource.
Member: An identifier for the member, An identifier for the member,
For example, user:my-user#example.com/.
I want to grant a service account access to a secret in Google Secrets Manager.
I can access the secret like this:
gcloud beta secrets versions access 1 --secret="thesecret" --project="myproject"
But when my service account tries the same command, gcloud emits this error:
ERROR: (gcloud.beta.secrets.versions.access) PERMISSION_DENIED: Request had insufficient authentication scopes.
The main question is: What else do I need to do to ensure that the service account can access the secret?
I have granted that service account "roles/secretmanager.secretAccessor" in Terraform like this:
resource google_project_iam_binding the-binding {
project = myproject
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:theserviceaccount#someotherproject.iam.gserviceaccount.com",
]
}
And I can verify that it has that role both in the gcp console and like this:
gcloud projects get-iam-policy myproject \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:theserviceaccount#someotherproject.iam.gserviceaccount.com"
ROLE
roles/secretmanager.secretAccessor
But there's this concept from the docs:
If a member only needs to access a single secret's value, don't grant that member the ability to access all secrets. For example, you can grant a service account the Secret Accessor role (roles/secretmanager.secretAccessor) on a single secret.
So it's like an iam-policy-binding can have an affinity to a particular secret, but I'm not sure which gcloud commands or terraform resources I can use to create such an affinity.
The first problem is that I was mistaken about which service account my environment was configured to use. So I had granted access to the service account, but I wasn't using it after all (apparently they're initialized inconsistently in my case). I fixed that by running this command before trying to access the secret:
gcloud config set account theserviceaccount#someotherproject.iam.gserviceaccount.com
Also, I didn't realize that there were more than one toplevel gcloud command that let you modify iam policy bindings. I had been exploring gcloud iam ... when what I needed was:
gcloud beta secrets add-iam-policy-binding projects/myproject/secrets/mysecret --member serviceAccount:theserviceaccount#someotherproject.iam.gserviceaccount.com --role roles/secretmanager.secretAccessor
I have created a ServiceAccount and a custom role from the GCP console.
However when trying to associate them, it fails as below:
gcloud projects add-iam-policy-binding my-project \
--member serviceAccount:cloudrun-poc#my-project.iam.gserviceaccount.com \
--role roles/MyCustomRole
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/ClusterUpscaler is not supported for this resource.
any ideas why?
You might have to create role MyCustomRole before attempting to assign it. No clue what it complains about role ClusterUpscaler, but there might not be a cluster present in that project... besides custom roles usually have names alike projects/{project-id}/roles/{role-name}. They can also be listed:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
You could run gcloud alpha iam policies lint-condition as the output suggests. For me, it was a missing gcloud command "Alpha".
I wasn't able to add a new member in GCP (IAM) with the role owner using the gcloud command
The below command fails:
gcloud projects add-iam-policy-binding linuxacademy-3 --member user:rohithmn3#gmail.com --role roles/owner
With the below Error/Exception:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.
- '#type': type.googleapis.com/google.cloudresourcemanager.v1.ProjectIamPolicyError
member: user:rohithmn3#gmail.com
role: roles/owner
type: SOLO_MUST_INVITE_OWNERS
But, the same command works well for other roles like: viewer, browser...! It just doesn't work for "owner".
Is there any alternative for this; if yes, How to add this in my Python Code.
Please help me here..!
Regards,
Rohith
You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project, Documentation