Is there any way to enforce the addition of labels while creating resources? If not, is there a way to automatically label resources when creating said resources in GCP?
My use case: I need this to investigate the price in Data Studio.
Thanks.
No, you can't enforce any one to put labels on resources on GCP (same for projects). BUT you can enforce TAG automatically by inheritance. (You can't oblige a user to use them, but, by default there is a tag).
The TAG are still in preview and were named "label next gen" during the Alpha period. So, you can use them like labels, but you can enforce authorization on them (who can up view/update/delete them). This feature is very interesting because today, anyone with admin/owner roles can update/change/delete labels and you lost the control and the monitoring of your resources.
You can also put IAM condition on them and enforce organization policies accordingly.
You can't enforce users to do so. However you can:
Create a log sink if a resource is created
Use that log sink to call a cloud function that will create an alert or give a default label
If you use infrastructure as code for example Terraform, you can put a CI/CD job that will check if a label is placed, and if not reject the PR.
Related
It is my first expirience in Google Cloud Platform and I'm confused.
I've got an access to a resource:
xxx#gmail.com has granted you the following roles for resource resource_name(projects/project_name/datasets/ClientsExport/tables/resource_name) BigQuery Data Editor
But if I open BigQuery Data Editor, I don't see project_name and resource_name. Search by resource_name also returns no result.
Is it only access that I have in the project (I didn't get another accesses and mails).
Could you please help me with this? Maybe should I get some additional access to resource_name will be available? If is there another way to find the resource?
Thank you in advance!
In the message you have access to BigQuery data inside a table. You can query them from your project, you are autorised to access them (and to write also, because you are editor).
However, this table isn't in your project, it's in another project that's why you don't see it directly in the BigQuery console. In addition, you haven't the right to read the metadata (roles/bigquery.metadataViewer) on the dataset of the other project. Eventually, you can't also view the table schema in the console, but the bq CLI allow you to view it.
I had some discussions with Google BigQuery team about that (because I got the same issue in my company), and updates should happen by the end of the year (or soon in 2022) to fix this "view" issue in the console.
It looks like you have IAM permission to access a specific resource in BigQuery but cannot access it from the GUI.
Some reasons you may not see access on your GUI:
You have permission to interact with BigQuery but don't have access to any of the data.
You aren't a member of the organization which provided the resources and they have higher level permissions (on the org level) which prevents sharing of resources outside of the org.
Your access is restricted to the command line/app level. (If your account is a service account then this is likely the case.)
I tried to create new AWS key pairs and the option to create disappeared
Does anyone know why?
It would be worth checking the IAM permissions associated with the User who is trying to create the key pair. Contact the Administrator (presumably you?) and investigate. I would suggest creating a Group with Permissions and adding them to that.
I performed an experiment and added aDeny policy to my IAM User that prevented me from being able to create a keypair.
I then tried to launch an instance and the option to create a keypair (in the dialog box you show above) was still available. So, the display does not vary according to permissions.
Therefore, something else is causing your situation. I would recommend trying it in a different browser. Also, check the underlying HTML to see whether the option is coded on the web page. Something is causing it to disappear.
It seems that there are two different Web UI for AWS Tag Editor (you need an AWS account to try them):
https://resources.console.aws.amazon.com/r/tags
I got this link from AWS Doc
https://eu-west-1.console.aws.amazon.com/resource-groups/tag-editor/find-resources?region=eu-west-1
In Management Console, if you select Resource Group > Tag Editor on the top of the console page, it will take you to this page
The two WebUI behave differently:
The former is global but the latter is region-specific (it will put you into a region even if you don't put the region parameter in the URL)
The former allows you to search for Not tagged in the filter; but the latter does not
The UI are slightly different
Is one of UI a newer version?
Update (2019-05-14)
(Please also see an explanation about the two links being NEW and OLD UIs that AWS offered at a certain point in time) By now the first link is gone. If you visit it, you will get a 404 Not Found error from AWS.
I am part of the team building the new Tag Editor. Yes, you are correct: Classic Tag Editor is deprecated, and will be shut down soon entirely. We are working on full feature parity between the two Editors, so you will very soon find everything you can do in the old one as well in the new one.
To add some more context on your different items below:
1) Both old and new Tag Editor use the same underlying tagging infrastructure, so this should never happen. Maybe there is some browser issue involved here? Feel free to open a support issue so we can look deeper into it, if this continues the case.
2) Yes, the new one also includes Lambda, and will very soon add more resource types. The same by the way for regions: The old Tag Editor supports not all regions, for example eu-north-1 or eu-west-3.
3) No, Route53 Hosted Zones are supported in both Editors. Route53 resources only exists in the us-east-1 region, so maybe you used the Tag Editor in another region?
4) Both Editors show the same data. The old editor merged what you used as Name Tag and the ID in the same field - in the new one, you see only the ID in the column ID, and the Name Tag is displayed in the column Tag: Name.
Searching across regions is something the new Editor soon will support, too, and the same applies for the filter you mention. For showing resources without a specific tag, there is a workaround you already can do: Click on the settings icon in the top right of the table, and enable the tag you are interested in as a column. You then can sort this column so that all untagged ones show up on top.
If you have any other ideas or requests for the Tag Editor, please let us know. The fastest and most reliable way is to just use the 'Feedback' Button in the console in the bottom left.
Cheers,
Florian
Hi I am providing my own answer here (thanks my colleagues Kannan for the insight)
#1 above is what AWS called Class Tag Editor. If you click on the Question mark on the Web UI (upper right corner), you will be taken to a page that says:
This documentation is for classic Tag Editor, which has been
deprecated
So #2 is the version that AWS want us to use.
Below I will called #1 Old and #2 New
I compared the example outputs from our environment (about 50 resources). The two outputs differ in these respects:
New seems to retain past resources for a longer time. For example, if an EC2 instance has been terminated, it may take a
longer time to be removed from the listing of New
New seems to include resources for DynamoDB but Old does not
Old seems to include resources for Route 53 Hosted Zones but New does not.
Both New and Old show Security Groups, but the ID strings are rendered slightly differently.
New renders an ID as sg-xxxxxxxxxxxxxxxxxxxxxx
Old renders an ID as someName (sg-xxxxxxxxxxxxxxxxx)
I wish to keep instance type / VPC etc private for users using my cloudformation script. Does anyone know of a way to hide these parameters during the stack creation wizard?
I know echo keeps the values private, but is there a way for it all to not be displayed on screen.
Ideally it would ask for Stack name and the rest of the page would be blank.
For sensitive parameter values (such as passwords), set the NoEcho property to true. That way, whenever anyone describes your stack, the parameter value is shown as asterisks (*****).
Although in your case, this cannot prevent the user of checking the instance type inside their respective tabs. Probably is a better idea to restrict the access of users to confidential information using IAM policies.
You can use cloud formation macro do such thing, Macro will help you to transform your template at runtime.
https://github.com/awslabs/aws-cloudformation-templates/tree/master/aws/services/CloudFormation/MacrosExamples/Public-and-Private-Subnet-per-AZ
I am trying to create a role within Sitecore which can publish content, but only within a specific area(s) of the site. I've added the standard Sitecore\Client Publishing role to my role, but I can't see how to prevent the role from being able to publish all areas of the site. I've looked at the Security editor and the Access viewer, but setting the write access of the sections only seems to affect the ability to edit those sections and has no effect on the ability to publish on those sections.
Workflow is the typical way this is handled. Giving roles access to approve (this could be called 'publish') content of certain sections of the content tree will be the best way to achieve what you are describing. Combine this with an auto-publish action to make it more user friendly.
One thing to keep in mind though using this method is referenced items (images from media library the content may be using for example). Take a look at the 'Publishing Spider' module on the shared source library http://trac.sitecore.net/PublishingSpider
EDIT: Update
I recently discovered this setting in the web.config: "Publishing.CheckSecurity". If set to true, this setting will only publish items if the user has read + write on the item and will only remove items from the web DB if the user has delete permissions.
I had a similar situation once and I created roles per section which only had read and write to that section and no where else (let say 'editor section 1') and another role which only had publishing permission for that section (let say 'publisher section 1'). Then added 'editor section 1' role to 'publisher section 1' role which gives you the role for publishing only specific section.
You do not need multiple workflows, same workflow with multiple roles can also achieve this goal
Answer to this is to set Publishing.CheckSecurity to true
You need to find this code inside web
<!-- PUBLISHING SECURITY
Check security rights when publishing?
When CheckSecurity=true, Read rights are required for all source items. When it is
determined that an item should be updated or created in the target database,
Write right is required on the source item. If it is determined that the item
should be deleted from target database, Delete right is required on the target item.
In summary, only the Read, Write and Delete rights are used. All other rights are ignored.
Default value: false
-->
<setting name="Publishing.CheckSecurity" value="false" />
Set the value="true"
But again you have to govern the security tightly, and assign user role properly. Failed to
do so you will experience buggy publishing.
Hope that will help