I would like to use a service account and give it storage.objects.create and storage.objects.delete (basically, so when I use this account, I can upload, re-upload, and delete, but NOT list or read a bucket).
I see pre-configured storage roles, e.g. 'Storage Object Creator', which has the create aspect (and works for create, but can't overwrite or delete).
I assume I need to create a Role. I seemed to be able to do that, but then could not seem to find that 'Custom Role' when trying to add a role to the service account.
So I guess I'm asking 'how do I add a custom role to a service account'?
I was doing all of this through the web ui.
Any help appreciated.
br, Simon
I tested and it works. You can find it in the custom section
Related
I'd like to create some OAuth client IDs in GCP, but I do not have the permissions for that. I got a warning "You don't have permission to create an OAuth client".
I can simply add myself to the role roles/owner and do it, but I'd like to have something like a minimal permission/role to create OAuth client IDs. What permissions/roles from this list should I use?
https://cloud.google.com/iam/docs/understanding-roles#service_account_roles
I tried roles/iam.serviceAccountTokenCreator but it doesn't work.
Besides having at least the Viewer role assigned in order to see the Google Cloud Platform project and navigate the Cloud Console, the only relevant permission in order to create an OAuth client should be clientauthconfig.clients.create. But notice that besides creating them, the user would not have the ability to delete or update them.
My suggestion would be to create a custom role that has at least the following permissions:
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
And make sure that the users have at least the Viewer Role as well as this custom role assigned.
You can try to create a custom role which has permissions clientauthconfig.*
Note: As per https://cloud.google.com/iam/docs/custom-roles-permissions-support, these permissions are in the testing phase, so please try them out thoroughly before putting them in production.
Hope this helps.
When I try to create a job in the GCP Cloud Scheduler I get this error:
{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}
When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.
I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.
Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?
Many thanks.
Ben
Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.
You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.
Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OIDC tokens.
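One way to script the fix Ben describes, as an added example rather than code from the thread: create your own service account for the job, grant the principal who creates the job roles/iam.serviceAccountUser on that account (the role that carries iam.serviceAccounts.actAs), and then point the job's OIDC token at that account. Project id, account id, principal, location, job name and target URI are assumptions passed as arguments; the Cloud Scheduler service agent that Google created is not touched.

```shell
# Added example, not code from the thread. Assumes gcloud is installed and authenticated,
# and that the caller passes PROJECT_ID, an account id, the principal, a location, a job
# name and the target URI. Set DRY_RUN=1 to print the gcloud commands instead of running them.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# The account that Cloud Scheduler will mint OIDC tokens for. This is the one YOU create;
# it is distinct from the Cloud Scheduler service agent that Google creates on enablement.
job_sa_email() {   # $1 = account id, $2 = project id
  echo "$1@$2.iam.gserviceaccount.com"
}

create_job_service_account() {   # $1 = project id, $2 = account id
  run gcloud iam service-accounts create "$2" --project="$1" \
      --display-name="Scheduler job identity"
}

# The principal creating the job needs iam.serviceAccounts.actAs ON THIS service account.
# roles/iam.serviceAccountUser carries that permission; binding it on the account resource
# rather than on the whole project is the least-privilege placement.
grant_act_as() {   # $1 = project id, $2 = account id, $3 = principal, e.g. user:ben@example.com
  run gcloud iam service-accounts add-iam-policy-binding "$(job_sa_email "$2" "$1")" \
      --project="$1" --member="$3" --role="roles/iam.serviceAccountUser"
}

# The job is created with the account from create_job_service_account as its OIDC identity.
create_http_job() {   # $1 project id, $2 account id, $3 location, $4 job name, $5 target URI
  run gcloud scheduler jobs create http "$4" --project="$1" --location="$3" \
      --schedule="*/10 * * * *" --uri="$5" --http-method=POST \
      --oidc-service-account-email="$(job_sa_email "$2" "$1")"
}

main() {   # usage: script.sh PROJECT_ID ACCOUNT_ID PRINCIPAL LOCATION JOB_NAME TARGET_URI
  create_job_service_account "$1" "$2"
  grant_act_as "$1" "$2" "$3"
  create_http_job "$1" "$2" "$4" "$5" "$6"
}
[ "$#" -eq 0 ] || main "$@"
```

Run it once with DRY_RUN=1 to review the three commands before they touch the project; the actAs error in the question comes from the binding in grant_act_as being missing on the account named in the job, not from anything on the service agent.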
Ok, this is making me pull my hair out; I can't believe it's so complex...
So, to achieve what the subject says, without giving the user read access to all files in all buckets (other buckets in the project have sensitive data):
I navigated to the bucket -> permissions and added the user as Storage Object Viewer, expecting this to be enough (later it appears this is enough if you have a direct link - or probably also the API), but the user trying to navigate the console gets stuck on https://console.cloud.google.com/storage/browser?project=xyz (bucket browser page). Message is: "You don’t have permission to view the Storage Browser or Storage Settings pages in this project"
How can I give the user access to list buckets (and therefore go through the UI path in the console), without giving general read access to all of Storage? There are no roles called "storage browser" or similar... I'm even up for creating a custom role, but what permissions would it need? Apparently storage.objects.list is not it.
Quick answer:
You need a custom role with:
storage.buckets.list
Rant answer:
Finally found the complete permissions reference.
https://cloud.google.com/storage/docs/access-control/iam-permissions
Looked easy enough knowing there are storage.bucket... permissions. With UI it was still a nightmare to create the role though. Adding permissions modal is tiny, and only filterable by role ^^. I don't know a role with these permissions but I know the exact permission. Shows 10 per page of 18xx permissions. Luckily storage permissions are very close to the end so adding service column + reverse sort only took 2 page steps or something. Oh wow, it's like they don't want people to understand this.
As of January 2021, to give a user access to the cloud storage console and access to a particular bucket, let's say to view or upload files:
Step 1: Create a custom role in Cloud IAM.
This custom role needs resourcemanager.projects.get and storage.buckets.list permissions.
The first permission allows the user to actually select the relevant project.
The second permission allows the user to list all the buckets in your account. Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to a bucket, your data is still private and secure.
Step 2: Create an IAM user.
Go into Cloud IAM.
Add an IAM user and assign them the new role you created in Step 1.
Step 3: Assign permissions on the bucket resource.
Go into the bucket you want to provide access to.
Go into the permissions pane.
Assign permission(s) to the IAM user you created in Step 2. Assign a Storage role that makes sense for your situation (i.e. Storage Admin if they need to read objects/write objects/update permissions/fully configure the bucket, or Storage Viewer for read-only access).
You can easily test this by using a personal email address and seeing if the permissions are correct and that you're not creating a data breach.
My use case: I needed to give a third party developer access to a bucket that would hold assets for our marketing site. He should not have access to any other bucket but should be free to add/remove assets in this marketing bucket. Being so, I assigned the developer Storage Object Admin role.
I want my service account to be able to create files and folders in my bucket but disallow any read/list/download for objects in that bucket. I am not able to figure out what permissions to set for my bucket/service-account. Any ideas on this?
You can have a look at the general Identity and Access Management (IAM) page for Google Cloud Storage. From that, you can either use one of the predefined Cloud Storage roles, or create a custom role with the specific IAM permissions that you need. Let's follow both approaches:
Standard Cloud Storage IAM Roles: in this page you can find the complete list of available IAM Roles. Given the use case you present, you should consider using roles/storage.objectCreator role, as it only grants storage.objects.create permissions, and you cannot view or list objects.
Custom IAM Roles: you can follow this guide to create a custom IAM Role, and then define the specific permissions that you want to grant to your bucket. In this other page you can see a list of all the available permissions. You should use storage.objects.create, but you may also be interested in adding another permission such as storage.objects.delete in order for the Service Account to be able to overwrite content (which cannot be done with the roles/storage.objectCreator role, as it does not have delete permissions).
So in general, and applying your specific use case, you could say that you can use the roles/storage.objectCreator standard role. However, you must take into account that using it, you will not be able to overwrite content, as for that purpose you will need the storage.objects.delete permission too. In that case, you can create a custom role.
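Both Simon's question at the top of the page and this one want the same thing: a service account that can upload, re-upload and delete objects in one bucket but can neither list nor read them. The script below is an added example, not code from either answer or from Google. It builds the custom role from storage.objects.create and storage.objects.delete (delete being what roles/storage.objectCreator lacks for overwrites), refuses to build a role that carries a read or list permission, and binds the role on the bucket rather than the project. Project id, bucket name, role id and service-account e-mail are assumptions passed as arguments.

```shell
# Added example, not code from the thread. Assumes gcloud is installed and authenticated and
# that the caller supplies the project id, bucket name and service-account e-mail as arguments.
# Set DRY_RUN=1 to print the gcloud commands instead of running them.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Permissions that would let the account read or enumerate objects. The requirement is
# upload / overwrite / delete only, so a role carrying any of these is rejected.
READ_OR_LIST_PERMS=" storage.objects.get storage.objects.list storage.buckets.list "

# check_no_read_perms PERM... : succeeds only if none of the permissions grants read or list
check_no_read_perms() {
  for p in "$@"; do
    case "$READ_OR_LIST_PERMS" in
      *" $p "*) echo "refusing: $p grants read/list access" >&2; return 1 ;;
    esac
  done
  return 0
}

# Overwriting an existing object needs storage.objects.delete on top of storage.objects.create,
# which is why roles/storage.objectCreator on its own cannot re-upload a file.
WRITE_ONLY_PERMS="storage.objects.create storage.objects.delete"

create_write_only_role() {   # $1 = project id, $2 = role id
  check_no_read_perms $WRITE_ONLY_PERMS
  run gcloud iam roles create "$2" --project="$1" --stage=GA \
      --title="Object writer (no read/list)" \
      --permissions="$(echo "$WRITE_ONLY_PERMS" | tr ' ' ',')"
}

# Bind the role on the bucket, not the project, so the account touches only this bucket.
# A project-level custom role may be bound on a bucket within that project.
bind_write_only_role() {   # $1 project id, $2 role id, $3 bucket name, $4 service-account e-mail
  run gcloud storage buckets add-iam-policy-binding "gs://$3" \
      --member="serviceAccount:$4" --role="projects/$1/roles/$2"
}

main() {   # usage: script.sh PROJECT_ID BUCKET SA_EMAIL
  create_write_only_role "$1" objectWriterNoRead
  bind_write_only_role "$1" objectWriterNoRead "$2" "$3"
}
[ "$#" -eq 0 ] || main "$@"
```

After binding, the account can PUT and DELETE objects by name but a GET or a bucket listing with its credentials fails with 403, which is the easiest end-to-end check that no read permission slipped in. Custom roles are visible under the "Custom" section of the role picker when you do the same binding in the console, which is where the original question got stuck.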
I am trying to give temporary access to AWS console for a few users (for a limited time), and they should not be able to view any resources created by the other users. These are the possible methods I could find:
Creating an IAM user for each user and assigning IAM policies: This is a straightforward process, but would it be possible to define the policy in such a way that every user is completely isolated from each other? The user should be able to create any resource, but view and manage only his resource. After use, the IAM user can be deleted to revoke access for the user to the AWS console.
Creating an AWS account under the root account Organization: This would guarantee isolation, but deleting a managed AWS account is not straightforward and hence this method does not seem viable.
Can anyone help me with a possible solution?
Edit: I am trying to dynamically create accounts/users on demand. (Thanks for pointing it out #JamesKn)
I would get them each to sign up for AWS and then run consolidated billing http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
That way they would be completely isolated but you would get one bill.