Permissions denied for Google Cloud Scheduler - google-cloud-platform

I am trying to create a Cloud Scheduler but when I click on Cloud Scheduler, I receive the error: There was an error while loading /cloudscheduler?folder=&organizationId=&project=my+project. You are missing at least one of the following required permissions:Project cloudscheduler.jobs.list
When I check the permissions for the same project in my service account I see I have been granted all Cloud Scheduler permissions. Attached is the screenshot.

The message indicates that the identity that you are using to access Cloud Scheduler does not have the required permission.
I recommend double-checking which identities you are using.
If you are using the Google Cloud Console, there is a person icon located at the top right of your browser. That will tell you the identity that you are using.
The console is basically the user interface that appears after logging in from here.
So yes, when you click the hamburger menu, you are in the GCP console.

Related

Twitter callback not working with Cloud Run

I'm trying to create a website to make F1 predictions with Flask.
We started developing in Heroku, and the Twitter API is already configured; you can check
https://demoflaskdance.herokuapp.com/
But now we are moving to Cloud Run, as Heroku does not support pyodbc. We deployed our project with the same code and added the URLs to apps.twitter.com, but when trying to log in with the link that Google provided https://demo-flask-dance-kjomqyaifq-ew.a.run.app
we get an error that says that the URL is not authorized.
Any help? Thanks
If your Cloud Run application does not require authenticated access, enable public access:
1. Go to the Google Cloud Console.
2. Select the service you want to make public.
3. Click Show Info Panel in the top right corner to show the Permissions tab.
4. In the Add members field, enter allUsers.
5. Select the Cloud Run Invoker role from the Select a role drop-down menu.
6. Click Add.
See: Allowing public (unauthenticated) access
If you require authenticated access, see this document: Authentication overview
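The console steps above leave a roles/run.invoker binding for allUsers in the service's IAM policy. The following is an added example, not part of the original answer, that audits policies for such public bindings; it assumes each policy has the JSON shape printed by `gcloud run services get-iam-policy SERVICE --format=json`, and the service names and members in the sample are constructed.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(service_policies):
    """Return one finding per binding that opens a service to public members.

    `service_policies` maps a service name to its IAM policy dict.
    """
    findings = []
    for service, policy in sorted(service_policies.items()):
        for binding in policy.get("bindings", []):
            exposed = PUBLIC_MEMBERS & set(binding.get("members", []))
            for member in sorted(exposed):
                findings.append({
                    "service": service,
                    "role": binding["role"],
                    "member": member,
                    # A condition narrows the grant but does not remove it.
                    "conditional": "condition" in binding,
                })
    return findings


# Constructed policies for three hypothetical services.
SAMPLE = {
    "demo-flask-dance": {"bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]}]},
    "internal-api": {"bindings": [
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]},
    "reports": {"bindings": [
        {"role": "roles/run.invoker",
         "members": ["allAuthenticatedUsers", "user:dev@example.com"]}]},
}

if __name__ == "__main__":
    for finding in public_bindings(SAMPLE):
        print(finding)
```

allAuthenticatedUsers is flagged as well because it admits any signed-in Google account, not only members of the project.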

How to give user access to GCP jupyterlab via "OPEN JUPYTERLAB" link in AI Platform console

... without giving access to everything in project with Roles like Editor.
Apparently giving access to Notebooks Admin is not sufficient. User gets 403 error.
It turns out that authentication for the notebook proxy that is automatically set up by Google requires that the user has access to use the default compute service account. So, apart from giving a proper role like Notebooks Admin, you need to:
1. Locate the default compute service account for your project.
2. Give the user in question access to the role "Use Service Account" on the service account permissions tab.

How to programmatically add Roles to cloud build service account?

I am trying to use setIAMPolicy for Cloud Build Service account @cloudbuild.gserviceaccount.com. I want to provide App Engine Admin, Cloud Run Admin permissions to the Cloud Build Service member so that it can do automated releases on App Engine.
Somehow it throws 404 when I pass resource of Cloud Build Service account while getting IAM Policy. To confirm, I tried GET https://iam.googleapis.com/v1/{name=projects/*}/serviceAccounts in API Explorer and it also does not return the Google Managed Service accounts. It seems it only returns the service accounts which are created and not the Google Managed default accounts.
How can I set IAM Policy to grant these permissions to Cloud Build?
The general idea is to enable these permissions for both App Engine and Cloud Run.
Also, a common problem is not knowing that cron permissions are needed for App Engine and Cloud Build. For example, this article mentions "Update cron schedules" as "No" for "App Engine Admin". Whether you need that or not depends on how your builds are done. If you end up needing that too, use the permission "Cloud Scheduler Admin" on your @cloudbuild.gserviceaccount.com. You can apply the same logic to other permissions, and that chart might be useful for knowing what is needed depending on your setup.

Google Cloud Build - View logs permissions

I am the owner of a project and want to give Permissions to another user to view Logs of Google Cloud Build, but I can not figure out which Role / Permission this user needs.
Roles I've unsuccessfully tried are:
Cloud Build Editor,
Cloud Build Viewer,
Stackdriver Debugger Agent,
Stackdriver Debugger User,
Cloud Trace Admin,
Logging Admin,
Private Logs Viewer,
Logs Viewer,
Monitoring Admin
Google Cloud enterprise support confirmed to me that the only role that currently grants this is the project-level Viewer permission (or Editor/Owner).
One workaround is to set the --gcs-log-dir flag when submitting a build to a bucket you control (rather than the default Google-managed gs://[PROJECT_NUMBER].cloudbuild-logs.googleusercontent.com/ bucket).
They're tracking making a more granular permission in this feature request: https://issuetracker.google.com/issues/134928412, which you can subscribe to updates on.
If you add the project viewer role then this will resolve the issue. But it seems like this is an issue (or maybe a feature request: to add the necessary permission to the Logs Viewer so that logs outside of the Stackdriver logging page can be viewed in other UIs as well). Looking at the documentation, it says "roles/viewer (Project Viewer) gives members the same permissions as roles/logging.viewer at the project level.", which means that just assigning the Logs Viewer should have given the user the necessary permission to view the logs in the Cloud Build UI.

Cloud Data Fusion storage.buckets.list permission issue

I just installed Cloud Data Fusion, and get this error when I try to explore the “Cloud Storage Default” bucket. How do I fix this?
cloud-datafusion-management-sa@xxxxxxxxxxxx-tp.iam.gserviceaccount.com does not have storage.buckets.list access to project xxxxxxxxxxxxx
Data Fusion Beta requires an additional step after creating an instance to grant its service account permissions on the project where it is created. This step is required only once per project.
To grant these permissions, follow these steps:
1. Visit the Google Cloud Console.
2. Navigate to the instance detail page by clicking on the instance name.
3. Copy the service account.
4. Navigate to the IAM page of your project.
5. On the IAM Permissions page, grant the service account the Cloud Data Fusion Service Agent role by clicking the Add button.
Once these steps are done, you can start using Cloud Data Fusion by clicking the View Instance link on the Cloud Data Fusion instances page, or the details page of an instance.
For more details, please refer to the Cloud Data Fusion reference documentation on permissions.
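Both the Cloud Build question earlier on this page and the Data Fusion steps above come down to adding role bindings for a Google-managed service account to the project's IAM policy (Resource Manager projects.getIamPolicy and projects.setIamPolicy); a policy on the service account resource controls who may use the account, not what the account may do. The following is an added example, not code from any of the posts: a read-modify-write helper run on a constructed policy, where the project number, e-mail addresses, etag and condition are placeholders and the role IDs are those of the roles named in the answers.

```python
import copy

# Role IDs of the roles named in the answers on this page.
CLOUD_BUILD_ROLES = [
    "roles/appengine.appAdmin",    # App Engine Admin
    "roles/run.admin",             # Cloud Run Admin
    "roles/cloudscheduler.admin",  # Cloud Scheduler Admin (cron updates)
]
DATA_FUSION_ROLES = ["roles/datafusion.serviceAgent"]


def grant_roles(policy, member, roles):
    """Return (new_policy, added_roles) with `member` bound to every role.

    Only unconditional bindings are reused; conditional bindings are left
    untouched. The etag is carried over so that setIamPolicy can reject a
    write that raced with another change to the policy.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    added = []
    for role in roles:
        target = next((b for b in bindings
                       if b["role"] == role and "condition" not in b), None)
        if target is None:
            target = {"role": role, "members": []}
            bindings.append(target)
        if member not in target["members"]:
            target["members"].append(member)
            added.append(role)
    return new_policy, added


# Constructed sample of what projects.getIamPolicy returns (placeholders).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/run.admin", "members": ["user:dev@example.com"]},
        {"role": "roles/appengine.appAdmin", "members": ["user:temp@example.com"],
         "condition": {"title": "constructed",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
}
PROJECT_NUMBER = "123456789012"  # placeholder project number
CLOUD_BUILD_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

if __name__ == "__main__":
    updated, added = grant_roles(SAMPLE_POLICY, CLOUD_BUILD_SA, CLOUD_BUILD_ROLES)
    print("roles added:", added)
```

For Data Fusion, pass the service account copied from the instance detail page (prefixed with `serviceAccount:`) together with DATA_FUSION_ROLES, then send the returned policy to setIamPolicy.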