Is there a way to define an IAM policy or custom role to allow access to certain cloud storage buckets for a project instead of having to add the user for each individual bucket?
Create a custom role as per your requirement and write a shell script to grant a role to a member.
Example -
#!/bin/bash
members=(member1 member2 member3)
for i in “${members[#]}”
do
gcloud projects add-iam-policy-binding my-project \
--member=user:$i --role=role-id
done
The above script will bind the role to members.
gcloud command -
gcloud group add-iam-policy-binding resource \
--member=member --role=role-id
Group: The gcloud tool group for the resource you want to update. For
example, you can use projects or organizations.
resource: The name of the resource.
Member: An identifier for the member, An identifier for the member,
For example, user:my-user#example.com/.
Related
I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, docs say it is a read-only role but it seems it has a lot of restrictions. what are the exact permissions of a viewer role?
To list the permission that a role contains, use the CLI:
gcloud iam roles describe roles/editor
gcloud iam roles describe
Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.
You can use the below gcloud commands for roles/viewer.
gcloud iam roles describe roles/viewer
You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands.
Granting access:
To quickly grant a role to a member, run the following gcloud ‘add-iam-policy-binding’ command:
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/editor
Revoking access:
gcloud projects remove-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
For more information, you can also refer to gcloud iam roles describe, roles Granting changing and revoking access to resources.
You should also bare in mind the concept of 'convenience values' that apply to Basic Roles.
In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command;
gcloud iam roles describe roles/viewer
In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependant on if Uniform Bucket Level Access is configured).
I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?
You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the gcloud CLI you can create a custom role with
gcloud iam roles create, i.e:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer, for the
project ID example-project-id-1, containing only the permission
storage.buckets.get. Replace these values as desired and
accordingly.
Once done, you can assign this custom role also with a single gcloud
command by using gcloud projects add-iam-policy-binding:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:test-proj1#example.domain.com' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1 with your project ID, and
test-proj1#example.domain.com with the actual name of the service
account you want to assign the role to.
You most likely don't want to assign single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick existing one, or create own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.
permission error for uploading images to google cloud storage, but I already gave proper permissions on IAM
Error: reportai-images#even-shuttle-250512.iam.gserviceaccount.com does not have storage.objects.create access to reportai-images/images.jpeg.
at Gaxios.request (/home/jvcabral/Projects/reportai_image_upload/node_modules/gaxios/build/src/gaxios.js:70:23)
at process._tickCallback (internal/process/next_tick.js:68:7)
IAM Permissions
The IAM member account does not have the permission storage.objects.create on your project.
To list the IAM member roles assigned to a project execute this command. Replace PROJECT_ID with your Project ID which appears to be even-shuttle-250512.
gcloud projects get-iam-policy PROJECT_ID > project_roles.txt
Review the file project_roles.txt for the member and confirm what roles are assigned to the service account:
reportai-images#even-shuttle-250512.iam.gserviceaccount.com
To add a role to the project granting the service account the required permission:
Windows Syntax:
gcloud projects add-iam-policy-binding PROJECT_ID ^
--member=serviceAccount:reportai-images#even-shuttle-250512.iam.gserviceaccount.com ^
--role=roles/storage.admin
Linux/macOS Syntax:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=serviceAccount:reportai-images#even-shuttle-250512.iam.gserviceaccount.com \
--role=roles/storage.admin
Note that in the previous command I assigned the role Storage Admin. Pick a role that meets your requirements for least privilege. For example roles/storage.legacyBucketWriter is probably more appropriate.
Cloud IAM roles for Cloud Storage
I want to copy an object from a Google Compute Engine instance to a Google Storage Bucket using gsutil cp. Both belong to the same owner (me) and to the same project. I want to automate the whole machine so authenticating manually is not what I want.
I have activated the necessary permissions to use a service account on a Compute instance (details below) but when I try to gsutil cp a file to the bucket, I get an AccessDeniedException.
The error message complains about missing storage.object.create or storage.object.list permissions depending on if my bucket target path ends in a folder (gs://<bucket>/test/) or file (gs://<bucket>/test.txt).
What I did to get permissions (I have already tried a lot, including creating redundant custom roles which I also assigned to the service account):
Start the instance:
gcloud instances create <instance> [...] \
--service--account <name>#<project>.iam.gserviceaccount.com \
--scopes cloud-platform,storage-full
Give the service account permissions on creation.
Give the service account permissions afterwards as well (just to be safe):
gcloud projects add-iam-policy-binding <project> \
--member serviceAccount:<name>#<project>.iam.gserviceaccount.com \
--role roles/storage.objectAdmin
Edit Storage bucket permissions for the service account:
gsutil iam ch \
serviceAccount:<name>#<project>.iam.gserviceaccount.com:roles/storage.objectAdmin \
gs://<bucket>
Edit Storage bucket access control list (owner permission):
gsutil acl ch -u <name>#<project>.iam.gserviceaccount.com:O gs://<bucket>
At some point enabled bucket-level IAM policies instead of per-object policies (just to be safe).
On the instance, use
gcloud auth activate-service-account --key-file <key>.json to authenticate the account.
However, no matter, what I do, the error does not change and I am not able to write to the bucket. I can, however, read files from the bucket. I also get the same error on a local machine using the service account, so the problem is not related to instances.
As well as ensuring that the service account that you're using has appropriate permissions, you also need to ensure that the instance you're using has the appropriate scopes to access Google Cloud Storage, which they usually don't be default. You can either set the scopes to Allow full access to all Cloud APIs or set them individually if you'd prefer. You can find instructions on how to do so here.
I created a new service account and executed the exact same steps... Now it works.
I wasn't able to add a new member in GCP (IAM) with the role owner using the gcloud command
The below command fails:
gcloud projects add-iam-policy-binding linuxacademy-3 --member user:rohithmn3#gmail.com --role roles/owner
With the below Error/Exception:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.
- '#type': type.googleapis.com/google.cloudresourcemanager.v1.ProjectIamPolicyError
member: user:rohithmn3#gmail.com
role: roles/owner
type: SOLO_MUST_INVITE_OWNERS
But, the same command works well for other roles like: viewer, browser...! It just doesn't work for "owner".
Is there any alternative for this; if yes, How to add this in my Python Code.
Please help me here..!
Regards,
Rohith
You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project, Documentation