I've created a custom role in GCP, which I'm using to assign limited access to our business users, enabling them to train the chatbot. At the moment they can perform the functions as needed using the Training module, I would also like to give access to the History module, but I keep hitting an error
IAM permission 'dialogflow.conversations.list' on 'projects' denied.
When I try and add this permission, it's not available. I've noticed the second I make a copy of a standard dialogflow permission group, this object goes missing.
Any suggestions on how I can enable access to this module?
Add Permissions Screenshot
According to Google document, Not all permissions can be used for custom IAM role.
Custom IAM role has a limitation that some permissions are not available.
Below is description about limitation of custom IAM from google document page.
Some predefined roles contain permissions that are not permitted in
custom roles. To check whether you can use a specific permission in a
custom role, see Support level for permissions in custom roles.
Also, I checked whether dialogflow.conversations.list permission is permitted or not. But It didn't even exist.
You can also check it here.
I think you can just grant a dialogflow.conversationManager role to group or users for your situation.
That dialogflow.conversationManager role looks perfect, I'll switch to that.
Many thanks!
Related
I want to create my Cloud Build API but I have not the proper permission. I know how to add permissions and am able to add roles to my IAM however the error message leaves me clueless in what permission I actually need or what role holds that permission.
These are my current roles:
Service Account Key Admin
Organization Administrator
Project IAM Admin
Can someone give me the role or permission name so I can look it up?
Following the official IAM documentation on Cloud Build, I think that the role of roles/cloudbuild.builds.editor could serve you well, since it grants full control of Cloud Build resources. Even though you have set the correct IAM permissions, you need to specify an specific role for this API. Please, tell me if this has helped you.
The Editor role seems to contain the needed permission. However it has a lot of excess permissions so it's not the perfect solution
I have an IAM role with AdministratorAccess, but when I upload a custom template to AWS CloudFormation, I get the following error:
Operation failed, ComputeEnvironment went INVALID with error:
CLIENT_ERROR - You are not authorized to call EC2 Describe operations.
It is required to perform CreateLaunchConfiguration operation.
All the other resources seem to complete successfully, so I'm not sure if there is some sort of role delegation taking place?
It is possible that you are affected by Service Control Policies (SCPs) or by Permission Boundaries or even other policy types.
Identity-based policies
Resource-based policies
Permissions boundaries
Organization SCPs
Access control lists
Session policies
Regarding SCPs:
An SCP restricts permissions for IAM users and roles in member
accounts, including the member account's root user. Any account has
only those permissions permitted by every parent above it. If a
permission is blocked at any level above the account, either
implicitly (by not being included in an Allow policy statement) or
explicitly (by being included in a Deny policy statement), a user or
role in the affected account can't use that permission, even if the
account administrator attaches the AdministratorAccess IAM policy with
/ permissions to the user.
Also see How to use service control policies to set permission guardrails across accounts in your AWS Organization
As this article states,
The member accounts of an AWS Organization are unable to see the SCPs
that have been applied to them. Further, when actions are denied,
there is no way to know whether that is due to an IAM policy, an SCP,
or something else (ex. session policy, IAM boundary, resource policy).
This means there will be no indication in the error message from an
API call or in the CloudTrail log to show what denied the call. This
can make debugging issues difficult.
This article has some useful diagrams that show the different things that could be affecting/limiting the access.
I've been working on this problem for four days and finally came up with a solution that I think resolves it.
There are two kinds of CDK bootstrap: legacy and modern. Legacy is the default.
There appears to be a bug in the legacy bootstrap that affects some accounts and not others. I was able to verify that the same code worked for me on one account but produced the exact symptoms of this problem on a newly created account.
If you are not stuck with legacy bootstrap for some reason, just convert over to modern bootstrap. That should make the error (and the reason for the error) go away.
The instructions are here: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html
Basically, you have to set an environment variable before you call cdk bootstrap, and then you have to change either some code or some configuration in your project.
It is not intuitive that this feature exists in the CDK at all, nor that it would be the fix for this particular problem. However, it cleared it up for me. Maybe it will do the same for others.
I want my service account to be able to create files and folders in my bucket but disallow any read/list/download for objects in that bucket. I am not able to figure out what permissions to set for my bucket/service-account. Any ideas on this?
You can have a look at the general Identity and Access Management (IAM) page for Google Cloud Storage. From that, you can either use one of the predefined Cloud Storage roles, or create a custom role with the specific IAM permissions that you need. Let's follow both approaches:
Standard Cloud Storage IAM Roles: in this page you can find the complete list of available IAM Roles. Given the use case you present, you should consider using roles/storage.objectCreator role, as it only grants storage.objects.create permissions, and you cannot view or list objects.
Custom IAM Roles: you can follow this guide to create a custom IAM Role, and the define the specific permissions that you want to grant to your bucket. In this other page you can see a list of all the available permissions. You should use storage.objects.create, but you may be interested in adding also a different permission such as storage.objects.delete in order for the Service Account to be able to overwrite content (which cannot be done with the roles/storage.objectCreator role, as it does not have delete permissions).
So in general, and applying your specific use case, you could say that you can use the roles/storage.objectCreator standard role. However, you must take into account that using it, you will not be able to override content, as for that purpose, you will need the storage.objects.delete permission too. In that case, you can create a custom role.
How can I set this permission for a user? I only see a relevant Storage > Storage admin which provides storage.buckets.*, however I don't want this user account to have such broad permissions.
I have determined the above information from this page: https://cloud.google.com/storage/docs/access-control/iam-roles
I would like a user to have read only permissions to a bucket.
You can use ACLs over objects and buckets. You can give ”READER” permission for a particular user on bucket level. By giving this, the user can only read and download the object’s data.
A second approach is to give the user a Legacy Bucket IAM roles. You can give “Storage Legacy Bucket Reader ” role, which also gives the user ‘read only’ option. More details regarding this role can be found in this help center article.
Google has IAM Custom Roles in beta. You can use this to create a new role with the exact permission set you want.
My intention is simple- to create a role that I can assign to a standard user of my AWS account so that they can read/write to one of my S3 buckets.
I've created a policy to apply to the role and I'm happy with that bit.
The thing I'm a bit confused about is the "Select Role type" screen in the management console (see attached image). I can't work out what I'm supposed to choose at this stage as none of the descriptions seem to apply to the simple thing I'm trying to achieve.
Does anyone have any idea?
I think you are on the wrong path here. Roles are not ACLs for users, but for systems and services.
See: IAM Roles
If you want to grant a user access to some AWS resources you should have a look at the policy section. Either use a pre-build (like AmazonS3ReadOnlyAccess or AmazonS3FullAccess) or define a policy on your own.
You can then assign this policy to a user. If you want to manage multiple users this way, you can also use groups to assign policies to users.