How to create API Keys in GCP using service accont - google-cloud-platform

I have a service account with Owner permissions on the project (Just for testing this out)
Still I am not able to create API Keys using that service account via gcloud. It says "Permission Denied"
I am using the following commands.
1.
gcloud auth activate-service-account <Service-account>#<project-id>.iam.gserviceaccount.com --key-file=<key-file>.json
2.
gcloud auth list //Gives the service account name
3.
gcloud alpha services api-keys create --display-name=dummy
The above command works if I authenticate as a normal user with Owner permission but with service account it doesn't seems to work. Am I missing something ? Please help.

The APIKEY Api has a strange history. Relesed in Beta about 1 years ago, and now go back to Alpha. There is no public documentation (in reality it has been removed) and if you know this API, you have found it on SO or on old tutorial.
Anyway, just to say that it's not a reliable API and if you want to automate stuff on it (with call with a service account) it's not a good idea. In addition, sometime, APIs don't allow service account call but require user credentials. It was the case previously with the quota APIs, but it has been updated recently (this summer 2020).
Eventually, Google Cloud don't recommend to use APIKEY for security reason (we can discuss this more if you want). And thus, I don't think it is in its (security and best practice) strategy to promote an API that allows APIKEY automation.

Related

How to resolve GCloud permissions?

I am trying to publish my Android app to our company's Play Store.
On Google API access page
I am trying to create new service account. It does not work.
You are missing at least one of the following required permissions:
Project
orgpolicy.policy.get resourcemanager.projects.get Check that the
folder, organization, and project IDs are valid and you have
permissions to access them
My GCP shows myname#github.com google account.
On the other side,Google API(Google Play Console) shows MYCOMPNAY Team account.
How to solve this IAM problem?
I'll do my best to answer but the question lacks some detail.
As the error describes, service accounts are a distinct type of credential used by Google that are intended to be used by software (rather than humans) for interacting with Google services. It makes some sense (though I'm unfamiliar with the Play process) that you'd need to use service accounts rather than human accounts with this service.
Unlike, regular (human) accounts (e.g. yourname#github.com), service accounts are owned by Google projects. When you create a service account, you'll need to scope the account to an existing Google project.
Google provides various Consoles for different services. I'm most familiar with Google Cloud Platform (GCP) and so I would create projects and service accounts using GCP's CLI (Cloud SDK aka gcloud) or https://console.cloud.google.com. Are you using something similar?
Unfortunately, I think, Google's tools scope projects (even though these are universal Google resources) to specific platforms (Cloud, Firebase, Apps etc.) and so you may not be able to see all your projects via the e.g. Cloud Console.
So....
If you have a Play (!?) Console, there should be a mechanism to list|create projects. If you haven't already, created a project to own your service account. Then the tool should provide a mechanism to create a service account. Do so under that projects. Lastly, you'll need to grant the service account permissions so that it can do what you need it to do (e.g. publish your app).
If you add more details to your question, I may be able to help.
NOTE One distinction between human (e.g. yourname#github.com as a Google account) and a service account is that human accounts using 3-legged OAuth while service accounts use 2-legged OAuth. This is because the service account is not able to interact with OAuth prompts as a human user would and it is often a good "tell" when you need to use a human vs. a service account.
See:
Google Play: (API) Projects and Service Accounts
Understanding Service Accounts
Using OAuth for Server-to-Server apps

GCP Pub/Sub default service account is not getting created when enabling the API

We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed or if anyone has seen this previously?
Does it not exist or does you not see it?
I'm pretty sure that it exists but without any role granted on it and you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!

AWS Federated User - multiple aws accounts?

I'm not sure wether or not this is possible. We have a couple of different Amazon Web Service Accounts, in this case let us just call them:
Test environment 1
Test environment 2
Production environment
I really want to manage as much as possible with our google accounts. Let us say, as a developer i have access to all three accounts in AWS, and i want to be able to access all these accounts with this one mail. (is this even possible?).
I have tried following this guide: https://wheniwork.engineering/how-to-setup-google-sso-and-aws-4496f054a707
The saml login with google works just fine, but im not really sure how i can change accounts while logged in?
I would love for it to show all organizations that i have access to, and change between them
What you are looking for is already provided by the AWS and it's called 'AWS Landing Zone'
Using Landing Zone, you can spin up multiple AWS accounts, and log in using one credential (Ex: your existing AD credentials)
SSO
Accounts
If you are new to this, I suggest looking at this AWS Tutorial to get an idea about it.

Creating a new project in Google Cloud using python without service account credentials

I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of Tensorflow and stuff. Even when I can fully access training, deploying and testing models inside a project, I can't mke any new projects since I am authenticated with a service account through:
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
But as far as I understand, services account are project-binded so it's perfectly correct that creating a new project with it raises an error. In fact it does:
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
Falis with:
Service accounts cannot create project without a parent.
So either creating/finding a "parent" for this project or log in a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs)
Update:
I've tried creating a project using the "parent" flag on the project's body, on the Organization made from the corp I work on. and even when this service account has "Owner" and "Organization Administrator" roles the create requests fails with:
Encountered 403 Forbidden with reason "forbidden"
User is not authorized.
So the problem persists.
You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.
The problem is that your project is not part of an Organization (you have no parent). Your solution is to either setup Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to setup billing in order to do anything useful.
There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.
There are other types of access to cloud services such as API Keys, but these do not apply to your issue.
Quickstart Using Organizations

gcloud ml language Request had insufficient authentication scopes

For a relatively small academic research project, I am trying to use Google Cloud Natural Language API.
From what I understood on the Authentication Overview, it looks like an API key would be the best and simplest approach to authentication, rather than a service account or user account.
Creating the key was easy enough. But now I am stuck on how to actually use it in conjunction with gcloud commands on an Ubuntu VM instance on Google cloud compute engine.
When I try to run the simple example on the Natural Language Quickstart Guide, I get this error:
gcloud ml language analyze-entities --content="Michelangelo Caravaggio, Italian painter, is known for 'The Calling of Saint Matthew'."
ERROR: (gcloud.ml.language.analyze-entities) PERMISSION_DENIED:
Request had insufficient authentication scopes.
The documentation and Q&A I've seen related to this error are related to service accounts or user accounts, but I am trying to just use the "simple" API key.
The documentation for Using an API key shows how to do so via REST. But, for now as a "quick" test to see if I have the Natural Language API working, I want to just do a simple test with gcloud on the command line. I looked through the gcloud documentation, but could not find anything about specifying an API key string.
How can I run the above command with gcloud and authenticate with my API key?
If this API key turns out to be more of a hassle, I may consider switching to a service account.
Any help would be greatly appreciated...
Got this to work by:
From Google Cloud console:
Compute Engine -> VM instances
Click name of existing VM, which brings up VM instance details page. Click "Edit" link near the top of the page.
Then modify Cloud API access scopes to allow full access to all Cloud APIs.
If you are using a GCE VM the easiest way to authenticate to the Cloud APIs is to use the VM's service account. When you create the VM you can specify what scopes to authorize for the service account. The simplest solution is to provision a VM with Cloud Platform scope. Using gcloud
gcloud --project=$PROJECT compute instances create $VM --zone=$ZONE --machine-type=$MACHINE --scopes=cloud-platform