Using Google Cloud, there exists a BigQuery View table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default composer service account - however it doesn't have access to the 2nd project used in the sql of the view.
How do I give composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different project and component. Exactly the same thing with the service account email.
The service account belongs to a project. An user account belongs to a domain name/organisation. No real difference at the end.
So, you can use a service account email like any user accounts:
Grant authorization in any project
Add it in Google Groups
Even grant it viewer or editor role on GSuite document (Sheet, Docs, Slides,...) to allow it to access and to read/update these document!! Like any users!
EDIT
With Airflow, you can defined connexions and a default connexion. You can use this connexion in your DAG and thus use the service account that you want.
I think you have to add the service account into project IAM.
Related
This is frustrating because impersonation of a service account is much less flexible than AWS.
I want users of a Gsuite group to be able to impersonate ALL service accounts in a specific google project or project folder
But I'm only seeing example where you assign the serviceAccountTokenCreator role directly to the specific service account.
This is a pain to manage. If I have X number of service accounts in my dev gcp project I want to be able to just say "users in group X can impersonate all service accounts in project Y". Is this at all possible? Or do I need to create a binding for EVERY service account with a list of groups/users that can impersonate it.
To allow a member to impersonate all service accounts created in a project, folder, or organization, grant the necessary role on the project, folder, or organization.
Reference: https://cloud.google.com/iam/docs/impersonating-service-accounts#impersonate-parent-level
When I am using the following code:
cf create-org (ORG_name)
I am getting an error:
You are not authorized to perform the requested action
In many distributions of Cloud Foundry, an org represents an entire company or account so you likely won't be able to create another org without signing up for another account. (See MindSphere documentation)
Orgs and spaces are used to control user permissions and organize resources such as apps and services. Unless you are trying to create a space that you don't want your org manager to see, you might just create a new space instead.
Actually I have used to push my application to mindsphere, but it was not done because i used normal user account. It need developer account to push the account.
If this is a Developer tenant, then you will already have an org for the tenant, which has the same name as the tenant. You can't create another org. By default, only the tenant owner is in the OrgManager role which can access the org.
Either:
Get the tenant owner to add you to the OrgManager role
Use MindSphere Settings to create Service Credentials for Cloud Foundry. This will allow you to login to cf using those credentials, access the cf org and add your real user to the org
I have a Google cloud project created.
I created a service account with project editor role.
Now, if I give a user, serviceAccountUser role to the service account, it doesn't automatically gives the user permission on the project.
If I login using that user to Google cloud console, I'm unable to see the project itself.
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access." So, I thought I would be able to access all the projects as well. Does the above statement mean something else?
On GCP you have user accounts and service accounts. The main purpose of the service accounts is to consume GCP services via API calls, the documentation says: "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.". For login and interact with the GUI and resources you need a user account, if you want to see the resources the account need the viewer role, if you need perform operations on the resources you need admin role, review the documentation for more information (How IAM works).
I need a service account that can access multiple projects, but I have not been able to find a way to do this at all. It seems that a service account is always bound to a project.
Another option is to create a service account on the separate projects and then authenticate them using gcloud auth activate-service-account --key-file SOME_FILE.json, but the problem here is that it does not seem possible to automate the creation of service accounts.
So the question is then: Is it possible to create a cross project service account or to automate the creation of a service accounts? Even better would be if I could do both
You should be able to add a service account to another project:
Create the first service account in project A in the Cloud Console. Activate it using gcloud auth activate-service-account.
In the Cloud Console, navigate to project B. Find the "IAM & admin" > "IAM" page. Click the "Add" button. In the "New members" field paste the name of the service account (it should look like a strange email address) and give it the appropriate role.
Run gcloud commands with --project set to project B. They should succeed (I just manually verified that this will work).
Automatic creation of service accounts is something that we're hesitant to do until we can work through all of the security ramifications.
I know its a bit old, but if anyone is still looking for this,To add to #Zachary Newman answer, To make things clear, After you created a service account in project A you should go to project B to "IAM" (not "Service Accounts"), There you will be able to add the email you just created with proper roles.
I have confirmed that custom token signing worked with #Zachary Newman's procedure.
My concrete procedure of how I created a custom token in a GAE app in project A which can be used to connect to Firestore of project B is as follows:
In "IAM" page of project B, add service account {project-a}#appspot.gserviceaccount.com which is a GAE default service account of project A.
In "IAM" page of project B, assign "Service Account Token Creator" role to {project-a}#appspot.gserviceaccount.com.
Call the Firebase Admin SDK initializeApp method in a GAE app in project A with specifying firebase-adminsdk-xxxxx#{project-b}.iam.gserviceaccount.com, which is a service account with "Firebase Admin SDK Administrator Service Agent" in project B, as serviceAccountId and https://{project-b}.firebaseio.com as databaseURL and then create a custom token.
A Google group of which I'm Manager have been granted certain permissions to access certain BigQuery tables. Effectively all user in the group can access to those tables using their personal credentials.
I would like to share those permissions with a service account and access the tables using service account credentials.
Is this possible? How to configure it?
A service account is generally used for Server to Server communication (between applications). With that in mind, a service account has associated an email address just like the ones associated to your personnel. So, you can assign roles/permissions to the service accounts using its email just like you assigned to your group.
I hope that the following steps help you in some manner:
Create a service account.
Assign predefined BigQuery roles (Admin, DataEditor, User, etc).
Download its json file which contains the credentials.
Use those credentials to authenticate and authorize your application.
To add a specific permission (owner, edit or view) on a specific dataset you can use its service account email.