Grant users from CloudSQL instance IAM permissions to Cloud Storage objects - django

I have a question about GCP and this Django app I am making. I am using Google cloud storage to hold documents that I need to provide access permissions for to my users, but I can't think of how to link users from my app (being saved to CloudSQL-PostgresSQL) to my Google Cloud project.
This feels like it should be an easy case to handle, but i'm used to services like Cognito handling this for me.
Should I make a service account for every user?

Related

Using GCP's IAM to manage users and roles in a webapp

We're designing a complex web application what will be deployed on Google Cloud Platform.
As often happens, this web application needs to identify its users and render some dedicated sections of the GUI only to users with predefined roles. I.e. user "John" with roles "seller,sales" can access the web page listing the cars sold last month.
The question is, do you think I can use GCP's IAM to manage the webapp users and roles? Maybe adding new roles in GCP? (I don't know if that's feasible).
Our current idea is to deploy a Keycloack instance to manage users and roles, but if GCP's IAM can replace it... why not?
[EDIT] A possible duplicate of this question: How can Google IAM be used to manage authentication and authorization for a Spring Boot application

Google Cloud Project Service Accounts

I am using a Google Cloud Project to automate the creation of some users inside of our organization. I have been using some API's that are hosted using the Google Cloud and have had no problem authenticating and using the API's, however I am not sure if I should be using a service account for this. I am currently using the Google Drive API, the Google Admin SDK(Directory API), the Sheets API, and the Docs API to create some accounts and manage an error log.
What I am asking is, should I be creating a service account to use the API's or is my own personal Google Workspace account okay for creating these? Is there a site/video/something that can guide me in the right direction if I do need to create a service account. I personally would rather have all of the automation using a service account for authentication, but the only videos and tutorials I found on using the service accounts are trying to use resources pertaining to Cloud Computing and service accounts that are impersonating other service accounts.
Using a Service Account is the best course of action for security reasons when you are the one giving authorization and authentication to your organization.
It is identical to granting access to any other identity to allow a service account access to a resource. For instance, suppose you only want an application that runs on Compute Engine to be able to generate items in Cloud Storage.
As a result, instead of managing each and every one of your users, you may limit and manage service accounts, assign certain roles to specific users or groups, and keep track of them because several service accounts can be created in a project.
Since you use Google Workspaces, I also advise you to read the shared documentation posted in the comments by #John Hanley.

Allow an external user to use Google Cloud Plataform account

I created an account on Google Cloud Platform, but another user will need access to this account to work with me on managing the virtual machines.
How can I grant this access for this user to have access to a specific project?
I know that Google Ads and Google Analytics have options for this type of operation, but I haven't found anything similar on Google Cloud Platform.
Anyone accessing a GCP project will require a google account, but it need not be associated to your organization.
You can then add the user in the GCP IAM screen simply using their email address.
Then, add the user's email with appropriate roles. To work on the VMs, they will need Compute Admin role.
Once granted access, they will be able to use the gcloud commands or pantheon UI to administer the instances and gain access to the consoles.

How to resolve GCloud permissions?

I am trying to publish my Android app to our company's Play Store.
On Google API access page
I am trying to create new service account. It does not work.
You are missing at least one of the following required permissions:
Project
orgpolicy.policy.get resourcemanager.projects.get Check that the
folder, organization, and project IDs are valid and you have
permissions to access them
My GCP shows myname#github.com google account.
On the other side,Google API(Google Play Console) shows MYCOMPNAY Team account.
How to solve this IAM problem?
I'll do my best to answer but the question lacks some detail.
As the error describes, service accounts are a distinct type of credential used by Google that are intended to be used by software (rather than humans) for interacting with Google services. It makes some sense (though I'm unfamiliar with the Play process) that you'd need to use service accounts rather than human accounts with this service.
Unlike, regular (human) accounts (e.g. yourname#github.com), service accounts are owned by Google projects. When you create a service account, you'll need to scope the account to an existing Google project.
Google provides various Consoles for different services. I'm most familiar with Google Cloud Platform (GCP) and so I would create projects and service accounts using GCP's CLI (Cloud SDK aka gcloud) or https://console.cloud.google.com. Are you using something similar?
Unfortunately, I think, Google's tools scope projects (even though these are universal Google resources) to specific platforms (Cloud, Firebase, Apps etc.) and so you may not be able to see all your projects via the e.g. Cloud Console.
So....
If you have a Play (!?) Console, there should be a mechanism to list|create projects. If you haven't already, created a project to own your service account. Then the tool should provide a mechanism to create a service account. Do so under that projects. Lastly, you'll need to grant the service account permissions so that it can do what you need it to do (e.g. publish your app).
If you add more details to your question, I may be able to help.
NOTE One distinction between human (e.g. yourname#github.com as a Google account) and a service account is that human accounts using 3-legged OAuth while service accounts use 2-legged OAuth. This is because the service account is not able to interact with OAuth prompts as a human user would and it is often a good "tell" when you need to use a human vs. a service account.
See:
Google Play: (API) Projects and Service Accounts
Understanding Service Accounts
Using OAuth for Server-to-Server apps

Using Google Cloud KMS on behalf of user

I have a CLI tool that interacts with Google KMS. In order for it to work, I fetch the user credentials as a JSON file which is stored on disk. Now a new requirement came along. I need to make a web app out of this CLI tool. The web app will be protected via Google Cloud IAP. Question is, how do I run the CLI tool on behalf of the authenticated user?
You don't. Better use a service-account and assign the required role. That service account still could have domain-wide delegation of rights (able to impersonate just any user, which is known).
Running CLI tools from a web-application probably also could/should be avoided. Iit might be better to convert his CLI tool into a Cloud Function and then call it via HTTP trigger, from within the web-application (so that access to the service account is limited as far as possible).
This might also be something to reconsider, security-wise:
I fetch the user credentials as a JSON file which is stored on disk.
Even if it might have been required, with a service-account it wouldn't.