On GCP document:
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
So I would like to try this feature:
Create a project
Add testuser#example.com to the project and grant Viewer role.
Open a new browser and login into GCP console with testuser, and confirmed that the user can only view instances and cannot create instance.
Add a service account: sa-name#project-id.iam.gserviceaccount.com, and grant Compute Admin role, so this service account can create instance.
Grant testuser#example.com with service account user role to this service account.
So per above GCP document, I expect testuser#example.com can create instance, but the Create instance button remains disabled.
Then I grant testuser#example.com with service account user role in project level, still the Create instance button remains disabled.
So what is wrong?
Am I understanding wrong? grant testuser#example.com with service account user role does not give testuser the ability to create instance?
Am I doing something wrong?
How can I create instance by service account user?
The impersonate works with the command line when you explicitly ask the gcloud CLI to use impersonification. But it's not active by default and thus doesn't work on the GUI.
Try a gcloud command with the param --impersonate-service-account=<ServiceAccountEmail>
Note: you need to grant the "service usage consumer" role on the user at the project level, and the "service account token creator" role on the user at the service account level (or at the project level if you want to impersonate all the service account of the project). More detail in this blog post of John Hanley
Related
There's an "SSH" button that appears next to each VM that opens a terminal session in a new browser window if it's clicked.
It works for me if I have the project owner role, but anything less causes the button to be disabled.
Works:
Owner
Doesn't Work (All Combined):
App Engine Admin
BigQuery Admin
BigQuery Resource Admin
Cloud Functions Admin
Cloud SQL Admin
Compute Admin
Compute Instance Admin (v1)
Compute Network Admin
Compute OS Admin Login
Compute OS Login
Deployment Manager Editor
Logs Viewer
Project IAM Admin
Secret Manager Admin
Service Account Admin
Service Account Key Admin
Service Account User
Storage Admin
Viewer
Is there a role that's less than Owner that I can apply to myself and still get the "SSH" button to be enabled?
The documentation suggests these should be enough but they aren't resolving this issue:
Compute OS * Login
Service Account User
Thanks.
Access for project-level and above is managed in the IAM admin page, but will be displayed in the IAP admin page.
If you want to use an account without "Owner" as permission, you will need to add an "IAP-secured Tunnel User" role . Members who do not have this role "IAP-secured Tunnel User" won’t be able to see the SSH Button enabled. If you're using IAP to control access to administrative services like SSH and RDP, users will need the iap.tunnelInstances.accessViaIAP permission.
In order to solve this issue you will need to add the role "IAP-secured Tunnel User" to the user which has "Editor" as permissions. After 3-5 minutes, you will be able to see the SSH Button enabled. Once the permission is applied, the button will get active.
I believe that the eng team could have changed something in the SSH connection button, which now makes further permissions (contained in that role) mandatory.
Also check if the OS login is enabled. Because after you enable OS Login on one or more instances in your project, those VMs accept connections only from user accounts that have the necessary IAM roles in your project or organization.
To allow OS Login access to these VMs, you need to grant the necessary roles to the user. You can grant the instance access role at the project level or at the instance level. If a user requires SSH access from Google Cloud console or gcloud CLI, you must grant the instance access role at the project level, or additionally grant a role at the project level that contains the compute.projects.get permission.
Refer Resources and Permissions and Granting OS login IAM roles for more information.
I created a new VM in a google compute engine project. I changed the "Compute Engine" access scope to "Read Write" after creating the VM.
On the existing (long-running) VM, if I do:
gcloud iam service-accounts list
I see the default service account for the project.
However, if I do the same thing on the newly created VM, I get an error:
gcloud iam service-accounts list
ERROR: (gcloud.iam.service-accounts.list) User [<service-account>] does not have permission to access projects instance [<project>] (or it may not exist): Request had insufficient authentication scopes.
The original VM is a ubuntu-16, the new VM is ubuntu-18 freshly created from a google image.
If I look at the project IAM roles, my user has the following roles:
- Access Approval Config Editor
- Compute Admin
- Role Viewer
- Service Account Admin
- Owner
- Organization Administrator
What am I missing?
The access scopes for the two VMs are the same:
- Compute Engine Read Write
- Service Control Enabled
- Service Management Read Only
- Stackdriver Logging API Write Only
- Stackdriver Monitoring API Write Only
- Stackdriver Trace Write Only
- Storage Read Only
What controls access for the individual VMs other than the access scopes?
The problem was the SSH window was running under the service account, not my normal user account. I needed to run
gcloud init
to reconfigure to use my regular account.
I discovered this by doing
gcloud config list
on both machines.
PART 1
What controls access for the individual VMs other than the access
scopes?
The union of Compute Engine Scopes and service account permissions.
Google Compute Engine scopes limit permissions, scopes do not grant permissions.
The service account assigned to Compute Engine determines the permissions/roles that are available. Scopes can limit those permissions granted to the service account. Scopes cannot grant permissions that the service account does not already have.
Scopes are a legacy authorization mechanism.
PART 2
gcloud iam service-accounts list ERROR:
(gcloud.iam.service-accounts.list) User [] does not
have permission to access projects instance [] (or it may not
exist): Request had insufficient authentication scopes.
Part of this message is confusing to most people. Scopes are a legacy authentication mechanism that Google used before IAM. Scopes are similar to permissions and in this message mean OAuth 2 Permissions.
The command gcloud iam service-accounts list requires the permission iam.serviceAccounts.list which is present in roles such as roles/iam.serviceAccountUser named Service Account User. The service account mentioned in the error does not have one of the roles granting the permission to list service accounts or the Scopes are limiting a permission granted to the service account. Read my recommendation at the end.
Service Account Roles
Part 3
If I look at the project IAM roles, my user has the following roles:
The roles assigned to the user are not related to the roles assigned to the Compute Engine service account.
If you logged into Compute Engine using SSH and did not do anything else to authenticate then you are using Compute Engine Default Service Account credentials. Service Account and Scopes affect your permissions.
If you logged into Compute Engine using SSH and you use your own account for authentication (gcloud auth login or similar) then your user identity is using the the permissions granted to your user account and not the Compute Engine Default service account credentials.
Part 4
The original VM is a ubuntu-16, the new VM is ubuntu-18 freshly
created from a google image.
If the scopes are the same for both VMs, then your issue is the service account. Normally Compute Engine VMs use the Compute Engine Default Service Account. You can change which service account is assigned to each VM. Double check what is assigned to each VM.
Summary
I recommend that you set the scopes to Allow full access to all Cloud APIs and control the permissions via roles granted to the service account. Do not use roles such as Project Owner or Project Editor. Those roles are very powerful. Use fine grained permissions for each Google Cloud service that Compute Engine needs to access.
I have a Google cloud project created.
I created a service account with project editor role.
Now, if I give a user, serviceAccountUser role to the service account, it doesn't automatically gives the user permission on the project.
If I login using that user to Google cloud console, I'm unable to see the project itself.
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access." So, I thought I would be able to access all the projects as well. Does the above statement mean something else?
On GCP you have user accounts and service accounts. The main purpose of the service accounts is to consume GCP services via API calls, the documentation says: "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.". For login and interact with the GUI and resources you need a user account, if you want to see the resources the account need the viewer role, if you need perform operations on the resources you need admin role, review the documentation for more information (How IAM works).
what's the equivalent of AWS account number in Google cloud ?
If the user adds 2 service accounts to a portal, how to validate if the service accounts belong to different accounts or a single account.
AFAIK in GCP there's no account ID.
By reading the AWS documentation looks like the concepts are slighty different in GCP and in AWS.
As I understand, you want to identify if a service account in GCP belongs to an account, the thing here is that service accounts in GCP do not belong to any account.
Quoting from the documentation:
One of the features of IAM service accounts is that you can treat it both as a resource and as an identity.
When treating the service account as an identity, you can grant a
role to a service account, enabling it to access a resource (such as
a project).
When treating a service account as a resource, you can grant permission to a user to access that service account. You can grant
the Owner, Editor, Viewer, or Service Account User role to a user to
access the service account.
Example of how service accounts work in GCP as an identity:
Let's say that I have 2 GCP projects where I am owner in both
projects:
projectA where I am owner with my email owner-of-project#gmail.com
projectB where I am owner with my email owner-of-project#gmail.com
I log into projectA with owner-of-project#gmail.com and from there I create a service account:
Service account name: service-account-project-A
Role of the service account (permissions): "Compute Engine Admin" (meaning that this service account will have only access to Compute Engine resources within projectA).
Service account ID: service-account-project-a#projectA.iam.gservice
I can choose to generate a private key for this service account
I can also choose to enable G Suite Domain-wide Delegation
Then I can log into projectB with owner-of-project#gmail.com.
Once there I can add the service account as a member of projectB so the Compute Engine resources within project A will be reachable from projectB.
What you can do is list all the service accounts that are added in a particular project in the Service Accounts section of GCP Console.
We're trying to give a google cloud platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default editor permission for the project it exists on. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the IAM & Admin > Service accounts' tab).