I am trying to find a api to know the cloud account owner email address in case of aws cloud account . can some one help ? i see a api for the case where account belongs to aws organisation , my requirement is ,I need the api for stand alone aws accounts , any help is highly appreciated.
Currently it's not possible to use programmatic methods to access email address of Root user of a standalone AWS account. You must log in to the console using Root credentials to view or update the email address.
Related
I'm working with multiple Google Cloud projects and need to impersonate multiple users to perform certain actions on their behalf.
My question is, is it possible to impersonate from an impersonated Google account in Google Cloud? If so, what is the best way to achieve this? I know on AWS you can "double assume" a role with the STS service.
I've tried searching for information on this topic, but I haven't been able to find any clear answers also tried to do this in the python SDK but could not succeed:
Lets say we have service account A with TokenCreator role on Service Account B with TokenCreator role on service account C.
from google.auth import impersonated_credentials
service_account_b_impersonated_credentials = impersonated_credentials.Credentials(
source_credentials=source_credentials_a,
target_principal=source_credentials_b,
target_scopes=[],
lifetime=500,
)
service_account_c_impersonated_credentials = impersonated_credentials.Credentials(
source_credentials=service_account_b_impersonated_credentials,
target_principal=service_account_c,
target_scopes=[],
lifetime=500,
)
but when using the new credentials, I can't really do anything.
In the CLI I know I can use the --impersonate flag when executing an action such as list vms however didn't find a CLI command equivalent to STS on AWS to really act as the principal for all actions
Any help or guidance would be greatly appreciated.
Thank you!
I have another PC which has AWS CLI setup. I can still access the account and when I do aws s3 ls it lists all the buckets that I have. However, this is not connected to my current AWS root account. I don't know which account this AWS CLI credential belong to
Is there any possible way to recover or a hint so I can get the email address of the root account this CLI profile associated with?
I have tried aws sts get-caller-identity but I can't still figure out what my root email is
Edit: I found a user that I can sign in to the web console, but is there any way to recover the root's email address?
I have tried live chat with AWS billing and account, but they are unable to help.
In summary my situation is:
I have an account with access to AWS CLI and web console
This account is not the root account
How can I recover my root account?
If your AWS accounts are attached to an AWS Organisation, you can also see the aws root email address in the OU screen in the tree view:
https://us-east-1.console.aws.amazon.com/organizations/v2/home/accounts
This should list the root email of all of your Organisations associated accounts.
you can recover the root email, by creating an Organization if the account is not in Organization yet.
it will show the account's root email then in the Organization interface.
You can get the account id of your credentials with STS.
With AWS IAM CLI you can get the users which you can try to login with. It might be that a email address is used as username
To answer my own question, no it is not possible to recover the email of the root account for security reason
Not even AWS account support is able to help. I'm not sure if it can be escalated somewhere, but I can imagine the process will not be straightforward and taking into account it's a personal account, I don't think it's worth it
So my advice to those having the same question:
If you have a non root user with admin privilege, disable all running services to avoid incurring future charges
simply create a new account
I know it's not the ideal solution, but I don't think there's any other way
I wanted to setup my cloud identity but its asking me to verify the domain that is already hosted on GCP. Can you help me with Cloud Identity setup with a proper organisation created (today its named "No Organisation"). I'm the admin for this account DOMAIN: we host our Corporate website on GCP with domain already registered with DNS services in google.
on the GCP Identity page its also giving me the following message.
Your current account, k*****.***a#DOMAIN.NL, is not associated with an organization on Google Cloud. This checklist is designed for administrators who are trusted with complete control over a company’s Google Cloud resources. If you already have an administrator account for your organization, sign in with the account now. Or, ask your company administrator to start the checklist.
I guess I'm stuck in a Chicken-n-Egg problem.
You need to create a Google Workspace account. Create it on your domain DOMAIN.NL, with you as 1st admin user and with subscription plan or not (in my case, I wasn't able to remove the 15 days of trial. Get it, you will be able to remove the trial subscription later (in the user list) on the admin.google.com Workspace console). You are able to create your org for free, but it's absolutely not clear!!
From the new user account that you have created on your Workspace domain (you#DOMAIN.NL), you will be able to reach the console (console.cloud.google.com) and you have your org.
Now you need to migrate the projects and to review the authorization. You also need to (re)create a Billing Account.
I didn't find another way to achieve this.
Can someone help me to understand about service accounts ? how can we check using AWS CLI?
Here is the description from the official documentation:
An IAM user is a resource in IAM that has associated credentials and
permissions. An IAM user can represent a person or an application that
uses its credentials to make AWS requests. This is typically referred
to as a service account.
Here is the sample code
import boto3
client = boto3.client('iam',aws_access_key_id="XXX",aws_secret_access_key="XXX")
users = client.list_users()
for key in users['Users']:
print key['UserName']
The notion of a 'service account' is not an AWS thing. In IT generally, it's a user account specifically set up with long-term credentials that a server can use (as opposed to a person).
This is a bad thing. You don't ever want long-term credentials on your servers (and certainly not in your code or configuration). You should use auto-rotating credentials, such as available via IAM roles.
We are doing some development that involves BigQuery. One of our consultants does not have an account and does not have an email in our domain. Is there a way of granting him access?
Cheers,
Cris
Google cloud only accept a google account as a valid account, be it a google group, a gsuite account or a service account.
The best use case would be to generate a service account, and let him use this account with the gcloud sdk using the GOOGLE_APPLICATION_CREDENTIALS env variable.
In the case he would not be able to use the service account or if the product is not really friendly in the gcloud cli (I don't know much about bigquery), you could create a personnal account in your organization for him to used, or you could authorized his personal gmail account (check if 2fa is activated... We never know)...