The super admin (in my case, root#my-domain.com) assigned on the admin portal is supposed to receive full GCP privileges without further assignments in IAM, unless the understanding above is incorrect.
From the GCP IAM, however, when creating a new folder, it says "you do not have permission to create folders in this location".
Is there something else I need to do with super admin user in order to give it full privileges? Thank you for the help!
If you want this user to have rights at the Organization level, you must grant them either in the Google Cloud Console, CLI or API. These permissions (roles) are not granted by default. I am assuming that you want rights for the organization and for all folder levels.
Example CLI Command:
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] --member [USER_EMAIL] --role roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] --member [USER_EMAIL] --role roles/resourcemanager.folderAdmin
To get the ORGANIZATION_ID, look in the Google Cloud Console or via the CLI:
gcloud organizations list
More Information:
gcloud organizations add-iam-policy-binding
Access Control for Organizations
Access Control for Folders
Related
Background
By default, Cloud Run uses the Compute Engine default service account which grants a broad range of permissions which are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
Create a role with the desired set of permissions (using gcloud iam roles create)
Create a service account (using gcloud iam service-accounts create)
Bind the role permissions to the service account.
Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three way binding between an user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition of user managed service account, but it's not mandatory. You can also create a user managed service account and bind it with predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path for the role
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>
I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, docs say it is a read-only role but it seems it has a lot of restrictions. what are the exact permissions of a viewer role?
To list the permission that a role contains, use the CLI:
gcloud iam roles describe roles/editor
gcloud iam roles describe
Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.
You can use the below gcloud commands for roles/viewer.
gcloud iam roles describe roles/viewer
You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands.
Granting access:
To quickly grant a role to a member, run the following gcloud ‘add-iam-policy-binding’ command:
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/editor
Revoking access:
gcloud projects remove-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
For more information, you can also refer to gcloud iam roles describe, roles Granting changing and revoking access to resources.
You should also bare in mind the concept of 'convenience values' that apply to Basic Roles.
In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command;
gcloud iam roles describe roles/viewer
In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependant on if Uniform Bucket Level Access is configured).
I'm creating a sink by running the following command (as an organization administrator):
gcloud logging sinks create vpc_flow_sink storage.googleapis.com/<storage_bucket_name> --include-children --organization=<organization_id> --log-filter="resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows""
The command executes successfully and outputs the following text:
Created [https://logging.googleapis.com/v2/organizations/<organization_id>/sinks/<sink_name>].
Please remember to grant serviceAccount:o<organization_id>-511237#gcp-sa-logging.iam.gserviceaccount.com the Storage Object Creator role on the bucket.
However, when I go to actually apply the permission to the storage bucket, I cannot find this account (in either the project or within the organization). The accounts also do not appear when I run:
gcloud organizations get-iam-policy <organization_id>
When I describe the sink, the service account exists within the writerIdentity field:
gcloud beta logging sinks describe vpc_flow_sink --organization <organization_id>
...
writerIdentity: serviceAccount:o<organization_id>-511237#gcp-sa-logging.iam.gserviceaccount.com
...
For reference, to try debug this issue, I've attached the following roles: Organization Role Administrator, Logging Admin, Owner, Project Owner, Organization Administrator, Storage Admin.
I am genuinely lost on what to do, how do I go about granting the bucket the role to this account?
When applying the permission to you export destination, don't copy:
serviceAccount:o<organization_id>-511237#gcp-sa-logging.iam.gserviceaccount.com
but instead just use everything after serviceAccount:
o<organization_id>-511237#gcp-sa-logging.iam.gserviceaccount.com...
Google will then recognize the service account. However, I still cannot detect it via gcloud organizations get-iam-policy <organization_id>
I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?
You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the gcloud CLI you can create a custom role with
gcloud iam roles create, i.e:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer, for the
project ID example-project-id-1, containing only the permission
storage.buckets.get. Replace these values as desired and
accordingly.
Once done, you can assign this custom role also with a single gcloud
command by using gcloud projects add-iam-policy-binding:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:test-proj1#example.domain.com' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1 with your project ID, and
test-proj1#example.domain.com with the actual name of the service
account you want to assign the role to.
You most likely don't want to assign single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick existing one, or create own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.
There are several ways my user can get privileges in a Google Cloud Platform project. Direct role and privilege assignment, act as service accounts, different group membership.
So given a GCP project, how can I list the active privileges for my user?
Usually, in GCP, they are called "Permissions". For ease of use, those permissions are grouped in "Roles".
Each user can have different roles in your project. To get a full list of the accounts having each role in a project, you can use the Resource Manager API to get the IAM policies.
Long story short, make sure that gcurl is properly configured and just run the following command, filtering the output according to your needs:
curl -XPOST https://cloudresourcemanager.googleapis.com/v1/projects/$(gcloud config get-value project):getIamPolicy -d'{}' -H"Authorization: Bearer $(gcloud auth print-access-token)" -H'content-type:application/json'
gcloud projects get-iam-policy $PROJ \
--flatten="bindings[].members" \
--format='table(binding.role)' \
--filter="bindings.members:user:$USER"
USER is like email (me#org.com), PROJ is like project-123456.
UPDATE To search across all resources:
gcloud asset search-all-iam-policies --query=policy:$EMAIL