Add AWS account to GCP Stackdriver - amazon-web-services

I want to use GCP Stackdriver for my AWS accounts.
When I go to my workspace settings and click "Add AWS Account", it gives the following instructions:
Log in to your Amazon IAM console and click Roles
Click "Create New Role"
Select the role type "Another AWS account"
Check the box "Require external ID"
Enter the following:
Account ID: 123456789012
External ID: ab12345678
Require MFA: unchecked
Click "Next: Permissions".
Select "ReadOnlyAccess" from the policy template list and click "Next: Review"
Enter a "Role Name" such as Stackdriver and click "Create Role"
Select the "Role Name" you just entered from the role list to see the summary page
Copy the "Role ARN" value and paste it in the AWS Role ARN field below
I tried that on my AWS account but it's obvious that the IDs aren't real. How can I get the IDs to create my AWS link account?
I'm the GCP project's owner and have permissions to create projects too.
Thanks

Looking at the steps mentioned, you are following this document; the IDs are exactly the ones that Stackdriver Monitoring is telling you to use to create the role on AWS.
There is some issue with the new UI for Stackdriver Monitoring. To work around this issue, please follow these steps:
On the Stackdriver Monitoring console you will see a banner at the top:
"Stackdriver Monitoring in the Google Cloud Console is Generally Available. This is now the default experience and will be the only experience available by the end of January 2020"
Then click the use classic button to change to the old interface; there you will be able to say why you are changing to the old interface.
Once you get the old interface, go to Workspace Settings (located in your project name on the top/left side of the screen) --> Monitored accounts --> Add AWS account. There you will be able to get the correct Account ID and External ID for your OWN Stackdriver Workspace.
Then continue the steps as the guide says by creating the role on AWS and sharing the ARN with Stackdriver.
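
The console steps quoted in the question ("Another AWS account" plus "Require external ID", MFA unchecked) produce a role trust policy. The following is an added example, not part of the original thread: it builds that trust policy and audits an existing one for a missing or mismatched external ID. The Account ID and External ID are the placeholder values shown in the question, and the function names are hypothetical.

```python
import json

ACCOUNT_ID = "123456789012"   # placeholder value shown in the question
EXTERNAL_ID = "ab12345678"    # placeholder value shown in the question


def build_trust_policy(account_id, external_id):
    """Trust policy matching 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def as_list(value):
    """IAM JSON allows a single value or a list in the same field."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, account_id, external_id):
    """Return findings for Allow statements that grant sts:AssumeRole."""
    findings = []
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            if p not in allowed:
                findings.append(f"unexpected principal: {p}")
        # Without this condition, any caller in the trusted account can assume the role.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("no sts:ExternalId condition")
        elif cond["sts:ExternalId"] != external_id:
            findings.append("sts:ExternalId does not match the workspace value")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_ID, EXTERNAL_ID), indent=2))
```

Run the audit against the role's existing trust policy document with the Account ID and External ID that your own workspace displays.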

Related

Billing account for project is not open GCP

I'm trying to launch a compute instance into GCP using the command line:
gcloud compute instances create instance-1 --zone=uscentral1-a
And it tells me that billing is not open for the project:
API [compute.googleapis.com] not enabled on project [847006780503].
Would you like to enable and retry (this will take a few minutes)?
(y/N)? Y
Enabling service [compute.googleapis.com] on project [847006780503]...
ERROR: (gcloud.compute.instances.create) FAILED_PRECONDITION: Billing account for project '847006780503' is not open. Billing must be enabled for activation of service(s) 'compute.googleapis.com,compute.googleapis.com,compute.googleapis.com' to proceed.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=390002&project=847006780503&services=compute.googleapis.com&services=compute.googleapis.com&services=compute.googleapis.com
    type: googleapis.com/billing-enabled
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com/billing-enabled
  metadata:
    project: '847006780503'
    services: compute.googleapis.com,compute.googleapis.com,compute.googleapis.com
  reason: UREQ_PROJECT_BILLING_NOT_OPEN
I am able to launch compute instances in the console, but not on the CLI.
How do I enable billing for my project so that I can launch instances with the CLI?
To confirm that billing is enabled on your project please follow the next steps:
Sign in to the Google Cloud Console.
In the project drop-down (My Project) at the top of the Google Cloud Console page, select your project.
Open the console Navigation menu, and then select Billing.
If billing is not enabled on the project, a pop-up window will display, with text similar to:
"This project is not linked to a billing account"
If this is your case, you can enable billing on your project following this documentation: Enable billing for an existing project
To re-enable billing on a project, do the following.
Sign in to the Manage billing accounts page in the Google Cloud Console.
Select the My projects tab to view a list of projects and the associated Cloud Billing account for each project.
From the list of projects, locate the project for which you want to re-enable billing, and then click the menu next to it.
Select Change billing, then choose the desired destination Cloud Billing account.

AWS Student Starter Pack Region Change

I'm using an AWS student pack provided by my university. I want to switch the location to Bahrain from N. Virginia. Every time I try to do that I get the following error:
AWS Educate Starter Accounts are very limited.
You can check what is allowed in the link below:
AWS Services Supported with AWS Educate Starter Account
In short, you have no access to billing information and many, many other services and options.
You don't need to enter the Billing area in the console to change to Bahrain.
What you have to do is:
Log in on the AWS Educate site (https://aws.amazon.com/education/awseducate/)
Go to the top-right corner (AWS Account) inside the AWS Educate portal
Click "AWS Educate Starter Account". It will open another tab, "Workbench".
Click to open "AWS Console"
Now you are logged in to the AWS console.
Go to Services and select a service that changes with the region, for example EC2, RDS, etc. If you see "Global" in the top-right corner, you cannot change the region to Bahrain; please select another service first, then select the region.
I hope I could help.

How can I disable a GCP Service Account to create VM instances?

I need to disable a service account in Cloud IAM to create Compute Engine instances. Currently the service account has the Editor role on the project.
I tried adding a condition to disable compute/instance using condition builder but it doesn't allow this, saying primitive roles cannot be edited.
Condition Builder is in Beta.
You can remove the editor role and assign the required (custom) role to Service Account.
Open the IAM & Admin page in the Cloud Console. Click Select a project, choose a project, and click Open.
Identify the service account to which you want to add a role. If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account. If the service account is already on the members list, it has existing roles. To edit the service account's roles, click the Edit button.
Select one or more roles to apply to the service account.
Click Save to apply the roles to the service account.
Another option is:
Restrict who can use the service account.
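
The first option above (remove the Editor role, bind a narrower custom role) can be checked against the project's IAM policy document. The following is an added example, not part of the original answer: it lists the roles that let a service account create VM instances and returns a policy copy with the role swapped. The service account, project, custom role name and sample policy are constructed, and the role set is an assumed, non-exhaustive list.

```python
import copy

# Assumption: a non-exhaustive set of predefined roles that include
# compute.instances.create; extend it for your environment.
CREATE_VM_ROLES = {
    "roles/owner", "roles/editor",
    "roles/compute.admin", "roles/compute.instanceAdmin.v1",
}


def roles_allowing_vm_create(policy, member):
    """Roles bound to `member` that let it create Compute Engine instances."""
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", []) and b["role"] in CREATE_VM_ROLES
    )


def swap_role(policy, member, old_role, new_role):
    """Return a copy of `policy` with `member` moved from old_role to new_role."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == old_role and member in b["members"]:
            b["members"].remove(member)
    # Drop bindings left without members, then add the replacement role.
    bindings[:] = [b for b in bindings if b["members"]]
    target = next((b for b in bindings
                   if b["role"] == new_role and "condition" not in b), None)
    if target is None:
        bindings.append({"role": new_role, "members": [member]})
    elif member not in target["members"]:
        target["members"].append(member)
    return updated


# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SA = "serviceAccount:ci-bot@my-project.iam.gserviceaccount.com"
CUSTOM_ROLE = "projects/my-project/roles/appDeployer"  # hypothetical custom role
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": [SA, "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": [SA]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}
```

The custom role is assumed to omit compute.instances.create; the returned document keeps the original etag, so it can be written back with `gcloud projects set-iam-policy`.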

How to have a service account per bigtable instance?

I am a beginner on Google Cloud and Bigtable. I was wondering if it is possible to set up a service account having admin access to a single Bigtable instance?
If possible I would like to do it from the console.
This is what I use today:
To enable Cloud Bigtable IAM roles, please enable the Cloud Bigtable API via the Cloud Console, which you can find by searching the API Library for "Bigtable".
Once you've done this, the Cloud Bigtable IAM roles will show up, and you will be able to grant Cloud Bigtable IAM roles to service accounts, as you have done in the screenshot for other services.
That said, please note that all of these roles, including the ones in your screenshot, are not instance-specific, they are service-specific, but affect all instances of that service across the entire project.
To assign IAM roles on a per Cloud Bigtable instance level, follow these instructions:
Go to the Cloud Bigtable instances page in the GCP Console.
Check the boxes next to the instances whose roles you want to manage. An information panel appears.
In the information panel, click Permissions.
Under Add members, start typing the email address of the user or service account you want to add, then click the email address of the user or service account.
Click the Select a role drop-down list, then click Cloud Bigtable to select a predefined role or Custom to select a custom role.
Click the name of each role that you want to assign.
Click Add. The user or service account is granted the roles that you specified at the instance level.
Instance-level permissions are now available and you can assign roles to individual instances. This functionality is accessible via the Cloud Console by clicking the check box next to the Bigtable instance that you would like to configure.

Setup Amazon account on Intellij

I would like to set up my Amazon account in the IntelliJ AWS plugin.
I want to be able to access S3 and EC2.
I have the IntelliJ AWS plugin installed, but I can't figure out how to log in with my Amazon credentials.
As you can see here (image below), I can choose an account, but I can't figure out where to set it up.
Open Settings dialog (File->Settings).
In AWS->Accounts section create a new account and enter account number, access key ID and secret access key. (You can get them in your AWS account profile)
Press "Test Connection" button to verify that your settings are correct.
Press "Apply" after you are finished.