How can I disable a GCP Service Account to create VM instances? - google-cloud-platform

I need to disable a service account in Cloud IAM to create Compute Engine instances. Currently the service account has the Editor role on the project.
I tried adding a condition to disable compute/instance using condition builder but it doesn't allow this, saying primitive roles cannot be edited.

Condition Builder is in Beta.
You can remove the Editor role and assign the required (custom) role to the service account.
Open the IAM & Admin page in the Cloud Console. Click Select a project, choose a project, and click Open.
Identify the service account to which you want to add a role.
If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account. If the service account is already on the members list, it has existing roles. To edit the service account's roles, click the Edit button. Select one or more roles to apply to the service account.
Click Save to apply the roles to the service account.
Another option is:
Restrict who can use the service account.
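As an added example (not part of the original answer), here is the same "drop Editor, grant a narrower custom role" approach done with the gcloud CLI: it takes a permission list, removes the permissions that create VMs, writes a role definition file, grants the new role and only then removes roles/editor from the service account. The project ID, service account address and role ID are assumed placeholders, and the short permission list used when gcloud is not installed is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds a custom role from
# a permission list with the VM-creating permissions removed, then (only when
# gcloud is installed) creates the role and swaps it in for roles/editor on
# the service account. PROJECT_ID, SA_EMAIL and ROLE_ID are assumed
# placeholder values.
set -u

PROJECT_ID="${PROJECT_ID:-example-project}"
SA_EMAIL="${SA_EMAIL:-deployer@example-project.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-editorNoInstanceCreate}"
ROLE_FILE="${ROLE_FILE:-/tmp/$ROLE_ID.yaml}"

# compute.instances.create is the direct way to bring up a VM; managed
# instance groups create VMs under their own permission, so drop it as well.
DENY_PERMS="compute.instances.create compute.instanceGroupManagers.create"

# drop_permissions DENY_LIST
#   Reads one permission per line on stdin and prints those not in the
#   space-separated DENY_LIST.
drop_permissions() {
    deny="$1"
    while IFS= read -r perm; do
        [ -n "$perm" ] || continue
        keep=1
        for d in $deny; do
            [ "$perm" = "$d" ] && keep=0
        done
        [ "$keep" -eq 1 ] && printf '%s\n' "$perm"
    done
    return 0
}

# write_role_file OUT_PATH
#   Reads the kept permissions on stdin and writes the YAML role definition
#   that `gcloud iam roles create --file` expects.
write_role_file() {
    {
        printf 'title: Editor without instance creation\n'
        printf 'description: roles/editor minus %s\n' "$DENY_PERMS"
        printf 'stage: GA\n'
        printf 'includedPermissions:\n'
        while IFS= read -r perm; do
            [ -n "$perm" ] && printf '%s\n' "- $perm"
        done
    } > "$1"
    return 0
}

main() {
    if command -v gcloud >/dev/null 2>&1; then
        # value() joins list fields with ';', so split them back to one per line.
        gcloud iam roles describe roles/editor --format='value(includedPermissions)' \
            | tr ';' '\n' | drop_permissions "$DENY_PERMS" | write_role_file "$ROLE_FILE"
        gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$ROLE_FILE"
        # Grant the replacement first so the account never loses access mid-change.
        gcloud projects add-iam-policy-binding "$PROJECT_ID" \
            --member="serviceAccount:$SA_EMAIL" --role="projects/$PROJECT_ID/roles/$ROLE_ID"
        gcloud projects remove-iam-policy-binding "$PROJECT_ID" \
            --member="serviceAccount:$SA_EMAIL" --role=roles/editor
    else
        # Constructed sample permissions standing in for the real Editor list.
        printf '%s\n' compute.instances.get compute.instances.create \
            compute.instanceGroupManagers.create storage.objects.get \
            | drop_permissions "$DENY_PERMS" | write_role_file "$ROLE_FILE"
    fi
    echo "role definition written to $ROLE_FILE"
}

main "$@"
```

Two practical limits apply when cloning Editor this way: a custom role holds at most 3,000 permissions, and the permissions reference marks some permissions as not supported in custom roles, so an unedited copy of Editor may be rejected by `gcloud iam roles create`. In practice it is better to start from the permissions the workload actually uses (Cloud Audit Logs show which ones it calls) and keep the deny list as a safety net for anything that can create instances.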

Related

What IAM role allows a GCP user to open a Compute Engine SSH connection via the "SSH" button in the browser?

There's an "SSH" button that appears next to each VM that opens a terminal session in a new browser window if it's clicked.
It works for me if I have the project owner role, but anything less causes the button to be disabled.
Works:
Owner
Doesn't Work (All Combined):
App Engine Admin
BigQuery Admin
BigQuery Resource Admin
Cloud Functions Admin
Cloud SQL Admin
Compute Admin
Compute Instance Admin (v1)
Compute Network Admin
Compute OS Admin Login
Compute OS Login
Deployment Manager Editor
Logs Viewer
Project IAM Admin
Secret Manager Admin
Service Account Admin
Service Account Key Admin
Service Account User
Storage Admin
Viewer
Is there a role that's less than Owner that I can apply to myself and still get the "SSH" button to be enabled?
The documentation suggests these should be enough but they aren't resolving this issue:
Compute OS * Login
Service Account User
Thanks.
Access for project-level and above is managed in the IAM admin page, but will be displayed in the IAP admin page.
If you want to use an account without "Owner" as permission, you will need to add the "IAP-secured Tunnel User" role. Members who do not have the "IAP-secured Tunnel User" role won't be able to see the SSH button enabled. If you're using IAP to control access to administrative services like SSH and RDP, users will need the iap.tunnelInstances.accessViaIAP permission.
In order to solve this issue you will need to add the role "IAP-secured Tunnel User" to the user which has "Editor" as permissions. After 3-5 minutes, you will be able to see the SSH Button enabled. Once the permission is applied, the button will get active.
I believe that the eng team could have changed something in the SSH connection button, which now makes further permissions (contained in that role) mandatory.
Also check if the OS login is enabled. Because after you enable OS Login on one or more instances in your project, those VMs accept connections only from user accounts that have the necessary IAM roles in your project or organization.
To allow OS Login access to these VMs, you need to grant the necessary roles to the user. You can grant the instance access role at the project level or at the instance level. If a user requires SSH access from Google Cloud console or gcloud CLI, you must grant the instance access role at the project level, or additionally grant a role at the project level that contains the compute.projects.get permission.
Refer to Resources and Permissions and Granting OS Login IAM roles for more information.

Google cloud project to service account to user roles mapping creation

I have a Google cloud project created.
I created a service account with project editor role.
Now, if I give a user the serviceAccountUser role on the service account, it doesn't automatically give the user permission on the project.
If I log in as that user to the Google Cloud console, I'm unable to see the project itself.
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access." So, I thought I would be able to access all the projects as well. Does the above statement mean something else?
On GCP you have user accounts and service accounts. The main purpose of the service accounts is to consume GCP services via API calls; the documentation says: "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs." To log in and interact with the GUI and resources you need a user account: if you want to see the resources, the account needs the Viewer role; if you need to perform operations on the resources, you need an admin role. Review the documentation for more information (How IAM works).

How to use GCP Service Account User Role to create resource?

On GCP document:
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
So I would like to try this feature:
Create a project
Add testuser#example.com to the project and grant Viewer role.
Open a new browser and login into GCP console with testuser, and confirmed that the user can only view instances and cannot create instance.
Add a service account: sa-name#project-id.iam.gserviceaccount.com, and grant Compute Admin role, so this service account can create instance.
Grant testuser#example.com with service account user role to this service account.
So per above GCP document, I expect testuser#example.com can create instance, but the Create instance button remains disabled.
Then I grant testuser#example.com with service account user role in project level, still the Create instance button remains disabled.
So what is wrong?
Am I understanding wrong? grant testuser#example.com with service account user role does not give testuser the ability to create instance?
Am I doing something wrong?
How can I create instance by service account user?
Impersonation works with the command line when you explicitly ask the gcloud CLI to use impersonation. But it's not active by default and thus doesn't work in the GUI.
Try a gcloud command with the param --impersonate-service-account=<ServiceAccountEmail>
Note: you need to grant the "Service Usage Consumer" role to the user at the project level, and the "Service Account Token Creator" role to the user at the service account level (or at the project level if you want to impersonate all the service accounts of the project). More detail in this blog post by John Hanley.
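As an added example (not from either answer above), the following script turns the role lists from the SSH-button answer and from this impersonation answer into a pre-flight check: the SSH button needs IAP-secured Tunnel User plus an OS Login role at project level, and gcloud impersonation needs Service Account Token Creator on the service account plus Service Usage Consumer on the project. It reads live bindings from gcloud when gcloud is installed and otherwise from constructed sample bindings; the project ID and e-mail addresses are assumed placeholders, and the `missing_roles` helper is written for this example, not a gcloud feature.

```shell
#!/bin/sh
# Added example, not code from the original answers. Checks that a principal
# holds every role a feature needs, reading IAM bindings as one
# "<role> <member>" line each (the shape the gcloud --flatten/--format
# options below produce). Two checks from the answers above: the console SSH
# button (project-level roles) and gcloud impersonation (one binding on the
# service account, one on the project). PROJECT_ID, USER_EMAIL and SA_EMAIL
# are assumed placeholder values.
set -u

PROJECT_ID="${PROJECT_ID:-example-project}"
USER_EMAIL="${USER_EMAIL:-alice@example.com}"
SA_EMAIL="${SA_EMAIL:-deployer@example-project.iam.gserviceaccount.com}"

# Role IDs behind the display names used above. '|' separates alternatives:
# either OS Login role satisfies the SSH-button check. compute.projects.get
# (held through Viewer or above) is also needed; the sample user has Editor.
SSH_BUTTON_ROLES='roles/iap.tunnelResourceAccessor roles/compute.osLogin|roles/compute.osAdminLogin'
IMPERSONATION_PROJECT_ROLES='roles/serviceusage.serviceUsageConsumer'
IMPERSONATION_SA_ROLES='roles/iam.serviceAccountTokenCreator'

# missing_roles MEMBER REQUIRED
#   stdin: bindings, one "<role> <member>" per line. Prints each entry of the
#   space-separated REQUIRED list that MEMBER does not satisfy; returns 0 when
#   nothing is missing and 1 otherwise.
missing_roles() {
    member="$1"
    required="$2"
    held=" "
    while read -r role m; do
        [ "$m" = "$member" ] && held="$held$role "
    done
    status=0
    for entry in $required; do
        found=0
        for alt in $(printf '%s\n' "$entry" | tr '|' ' '); do
            case "$held" in *" $alt "*) found=1 ;; esac
        done
        [ "$found" -eq 1 ] || { printf '%s\n' "$entry"; status=1; }
    done
    return "$status"
}

# Live bindings in "<role> <member>" form (value() separates fields with a tab).
project_bindings() {
    gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
        --format='value(bindings.role,bindings.members)' | tr '\t' ' '
}
sa_bindings() {
    gcloud iam service-accounts get-iam-policy "$SA_EMAIL" \
        --flatten='bindings[].members' \
        --format='value(bindings.role,bindings.members)' | tr '\t' ' '
}

main() {
    if command -v gcloud >/dev/null 2>&1; then
        proj=$(project_bindings)
        sa=$(sa_bindings)
    else
        # Constructed sample bindings so the checks run offline: the user has
        # Editor and the IAP tunnel role but no OS Login role, and Token
        # Creator on the service account but no Service Usage Consumer.
        proj=$(printf '%s\n' "roles/editor user:$USER_EMAIL" \
            "roles/iap.tunnelResourceAccessor user:$USER_EMAIL" \
            "roles/compute.admin serviceAccount:$SA_EMAIL")
        sa=$(printf '%s\n' "roles/iam.serviceAccountTokenCreator user:$USER_EMAIL")
    fi
    echo "SSH button, project-level roles missing for $USER_EMAIL:"
    printf '%s\n' "$proj" | missing_roles "user:$USER_EMAIL" "$SSH_BUTTON_ROLES" || true
    echo "Impersonation, project-level roles missing for $USER_EMAIL:"
    printf '%s\n' "$proj" | missing_roles "user:$USER_EMAIL" "$IMPERSONATION_PROJECT_ROLES" || true
    echo "Impersonation, roles missing on $SA_EMAIL:"
    printf '%s\n' "$sa" | missing_roles "user:$USER_EMAIL" "$IMPERSONATION_SA_ROLES" || true

    # Only when gcloud is present and both impersonation bindings exist:
    # the user acts as the service account for one read-only command.
    if command -v gcloud >/dev/null 2>&1 \
        && printf '%s\n' "$proj" | missing_roles "user:$USER_EMAIL" "$IMPERSONATION_PROJECT_ROLES" >/dev/null \
        && printf '%s\n' "$sa" | missing_roles "user:$USER_EMAIL" "$IMPERSONATION_SA_ROLES" >/dev/null; then
        gcloud compute instances list --project="$PROJECT_ID" \
            --impersonate-service-account="$SA_EMAIL"
    fi
}

main "$@"
```

The two fetch functions make the distinction that trips people up explicit: `gcloud projects get-iam-policy` shows what a principal may do in the project, while `gcloud iam service-accounts get-iam-policy` shows who may use or impersonate the service account. The corresponding grants go through `gcloud projects add-iam-policy-binding` and `gcloud iam service-accounts add-iam-policy-binding` respectively.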

How can you give someone access to set permissions without making them a project owner on Google Cloud Platform?

We're trying to give a google cloud platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default editor permission for the project it exists on. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the 'IAM & Admin > Service accounts' tab).

How to have a service account per bigtable instance?

I am a beginner on Google Cloud and Bigtable. I was wondering if it is possible to set up a service account having admin access to a single Bigtable instance?
If possible I would like to do it from the console.
This is what I use today:
To enable Cloud Bigtable IAM roles, please enable the Cloud Bigtable API via the Cloud Console, which you can find by searching the API Library for "Bigtable".
Once you've done this, the Cloud Bigtable IAM roles will show up, and you will be able to grant Cloud Bigtable IAM roles to service accounts, as you have done in the screenshot for other services.
That said, please note that all of these roles, including the ones in your screenshot, are not instance-specific, they are service-specific, but affect all instances of that service across the entire project.
To assign IAM roles on a per Cloud Bigtable instance level, follow these instructions:
Go to the Cloud Bigtable instances page in the GCP Console.
Check the boxes next to the instances whose roles you want to manage. An information panel appears.
In the information panel, click Permissions.
Under Add members, start typing the email address of the user or service account you want to add, then click the email address of the user or service account.
Click the Select a role drop-down list, then click Cloud Bigtable to select a predefined role or Custom to select a custom role.
Click the name of each role that you want to assign.
Click Add. The user or service account is granted the roles that you specified at the instance level.
Instance-level permissions are now available and you can assign roles to individual instances. This functionality is accessible via the Cloud Console by clicking the check box next to the Bigtable instance that you would like to configure.
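As an added example (not part of the original answer), the following script applies the instance-level approach above from the gcloud CLI: it creates one service account per Cloud Bigtable instance and grants roles/bigtable.admin on that instance only, so no project-wide Bigtable role is involved. The project ID and instance names are assumed placeholders, and the `sa_id_for_instance` helper, which derives a valid service account ID from an instance name, is written for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. One service account per
# Cloud Bigtable instance, each granted roles/bigtable.admin on its own
# instance only, so no project-level Bigtable role is involved. PROJECT_ID
# and INSTANCES are assumed placeholders; gcloud runs only when installed.
set -u

PROJECT_ID="${PROJECT_ID:-example-project}"
INSTANCES="${INSTANCES:-orders-prod analytics-dev}"

# sa_id_for_instance INSTANCE
#   Derives a service account ID from an instance name. IDs must be 6-30
#   characters of lowercase letters, digits and hyphens and start with a
#   letter, so the name is lowercased, runs of other characters become '-',
#   a "bt-" prefix is added, short results are padded and long ones cut.
sa_id_for_instance() {
    id=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed 's/[^a-z0-9]\{1,\}/-/g; s/^-//; s/-$//')
    id="bt-$id"
    [ ${#id} -ge 6 ] || id="${id}-sa"
    printf '%s\n' "$id" | cut -c1-30 | sed 's/-$//'
}

# sa_email SA_ID: the account's e-mail address in this project.
sa_email() {
    printf '%s\n' "$1@$PROJECT_ID.iam.gserviceaccount.com"
}

for inst in $INSTANCES; do
    sa_id=$(sa_id_for_instance "$inst")
    email=$(sa_email "$sa_id")
    if command -v gcloud >/dev/null 2>&1; then
        gcloud iam service-accounts create "$sa_id" --project="$PROJECT_ID" \
            --display-name="Bigtable admin for instance $inst"
        # The binding goes on the instance policy, not the project policy.
        gcloud bigtable instances add-iam-policy-binding "$inst" \
            --project="$PROJECT_ID" --member="serviceAccount:$email" \
            --role=roles/bigtable.admin
        # Verify: the instance policy should now list the new account.
        gcloud bigtable instances get-iam-policy "$inst" --project="$PROJECT_ID" \
            --flatten='bindings[].members' \
            --format='value(bindings.role,bindings.members)'
    else
        printf '%s -> %s (roles/bigtable.admin on instance only)\n' "$inst" "$email"
    fi
done
```

Because the binding is created with `gcloud bigtable instances add-iam-policy-binding` rather than `gcloud projects add-iam-policy-binding`, each account can administer only its own instance; a project-level Bigtable role, as the answer notes, would cover every instance in the project.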