iam role permission for stackdriver console log view - google-cloud-platform

I need to set stackdriver console view permission for set of user.
Currently I have assigned them
roles/logging.viewer
role. But they cannot access the gcp console to view the stackdriver log.
For now I have given them project viewer role to access the log in gcp console.
Can this be done in some other way.

According to the documentation and as mentioned by #pradeep above, the role with the title: “Logs Viewer” if given to a user, the user is indeed granted the permissions to view the Stackdriver Logs in the GCP Logging Console View. You may verify this, as per documentation, in order to view (minimal read-only access) the Stackdriver Logs in the GCP Console, the following permissions are necessary:
logging.logEntries.list
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
resourcemanager.projects.get
, which are included in the aforementioned role.
I reproduced your case by visiting the “IAM & admin” section in my GCP Console. I added a new member of a gmail account. In the picture below, you may see the available options when adding a new member:
While selecting a role, I typed “log” in the “Type to filter” search field and added the role “Logs Viewer”, as you can see below:
The user with the corresponding email, which I had just added, was able to view the logs in the console by selecting the corresponding project.
Additionally, Google Groups are a convenient way to apply an access policy to a collection of users. My example though was examining one user with a gmail account.
Some additional information that you might find useful:
During my investigation, I figured out that users with the “Logs Viewer” role, will not be able to view the logs using "gcloud logging logs list" command, instead they will receive an error indicating that a permission is missing from the role. The permission needed in order to run the "gcloud logging logs list" command which is "serviceusage.services.usage" permission which is used by "Editor" and project "Owner" role and other roles. I understand this is not your issue, but I mention this as well just in case you encounter it.
There is a Public Issue Tracker about this matter to include the permission “serviceusage.services.use” in role roles/logging.viewer by default so you will not have to do it manually in the future. For now you will need to include the permission manually.
As i am not sure why your users can not view the Logs in the console, since my reproduction was successful, could you please attach a screenshot of the issue and further elaborate on the description of your question?
(for example:
describe the steps of how you are granting the roles/logging.viewer
does your workaround (granting project viewer) allow the users to view the Logs via Console?
do the users or you receive an error while trying to view Logs when roles/logging.viewer was granted?
)

If you give a user roles/logging.viewer permission then they can only view StackDriver service, they cannot access other service for example Storage.
What error do you get when giving only roles/logging.viewer ? Can you attach screenshot as well?

Related

How can i get the logs of roles modifications on some specific IAM user in GCP

I need to know who modified(added or deleted) the roles for some specific IAM user in GCP. I could not get these details in GCP logging even after adding data write in audit logging for IAM permissions.
Are we missing something here?
You need to query either your Cloud project, folder, billing account, or organization for audit logs.
Here you have an example of a query to a Cloud project and filtering just the logs where a particular user is involved:
gcloud logging read "logName : projects/$YOUR_PROJECT_ID/logs/cloudaudit.googleapis.com AND \
protoPayload.response.bindings.members:user#domain.com" --project=$YOUR_PROJECT_ID
Take a look at the official documentation for more information.

Permissions to create OAuth client ID in Google Cloud

I'd like to create some OAuth client IDs in the GCP but I do not have some permissions for that. I got a warning "You don't have permission to create an OAuth client"
I can simply add me to the role roles/owner and do it, but I'd like to have something like a minimal permission/role to create OAuth client IDs. What permissions/roles from this list should I use?
https://cloud.google.com/iam/docs/understanding-roles#service_account_roles
I tried roles/iam.serviceAccountTokenCreator but it doesn't work.
Besides having at least the Viewer role assigned in order to see the Google Cloud Platform project and navigate the Cloud Console the only relevant permission in order to create an OAuth client should be clientauthconfig.clients.create. But notice that besides creating them, the user would not have the ability to delete or update them.
My suggestion would be to create a custom role that have at least the following permissions:
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
And make sure that the users have at least the Viewer Role as well as this custom role assigned.
You can try to create a custom role which has permissions clientauthconfig.*
Note: As per https://cloud.google.com/iam/docs/custom-roles-permissions-support, these permissions are in testing phase so please try them out thorougly before putting in production.
Hope this helps.

Google Cloud Build - View logs permissions

I am the owner of a project and want to give Permissions to another user to view Logs of Google Cloud Build, but I can not figure out which Role / Permission this user needs.
Roles I've unsuccessfully tried are:
Cloud Build Editor,
Cloud Build Viewer,
Stackdriver Debugger Agent,
Stackdriver Debugger User,
Cloud Trace Admin,
Logging Admin,
Private Logs Viewer,
Logs Viewer,
Monitoring Admin
Google Cloud enterprise support confirmed to me that the only role that currently grants this is the project-level Viewer permission (or Editor/Owner).
One workaround is to set the --gcs-log-dir flag when submitting a build to a bucket you control (rather than the default Google-managed gs://[PROJECT_NUMBER].cloudbuild-logs.googleusercontent.com/ bucket).
They're tracking making a more granular permission in this feature request: https://issuetracker.google.com/issues/134928412, which you can subscribe to updates on.
If you add the project viewer role then this will resolve the issue. But, it seems like this is an issue (or maybe a feature request - to add the necessary permission to the Logs Viewer so that logs outside of the Stackdriver logging page can be viewed in other UIs as well), looking at the documentation it says "roles/viewer (Project Viewer) gives members the same permissions as roles/logging.viewer at the project level. " which means that by just assigning the Logs Viewer then it should have given the user the necessary permission to view the logs at the Cloud Build UI.

Google cloud storage listing files in bucket requires permission for project owner

I'm currently using web UI to browse the files in one of the buckets and I happen to be the project owner as well. However I get a permission error
You need the storage.objects.list permission to list objects in this
bucket. Ask a project or bucket owner to give you this permission,
then try again.
I'm completely stumped as I'm project owner. Any ideas?
The role roles/owner doesn't grant access to data within buckets.
The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference.
On that page, CTRL-F for storage.objects.list (or for that matter, any other permission you're interested in) and you will see the roles that grant it on the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.
When buckets are created, roles/storage.legacyBucketOwner is granted to project owners, editors, and viewers by default. However, this permission can always be revoked, and in fact many users choose to remove this permission for more granular control over access to data in the bucket as opposed to project resources like VMs.
A good example would be a bucket which contains sensitive PII data. You might not want people who can SSH into VMs in the project to be in-scope to read that data.
In the GCP Console navigate to the IAM Admin menu.
Choose IAM (top menu item)
Select your account.
In the info panel click on Add Role
Add the Storage Object Admin role to your account
Choose Service Accounts menu item from the IAM menu (below Quotas)
Select the compute#developer.gserviceaccount.com or default account.
In the info panel click on Add Member and add your account.
You should now have full access to the Storage Bucket
I remember when I used google storage for speech API, I need to go to IAM console to add "Storage Admin" role to the service account even though I'm the project owner.
I understand that you're not using gsutil. But at this point, maybe give it a try to create the service account and give it the right permission? Hopefully, this will make it work for you.
You can try running this command
gsutil iam ch 'user:myacc#mydoma.in:legacyObjectOwner' gs://mybucket
it's worked for me.
else you can go in I&AM and assign the storage admin role to your account.

How can you give someone access to set permissions without making them a project owner on Google Cloud Platform?

We're trying to give a google cloud platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default editor permission for the project it exists on. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the IAM & Admin > Service accounts' tab).