Please how can one know which email address i used for opening a GCP account based on the server IP ? I registered a GCP account months ago but can't remember which email was used.
If you can login to the server and that server has permissions to query IAM then you can list all the IAM members of the project. From the list you can infer which email you used.
If you can login to the server in a GCP Project then you can run following to get the project id:
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/project/project-id"
Then,You can run
gcloud projects get-iam-policy YOUR_GCP_PROJECT_ID
Also, if you remember the credentials of other gmail account which you mentioned in comment, you can login with those credentials to GCP Console and then look all the members in IAM section.
Hope this helps.
Related
I used the below command to Authenticate in MAC OS terminal
gcloud auth login
It redirects to the google login page and show the authentication process successful.
While using the command
gsutil -i fetebird-storage#fetebird.iam.gserviceaccount.com ls
Getting an exception as
AccessDeniedException: Service account impersonation failed. Please go to the Google Cloud Platform Console (https://cloud.google.com/console), select IAM & admin, then Service Accounts, and grant your originating account the Service Account Token Creator role on the target service account.
However, on the cloud I do have given the permission as shown below
Auth List
The current logged in user (fetebird#gmail.com) must have the Service Account Access Token Creator role.
You might think the owner role would be sufficient, however, when I tested this myself you need to explicitly add it to the account that is impersonating the service account.
https://cloud.google.com/iam/docs/service-accounts#token-creator-role
I ignorantly deleted the service account to my GCP project rather than the service account to Google Calendar API and Dialogflow service account.
I'm now having issues trying to deploy my dialogflow agent through the inline code editor to Cloud Functions.
When I check the logs, I get this message:
2020-07-30 15:48:40.350 WAT
Dialogflow API
CreateCloudFunction
us-central1
bashorun.emma#gmail.com
userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist.
Please recreate this account (for example by disabling and enabling the Cloud Functions API),
or specify a different account.;
com.google.cloud.eventprocessing.manager.api.error.DefaultServiceAccountDoesNotExistException: userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.; Code: FAILED_PRECONDITION com.google.apps.framework.request.StatusException: <eye3 title='FAILED_PRECONDITION'/> generic::FAILED_PRECONDITION: userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist.
Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.; com.google.cloud.eventprocessing.manager.api.error.DefaultServiceAccountDoesNotExistException: userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.; Code: FAILED_PRECONDITION
Is it possible to retrieve back the service account or am I getting these errors as a result of a different problem?
After a service account is deleted, you can recover it between 30 days after its deletion.
To do it, you can run the following command from cloud shell:
gcloud beta iam service-accounts undelete ACCOUNT_ID
The account ID can be taken from stackdriver logging with the following filter
resource.type="service_account"
resource.labels.email_id="service-account-name"
"DeleteServiceAccount"
Hope this helps to recover your service account.
Recover App Engine or any deleted service account
You can undelete service accounts. You will need the service account's unique ID. If you don't have it, you can find it on Google Cloud Logging.
You can find Logging service here on the side menu:
Then you will need to filter by date and type service account to find the exact moment the service was deleted.
Then you can either
Option 1: Use Google Cloud Command Line
You can run the command line by installing it on your computer (https://cloud.google.com/sdk/docs/install). Or you can run it online using the Active Shell offered by Google Cloud Platform.
The command you want to run is the following.
gcloud beta iam service-accounts undelete 12345678901234567890
Option 2: Use Google Cloud API
Using curl, call the API with the following command.
You will need to change API_KEY, PROJECT_ID and SERVICE_ACCOUNT_UID for real values.
curl -X POST \
-H "Authorization: Bearer API_KEY \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_UID:undelete"
You can get the API_KEY from Google Cloud Command Line:
gcloud auth application-default print-access-token
Again you can either have gcloud installed on your local machine or you can use it online with the Active Shell.
Trying to use OS-login from my account, which has the owner role and compute os login admin role to connect to an instance with enable-oslogin TRUE. This used to work well (maybe a week or more ago), but lately it has been giving me this error.
This is within the same organization, same project. So not sure where the error is coming from.
Did GCP change their OS-Login feature? I am unable to find anything in the release notes.
gcloud compute ssh instance
ERROR: (gcloud.compute.ssh) User [user] does not have permission to access user [user:importSshPublicKey] (or it may not exist): Insufficient IAM permissions. The instance belongs to an external organization. You must be granted the roles/compute.osLoginExternalUser IAM role on the external organization to configure POSIX account information.
The GCP message is saying that you are running the gcloud tool with a credential that don’t belongs to the same organization from the project.
Try to run “gcloud auth list” to validate the authenticated user.
If the user is incorrectly select run the gcloud config command to change the logged user or gcloud auth login to log with the proper credentials.
I wish that this can help you,
Eduardo Ruela
I am learning GCP and have the following question in regarding copying object into a bucket.
In Cloudshell I ran gsutil cp earthquakes.* gs://welynx-test1 and errored out:
Copying file://earthquakes.csv [Content-Type=text/csv]...
AccessDeniedException: 403 Insufficient Permission
I am logged in via SSH already so I checked the identity with whoami
xenonxie#instance-1:~/training-data-analyst/CPB100/lab2b$ whoami
xenonxie
And then I proceeded with editing the bucket's permission:
I added an email address to the Storage Admin member.
I then run gcloud auth login, and was prompted a link and clicking on the link takes me to browser where I log in with an email address, and then I will get a verification code to paste back to SSH window, and then became logged in as that email user:
You are now logged in as [xenonxie # gmail.com]. Your current project
is [rock-perception-263016]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
Question1:
What I don't understand is: I still see the same whoami as below:
xenonxie#instance-1:~/training-data-analyst/CPB100/lab2b$ whoami
xenonxie
Because I added the email in bucket permission as Storage Admin, I am able to save object into that bucket.
Question2:
I believe it is not needed to be Storage Admin, all I want is to write an object into that bucket. What is the best practice to do that?
Thank you very much.
Question 1":
You see the same whoami because that command is ran on the instance's shell so it is answering the session on instance-1.
Question 2:
Yes, you are right. If you are using the principle of least privilege as Storage admin is a role with more privileges than needed is not the best option.
As the use case you describe is only to write on the bucket you can use storage.objectCreator or roles/storage.legacyBucketWriter depending if you need to navigate in the bucket or don't.
To get more details about the roles available you can check this page
EDIT
To see the Google Cloud Platform Account being used you can use gcloud auth list and under you will get a list of accounts and one will be marked as active. The one marked as active is the one being used.
Question 1: whoami would output your Login username using with you Logged in on the machine. Use gcloud auth list command to check currently authorised User/Service account on machine.
Question 2: Storage Admin permission is not needed. storage.legacyBucketWriter permission would be sufficient.
Hope this helps.
I have .crt, .csr and .key file in ssl_cert directory of my gcloud VM. While creating a SSL Certificate I am using following command -
gcloud compute ssl-certificates create SSL_CERTIFICATE --certificate
/home/USER/ssl_cert/ssl.crt --private-key /home/USER/ssl_cert/ssl.key
and after executing the above command I get below error -
ERROR: (gcloud.compute.ssl-certificates.create) Some requests did not
succeed:
- Insufficient Permission
Can someone please help in resolving this basic error?
Run this gcloud command on your SSH terminal
gcloud auth login
A login link will be generated for you in the SSH, click on it, it will require you to login with the gmail account that owns the project. A code will be generated for you after login, copy and paste it back in your SSH terminal on the line where you have
Enter verification code :
Then hit the enter button, permission will be granted.
Try to rerun your initial command that returned insufficient permission.
Your issue seems to be related to this post:
gcloud compute list networks error: "Some requests did not succeed: - Insufficient Permission"
The solution suggested in the above post is to run the command: gcloud auth login. This will generate an authentication url. Copy and paste this url to your browser. It should return an authentication code. Enter this code in your command shell
"Insufficient permission" is returned by the web interface if you have not yet validated the domain for which you are uploading the certificate. I.e. if you are uploading a certificate for example.com you must have demonstrated that you own example.com.
To to this, using the GCloud web interface navigate to APIs & Services -> Credentials, and then click on Domain Verification. Then Add a domain. This will take you to a set of tools to allow you to validate that you own the domain. (In my case I added a TXT field in the DNS record.)
With this done, you can upload a certificate for that domain.
As per your question, you don't have full access to your server. Please ask your hosting provider to get you the full access for the same.