GCP Billing API permissions - google-cloud-platform

How do I create and assign a role with the following permissions to the Compute Engine service account or any other user account?
billing.accounts.get
billing.accounts.list
While setting up the permissions I get the following error:
Not applicable for project-level custom roles
These permissions can only be added to custom roles at the organization level; they have no effect at the project level or below.
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.getPaymentInfo
billing.accounts.getSpendingInformation
billing.accounts.getUsageExportSpec
billing.accounts.list
billing.budgets.get
billing.budgets.list
billing.credits.list
billing.resourceAssociations.list
billing.subscriptions.get
billing.subscriptions.list
Edit: I could not set it at the organization level either; I get the same error.
API: https://cloudbilling.googleapis.com
Error message:
You do not have sufficient permissions to view this page
There was an error while loading /iam-admin/iam?authuser=2&folder=&organizationId=1010102021615.
You are missing at least one of the following required permissions:
Organization
resourcemanager.organizations.getIamPolicy
Check that the folder, organization, and project IDs are valid and you have permissions to access them.
I am the one who signed up for this free trial GCP account (I am the super user), so I should have all permissions, right?

Related

Adding apikeys.keys.getKeyString (alpha) permission to custom IAM role in GCP

I have been trying to create a custom IAM role attached with the permission apikeys.keys.getKeyString which is in alpha stage. I am not able to see this permission listed under the options to add it to the custom role.
This is the error I am getting when running a script:
ERROR: (gcloud.alpha.services.api-keys.get-key-string) PERMISSION_DENIED: Permission 'apikeys.keys.getKeyString' denied on resource 'xxxxxxxxx'
However, when attaching the predefined role - API Keys Viewer, I am able to successfully run my script without an error. I assume that the permission apikeys.keys.getKeyString is added to the predefined role by default. Is there any way I can have this permission added to my custom role? Alternatively, is there another way I can get the API Key string using a standard permission instead of an alpha stage permission?
According to the current Understanding Roles documentation, the predefined role API Keys Viewer includes just:
apikeys.keys.get
apikeys.keys.list
apikeys.keys.lookup
You could try adding those permissions to your custom role to see if it works.
If not, you can make your custom role based on an existing role that does work, then add and remove any permissions you wish to change.
When the feature comes out of alpha, there may be other options.

How To Grant GCP Organization Level Permissions to Service Account via Command Line

I'm trying to create a data source in terraform to get information about a Google billing account.
data "google_billing_account" "ac" {
display_name = "foo-Billing"
open = true
}
But terraform throws the error Error: Billing account not found: foo-Billing which looks like my service account lacks the required permissions to do this, as the billing account definitely exists.
I'm able to run this command
gcloud projects add-iam-policy-binding main1-project --member=serviceAccount:$ID --role=roles/ROLE_NAME
which works fine with just about any other role binding except that of billing.admin, which throws the error
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role (roles/billing.admin) does not exist in the resource's hierarchy.
I'm fairly new to GCP so I'm not sure how to go about fixing this.
Is there a way to grant billing.admin permissions to a service account from the command line?
Maybe another API to call or something.
I'm able to grant the permission from the UI, which then makes my terraform command work, but I would like to be able to grant it from the command line.
You're getting this error because you're trying to assign the billing admin role from the project level but it can only be done at the organization level.
If you have an organization, then the same command should work with a slight tweak.
gcloud organizations add-iam-policy-binding ORGANIZATION --member=serviceAccount:$ID --role=roles/billing.admin
You should be able to get a list of your organizations using
gcloud organizations list
If you don't have any, then just create one.
You'll just need a G Suite or Cloud Identity account.

You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy

I checked the IAM & admin in the GCP console UI. I have two roles: (Company name) Project Owner and Editor. The member is my company email address.
But when I try to edit (the Edit button) other people's roles and permissions, I get the message below:
You need permissions for this action.
Required permission(s): resourcemanager.projects.setIamPolicy
My (Company name) Project Owner role is granted by the project manager. It seems I only have Editor role permission.
Update
I have an organization like this:
company.com
project_a
project_b
For project_b, I have the roles described above and meet this issue.
When I check the Over granted permissions (click 1489/1601) of (Company name) Project Owner, I get this:
There is no recommendation available at this time for this binding. However, you do not have permission to view the analysis of the current role definition.
But I can check Over granted permissions for Editor Role. I can only give as much information as I can
As mentioned in the comments, Project Owner is not one of the Primitive Roles for projects in GCP. It's most likely that Project Owner is a Custom Role created to provide access to users in your Organization.
The permission resourcemanager.projects.setIamPolicy is only contained in the following Roles:
Primitive Roles:
Owner (roles/owner)
Predefined Roles:
Security Admin (roles/iam.securityAdmin)
Folder Admin (roles/resourcemanager.folderAdmin)
Organization Administrator (roles/resourcemanager.organizationAdmin)
Project IAM Admin (roles/resourcemanager.projectIamAdmin)
You can learn more about which permissions are included with each of these roles in the Cloud IAM Documentation. I would suggest asking an Organization Administrator to assign the role Project IAM Admin to your user, as this role is very specific to providing permissions to administer Cloud IAM policies on projects only. They could also add the individual roles to the custom Project Owner role, and this would allow anyone in the organization who has the role assigned to manage IAM policies within their projects.
There are a few things happening here:
1. (Company name) Project Owner is a custom role saved on the Organization node. You need to have either roles/iam.roleViewer or roles/iam.securityReviewer on that custom role in order to see its details, such as the list of permissions.
2. It's greyed out because there is no recommendation. This can be because of one of these reasons: https://cloud.google.com/iam/docs/recommender-overview#availability
Hope that helps!

AWS root account cannot access organizational accounts

I am writing an application for AWS platform, which was planned to be launched from the root account, with root credentials. At this point I need to stop some of the machines started by the AWS organizations member accounts.
By default AWS Organizations doesn't give the root account access to view or manage resources in other member accounts. So I tried using temporary credentials and tried to assume a role created by the target account.
More on that here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html
However, it doesn't allow the root account to assume roles, and throws this exception:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 7bee7537-48e0-11e9-bb1a-bb36134736e4)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520) ~[aws-java-sdk-core-1.11.475.jar:na]
at...
Is there any way to get around this problem? For example, somehow give the root account access to everything, or let it assume roles?
Firstly, please don't use your Root account! Best practice is to remove access keys from the root account, add an MFA token and lock it away. We have a large AWS Organization structure and we don't use the root accounts for anything other than where it's absolutely required.
See the IAM Best Practices user guide, specifically the section: Lock Away Your AWS Account Root User Access Keys
For your described administrative purposes, use IAM Users.
IAM Users can assume Roles. Recommended steps:
Create IAM Group and attach the required policy for admin permissions. The AdministratorAccess policy is an easy pre-built policy that gives full admin access within the current account, but to assume roles into sub-accounts, all you really need to allow is the sts:AssumeRole action.
Creating Your First IAM Admin User and Group
Granting a User Permissions to Switch Roles
Create an IAM User and assign it to the IAM Group.
Adding and Removing Users in an IAM Group
Create the target Role in your sub-accounts with a Policy to allow actions in that sub-account and with a Trust Relationship defined for your IAM user in the master Org account.
Creating a Role to Delegate Permissions to an IAM User
NOTE: Sounds like you may already have this, but check the trust relationship to make sure.
Authenticate your app via IAM user credentials, temp credentials, etc.
NOTE: The temp credentials doc that you linked is for IAM Users, I'd recommend trying it again once you have a proper IAM user setup.
There are many ways to authenticate to AWS services, as another example see: Assuming an IAM Role in the AWS CLI
Additional: Not sure what you're building, but if appropriate, Consider Using Service-linked Roles to directly provide the app the specific permissions it needs, rather than dealing with user credentials.
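The answer's recommended setup rests on two policy documents and one STS rule: the IAM user's identity policy must allow sts:AssumeRole on the target role, the target role's trust policy must name that user (or its account), and the root user is refused by STS regardless. The following added example (not AWS code, and not an IAM simulator) builds both documents and evaluates them with a deliberately small subset of the policy language (Effect, Action, Resource and Principal only; no Condition keys; no wildcard matching beyond a bare "*"). Account IDs, the user name and the role name are constructed placeholders, and the helper names are assumptions of this example.

```python
"""Cross-account AssumeRole preconditions, modelled on the answer above.

Added example, not AWS code. Builds the identity policy (only sts:AssumeRole on
one role) and the role's trust policy, then checks a caller against both with a
minimal policy evaluator. All ARNs and account IDs are constructed placeholders.
"""
import json

MASTER_ACCOUNT = "111111111111"  # constructed: the Organizations management account
MEMBER_ACCOUNT = "222222222222"  # constructed: a member account holding the role
USER_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:user/app-operator"
ROOT_ARN = f"arn:aws:iam::{MASTER_ACCOUNT}:root"
TARGET_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/OrgInstanceOperator"


def assume_role_permissions_policy(role_arn):
    """Identity policy for the IAM user or group: only sts:AssumeRole on one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def trust_policy(trusted_principal_arn):
    """Trust relationship attached to the target role in the member account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(trusted, caller_arn):
    """Trust-policy principal matching, including account-level delegation.

    Trusting "123456789012" or arn:aws:iam::123456789012:root delegates to every
    principal in that account whose own identity policy allows the call; that is
    not the same as the root *user* calling AssumeRole, which STS refuses.
    """
    if trusted == "*" or trusted == caller_arn:
        return True
    if trusted.isdigit():
        return _account_of(caller_arn) == trusted
    if trusted.endswith(":root"):
        return _account_of(caller_arn) == _account_of(trusted)
    return False


def identity_allows(policy, action, resource):
    """Explicit Deny wins, then an explicit Allow, otherwise implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not any(a in ("*", action) for a in _as_list(st["Action"])):
            continue
        if not any(r in ("*", resource) for r in _as_list(st.get("Resource", "*"))):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(policy, caller_arn):
    for st in policy["Statement"]:
        principal = st.get("Principal", {})
        trusted = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if (st["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(st["Action"])
                and any(_principal_matches(p, caller_arn) for p in trusted)):
            return True
    return False


def can_assume(caller_arn, identity_policy, role_trust_policy, role_arn):
    """Combine the three checks the thread runs into; returns (ok, reason)."""
    if caller_arn.endswith(":root"):
        return False, "Roles may not be assumed by root accounts"
    if not identity_allows(identity_policy, "sts:AssumeRole", role_arn):
        return False, "caller's identity policy does not allow sts:AssumeRole on the role"
    if not trust_allows(role_trust_policy, caller_arn):
        return False, "role trust policy does not trust the caller"
    return True, "ok"


def demo():
    ident = assume_role_permissions_policy(TARGET_ROLE_ARN)
    trust = trust_policy(USER_ARN)
    return {
        "root_user": can_assume(ROOT_ARN, ident, trust, TARGET_ROLE_ARN),
        "iam_user": can_assume(USER_ARN, ident, trust, TARGET_ROLE_ARN),
        "other_role": can_assume(USER_ARN, ident, trust, f"arn:aws:iam::{MEMBER_ACCOUNT}:role/Other"),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(USER_ARN), indent=2))
    for name, result in demo().items():
        print(name, result)
```

Scoping the identity policy's Resource to one role ARN, rather than "*", is what keeps the operator user from assuming any role that happens to trust the management account; when reviewing a trust policy, note that an account-root principal widens the trust to the whole account and pushes the real control onto each caller's identity policy.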

Vault GCP Project Level Role Binding

I am trying to apply the role binding below to grant the Storage Admin Role to a GCP roleset in Vault.
resource "//cloudresourcemanager.googleapis.com/projects/{project_id_number}" {
roles = [
"roles/storage.admin"
]
}
I want to grant access to the project level, not a specific bucket so that the GCP roleset can access and read/write to the Google Container Registry.
When I try to create this roleset in Vault, I get this error:
Error writing data to gcp/roleset/my-roleset: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-roleset
Code: 400. Errors:
* unable to set policy: googleapi: Error 403: The caller does not have permission
My Vault cluster is running in a GKE cluster which has OAuth Scopes for all Cloud APIs, I am the project owner, and the service account Vault is using has the following permissions:
Cloud KMS CryptoKey Encrypter/Decrypter
Service Account Actor
Service Account Admin
Service Account Key Admin
Service Account Token Creator
Logs Writer
Storage Admin
Storage Object Admin
I have tried giving the service account both Editor and Owner roles, and I still get the same error.
Firstly, am I using the correct resource to create a roleset for the Storage Admin Role at the project level?
Secondly, if so, what could be causing this permission error?
I had previously recreated the cluster and skipped this step:
vault write gcp/config credentials=#credentials.json
Adding the key file fixed this.
There is also a chance that following the steps to create a custom role here and adding that custom role played a part.