I am trying to find in the official GCP documentation the exact permission (not Role) that corresponds to the ability to invoke this command
gcloud container clusters resize
The list does not include such a permission.
Any suggestion about the least privilege that needs to be granted for such an operation?
gcloud container clusters resize operation probably needs the caller to have container.clusters.update permission. You can find this permission in the following predefined roles :
Kubernetes Engine Admin (roles/container.admin)
Kubernetes Engine Cluster Admin (roles/container.clusterAdmin)
See Kubernetes Engine roles. I have not listed other roles containing this permission because they are too broad (roles/owner, roles/editor) or not appropriate (roles/composer.worker).
Based on the principle of least privilege and if you want to keep things simple using predefined roles, your user only needs to be granted roles/container.clusterAdmin because roles/container.clusterAdmin role contains a subset of roles/container.admin permissions.
Additionally, if you want/need to be more restrictive, you could also create a custom role with only the permission you need.
Related
Background
By default, Cloud Run uses the Compute Engine default service account which grants a broad range of permissions which are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
Create a role with the desired set of permissions (using gcloud iam roles create)
Create a service account (using gcloud iam service-accounts create)
Bind the role permissions to the service account.
Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three way binding between an user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition of user managed service account, but it's not mandatory. You can also create a user managed service account and bind it with predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path for the role
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>
After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.
At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles.
I search for the permission, then scroll up to the see the role name and all the other permissions in that role.
It works but is slow for what must be a common task.
Is there a better web page or a gcloud api command that would work better.
The GCP documentation offers a (huge) page that allows you to identify the different roles that grant them.
In addition to the page you cited you can later, using the gcloud CLI, describe a role and see the different permissions it grants. For example:
gcloud iam roles describe roles/iam.roleViewer
The command will output:
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
AFAIK, the gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.
Based on GCP documentation one can check the pre-defined roles given a permission
I'm trying to list all my GCP projects under the organization using IAM Custom Role and assign it to my new Service Account.
Could you let me know what exactly permissions should I add to this role for fine-grained access?
I also don't want to use these default permissions:
roles/viewer
roles/editor
roles/owner
According to Google's documentation about access control for projects :
When creating a Custom Role for use with Resource Manager, be aware of the following points:
List and get permissions, such as resourcemanager.projects.get/list, should always be granted as a pair.
When your Custom Role includes the folders.list and folders.get permissions, it should also include projects.list and projects.get.
So in order to be able to list every projects of an organisation, you'll need to provide the following permissions to your Custom Role:
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.folders.get
resourcemanager.folders.list
Also, please note that the predefined role roles/browser regroup most of this scope without being overly permissive.
Granting new rights to a user or a Service Account is not necessarily immediate and may take up to 5/10min in order to be propagated.
I want to run my google cloud server everyday on specific times. I set up an instance schedule for that but when i try to link my vm to the schedule it gives me the following error:
Compute Engine System service account service-390738840624#compute-system.iam.gserviceaccount.com needs to have [compute.instances.start] permissions applied in order to perform this operation.
Does anyone know how to solve this?
The service account service-390738840624#compute-system.iam.gserviceaccount.com does not have a role with the permission compute.instances.start.
The following IAM roles have the required permission:
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
The following command will add the first role to the service account:
Replace $PROJECT_ID with your Project ID (not the project name).
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:service-390738840624#compute-system.iam.gserviceaccount.com \
--role roles/compute.instanceAdmin
Your account for which you are running the command, must have the privilege to grant/modify IAM roles on a service account. If you do not have the correct permissions, you will need to ask the Project Owner or Editor to perform this for you.
The CLI answer works but in case you dont use terminal here are the steps directly on the platform:
go to IAM
on the right side of the screen select "Include Google-provided role grants"
Find Principal that contain text "compute-system.iam.gserviceaccount.com"
edit (with little pen on the right)
from the popup shown select "+Add another role", select role "Compute Instance Admin" (can show beta or v1 in the brackets)
this fixed my issue
In order to complete the task, GCP is asking you to give the service account “service-390738840624#compute-system.iam.gserviceaccount.com” access to use “compute.instances.start” but the service account doesn't have the right permissions to execute the task.
When you set up an instance to run as a service account, you determine
the level of access the service account has by the IAM roles that you
grant to the service account. If the service account has no IAM roles,
then no API methods can be run by the service account on that
instance.
To grant, change, and revoke access to a single service account, please refer to this guide.
Be aware that to manage access to a service account, you need a role that includes the following permissions:
*iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy*
If you want to know which are the permission included in your account, please refer to this guide.
If you don't have the appropriate access to grant permissions, please refer to your system administrator.
To know more about compute engine roles and permissions, please follow this link.
If you wish to know more about services accounts, please follow this link.
To know more about the process of scheduling compute instances with Google Scheduler, please follow this link.
I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?
You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the gcloud CLI you can create a custom role with
gcloud iam roles create, i.e:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer, for the
project ID example-project-id-1, containing only the permission
storage.buckets.get. Replace these values as desired and
accordingly.
Once done, you can assign this custom role also with a single gcloud
command by using gcloud projects add-iam-policy-binding:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:test-proj1#example.domain.com' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1 with your project ID, and
test-proj1#example.domain.com with the actual name of the service
account you want to assign the role to.
You most likely don't want to assign single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick existing one, or create own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.