How can I make AI Platform deployed model publicly accessible? - google-cloud-ml

I have created a model and deployed it to Cloud AI Platform Predictions (ML Engine).
How can I make the REST end-point publicly accessible? Right now, it is visible only within my project.

First create a policy.yaml with the following contents:
bindings:
- members:
- group:allAuthenticatedUsers
role: roles/ml.modelUser
Then, set the IAM policy of the model:
gcloud ai-platform models set-iam-policy my_model --project=my_project policy.yaml
You can use the same method to restrict to a specific Google Group of users from a specific domain
bindings:
- members:
- group:admins#example.com
- domain:example.com
role: roles/ml.modelUser
- members:
- user:sean#example.com
role: roles/ml.modelUser

Related

Permission 'iam.serviceaccounts.actAs' denied on service account when deploying on cloud run

When I try to deploy my docker image on cloud run with the command:
gcloud run deploy --image $MULTI_REGION/$PROJECT/$IMAGE --memory $MEMORY --region $REGION --env-vars-file .env.yaml
I got the error message :
Deploying container to Cloud Run service [image-name] in project [wagon-bootcamp-352706] region [europe-west1]
X Deploying new service...
. Creating Revision...
. Routing traffic...
. Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) User [demange.louis#hotmail.fr] does not have permission to access namespaces instance [wagon-bootcamp-352706] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account 942802053669-compute#developer.gserviceaccount.com (or it may not exist).
To check the permissions of the project, I use gcloud projects get-iam-policy wagon-bootcamp-352706:
bindings:
- members:
- serviceAccount:service-942802053669#gcp-sa-artifactregistry.iam.gserviceaccount.com
role: roles/artifactregistry.serviceAgent
- members:
- serviceAccount:service-942802053669#containerregistry.iam.gserviceaccount.com
role: roles/containerregistry.ServiceAgent
- members:
- user:demange.louis#hotmail.fr
role: roles/iam.serviceAccountUser
- members:
- serviceAccount:service-942802053669#cloud-ml.google.com.iam.gserviceaccount.com
role: roles/ml.serviceAgent
- members:
- user:demange.louis#hotmail.fr
role: roles/owner
- members:
- serviceAccount:service-942802053669#gcp-sa-pubsub.iam.gserviceaccount.com
role: roles/pubsub.serviceAgent
- members:
- serviceAccount:service-942802053669#serverless-robot-prod.iam.gserviceaccount.com
role: roles/run.serviceAgent
- members:
- user:demange.louis#hotmail.fr
role: roles/storage.admin
- members:
- user:demange.louis#hotmail.fr
role: roles/storage.objectAdmin
- members:
- user:demange.louis#hotmail.fr
role: roles/storage.objectCreator
I also checked that the project 'wagon-bootcamp-352706' was the good one.
I also checked in container registry that my image 'image-name' was well pushed :
image-name eu.gcr.io Private
As a conclusion, permissions should be effective, no problem with the previous push, no problem with the project name. The only thing which remains unclear is this 'account 942802053669-compute#developer.gserviceaccount.com' which is mentioned in the error message, it does not belong to me and I don't know what it is. Does someone have an idea of the problem ? Thanks in advance.
Best regards,
Louis Demange
The issue is that the Service Account 942802053669-compute#developer.gserviceaccount.com does not exist because the Compute Engine API has not been enabled (maybe) or you have deleted it.
You have two options:
Enable the Compute Engine API by going for example to Compute Engine section.
If you deleted the Compute Engine default SA you can recover it (if it was deleted at most 30 days ago) or use another Service Account that exists to be used with Cloud Run.

How to add IAM Condition access using Google Deployment Manager

I was trying to setup for GCS bucket using deployment manager template but cannot find how to setup condition.
https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/dm/templates/gcs_bucket/gcs_bucket.py
As advised by Tanjin the code snippet is already included in the namespace you have shared.
You will also need to add the accessControl section to the top-level configuration for each resource for which you want to apply access control policies.
Here is the code sample:
resources:
- name: a-new-pubsub-topic
type: pubsub.v1.topic
properties:
...
accessControl:
gcpIamPolicy:
bindings:
- role: roles/pubsub.editor
members:
- "user:alice#example.com"
- role: roles/pubsub.publisher
members:
- "user:jane#example.com"
- "serviceAccount:my-other-app#appspot.gserviceaccount.com"
You can also check this link for the official GCP guide on that setup.

Google Cloud VM instance Share

I have two vm instance . I want to give permission as compute admin to different users for both machines. Means two different owner of two Instance.
At Google Cloud Next 2018, Google announced Compute Engine resource-level IAM.
Inside a same project, you can now grant directly different roles to your Compute VMs to different users. If your use-case is to have 2 users (user1#mydomain.com and user2#mydomain.com), each one admin of a specific instance (relatively instance1 and instance2), you can define the following YAML files :
# instance1_policy.yaml
bindings:
- members:
- user:user1#mydomain.com
role: roles/compute.admin
and
# instance2_policy.yaml
bindings:
- members:
- user:user2#mydomain.com
role: roles/compute.admin
And apply the policies (merge the following files with the existing VMs IAM policies if you need so, check by using gcloud compute instances get-iam-policy before) :
gcloud compute instances set-iam-policy --zone=<INSTANCE1_ZONE> instance1 instance1_policy.yaml
gcloud compute instances set-iam-policy --zone=<INSTANCE2_ZONE> instance2 instance2_policy.yaml
Note also that IAM policies applying on your project can interfer with these policies. For example, if user1#mydomain.com have roles/compute.admin role on the project, then he may also have access to instance2, "ignoring" your policy on instance2 VM (he have inherited roles/compute.admin role from the project).

How to allow Allow full access to all Cloud APIs (For Cloud API access scopes) from Deployment jinja template in google cloud platform

I am new to GCP and want to create a Test drive. I have been trying to create a VM instance from an existing image from a deployment template and am successful in doing so. I followed This doc, but I want to allow full access to all Cloud APIs for Cloud API access scopes.This is the image which shows the feature of VM instance.
I want to enable it from my jinja template file (YML format file)
You have to setup up the appropriate scope for your serviceAccounts when you create the instance:
- name: {{ vmName }}
type: compute.v1.instance
properties:
...
serviceAccounts:
- email: default
scopes:
- https://www.googleapis.com/auth/cloud-platform
...
use cloud-platform scope to allow full access to all Cloud APIs.
You need to add the --scope flag. If you exclude this flag, the instance is created with default API access. The --scope flag is followed by a comma separated list of scope aliases or URLs. You'll have to list each API you want enabled on the instance.

How can I allow a user to become an actor of a service account in Google Cloud Platform (GCP)?

I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:
$ gcloud projects get-iam-policy myproject
bindings:
- members:
- serviceAccount:123456789012-compute#developer.gserviceaccount.com
role: roles/editor
- members:
- user:me#myemail.com
role: roles/owner
- members:
- serviceAccount:bucket-viewer-service-account#myproject.iam.gserviceaccount.com
role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1
I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:
$ gcloud iam service-accounts add-iam-policy-binding \
bucket-viewer-service-account#myproject.iam.gserviceaccount.com \
--member='user:test.gcp1#myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
- user:user:test.gcp1#myemail.com
role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=
Is that all I have to do so that the user test.gcp1#myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?
I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.
The iam.serviceAccountActor role gives users the ability to create and manage compute engine instances that use a service account.
I could be misunderstanding something, but if you want to give someone permission to directly act as a service account, the most straightforward way would probably be to create a private key file for the service account that represents that particular user acting as that service account, and then giving them that private key file.
Giving a user the Service Account Actor role does not give access transitively, like you're suggesting. Instead, it allows a user to "use" the service account to start long-running jobs (e.g. creating a compute engine instance) that have that service account as an identity.
iam.serviceAccountActor role deprecated, you need to use Service Account User role
See More details
Apparently, the test.gcp1#myemail.com will not be able to get the privileges this way when you're running commands from your Terminal. A straightforward solution to this problem is to create and use Keys (similar to "Access Keys" in AWS). The following steps describe how you can achieve this:
Create "Keys" for your service account:
gcloud iam service-accounts keys create KEY-FILE-NAME.json --iam-account=SA-NAME#PROJECT-ID.iam.gserviceaccount.com
Load the "Keys" in your terminal by adding the following environment variable (in .bashrc or equivalent file for your OS):
export GOOGLE_APPLICATION_CREDENTIALS="/file-location/KEY-FILE-NAME.json"
Open a new terminal (or source your environment variable file) and execute CLI commands which will now be executed as your service account.
PS: Do note that the creation of "Keys" poses a considerable risk to the security of your cloud account. Ensure that the service account has minimum GCP Roles (i.e. privileges/policies) added and make sure to delete the keys when they are no longer required.