GCP IAM: Binding role to Service Account fails - google-cloud-platform

I have created a ServiceAccount and a custom role from the GCP console.
However, when trying to associate them, it fails as below:
gcloud projects add-iam-policy-binding my-project \
--member serviceAccount:cloudrun-poc@my-project.iam.gserviceaccount.com \
--role roles/MyCustomRole
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/ClusterUpscaler is not supported for this resource.
Any ideas why?

You might have to create the role MyCustomRole before attempting to assign it. No clue why it complains about the role ClusterUpscaler, but there might not be a cluster present in that project... Besides, custom roles usually have names like projects/{project-id}/roles/{role-name}. They can also be listed:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID

You could run gcloud alpha iam policies lint-condition as the output suggests. For me, it was the missing gcloud "alpha" component.

Related

Assigning role to Group in GCP causing Role does not exist in the resource's hierarchy

I am trying to assign the role below to a group in GCP.
Role: Service Consumer
Role ID: roles/servicemanagement.serviceConsumer
Command:
gcloud projects add-iam-policy-binding Project_id --member=group:group1 --role=roles/servicemanagement.serviceConsumer
Error:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role (roles/servicemanagement.serviceConsumer) does not exist in the resource's hierarchy.
It appears that the service management roles are only applicable to Cloud Endpoints services:
gcloud endpoints services add-iam-policy-binding ${SERVICE} \
--member=group:${GROUP_EMAIL} \
--role=roles/servicemanagement.serviceConsumer
See: https://cloud.google.com/service-infrastructure/docs/service-management/access-control#managing_access_using_cloud_sdk
NOTE: (Google) Groups values should be an email address of the form name@somewhere.com.
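The two failures above (a project custom role referenced as a bare roles/NAME, and a role that is not grantable on a project at all) can both be caught before add-iam-policy-binding is called. The script below is an added example, not code from either answer: the project ID, role names and the grantable-role list are constructed placeholders, and in real use the list comes from gcloud iam list-grantable-roles as shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not from the original posts. Normalises a role name to the
# form gcloud expects and checks it against the roles that can be granted on
# the target resource, so a typo or a role that belongs to another resource
# type is caught before add-iam-policy-binding fails with
# "not supported for this resource" / "does not exist in the resource's hierarchy".
# Project ID, role names and SAMPLE_GRANTABLE are constructed placeholders.

# role_ref PROJECT ROLE
# Predefined roles are "roles/NAME"; project custom roles must be referenced
# as "projects/PROJECT/roles/NAME". A bare name is treated as a project
# custom role, which is the case the first question tripped over.
role_ref() {
  project=$1; role=$2
  case "$role" in
    roles/*|projects/*/roles/*|organizations/*/roles/*)
      printf '%s\n' "$role" ;;
    */*)
      printf 'role_ref: unrecognised role form: %s\n' "$role" >&2; return 1 ;;
    *)
      printf 'projects/%s/roles/%s\n' "$project" "$role" ;;
  esac
}

# is_grantable ROLE  (list of grantable role names on stdin, one per line,
# as printed by: gcloud iam list-grantable-roles RESOURCE --format='value(name)')
# Succeeds only on an exact, whole-line match.
is_grantable() {
  grep -qxF -- "$1"
}

# Constructed, trimmed stand-in for what list-grantable-roles prints for a
# project. roles/servicemanagement.serviceConsumer is deliberately absent:
# it is grantable on an Endpoints service, not on a project.
SAMPLE_GRANTABLE='roles/viewer
roles/editor
roles/container.admin
roles/iam.serviceAccountUser
projects/my-project/roles/MyCustomRole'

# check_binding_role PROJECT ROLE
# Resolves ROLE and verifies it is grantable; prints the value to pass to
# --role on success, a diagnostic on stderr otherwise.
check_binding_role() {
  ref=$(role_ref "$1" "$2") || return 1
  if printf '%s\n' "$SAMPLE_GRANTABLE" | is_grantable "$ref"; then
    printf '%s\n' "$ref"
  else
    printf 'role %s is not grantable on projects/%s\n' "$ref" "$1" >&2
    return 1
  fi
}

# Against a live project, replace SAMPLE_GRANTABLE with real output:
#   gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/my-project \
#       --format='value(name)' | is_grantable "$(role_ref my-project MyCustomRole)"
```

The resolved reference is what goes into --role; for the first question that is projects/my-project/roles/MyCustomRole rather than roles/MyCustomRole, and for the second the check fails on a project and succeeds only when the list is taken from //servicemanagement.googleapis.com/services/SERVICE.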

GCP: what permissions does the viewer role have?

I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, the docs say it is a read-only role, but it seems it has a lot of restrictions. What are the exact permissions of the viewer role?
To list the permissions that a role contains, use the CLI:
gcloud iam roles describe roles/editor
Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.
You can use the gcloud command below for roles/viewer:
gcloud iam roles describe roles/viewer
You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands.
Granting access:
To quickly grant a role to a member, run the following gcloud add-iam-policy-binding command:
gcloud projects add-iam-policy-binding my-project --member=user:my-user@example.com --role=roles/viewer
gcloud projects add-iam-policy-binding my-project --member=user:my-user@example.com --role=roles/editor
Revoking access:
gcloud projects remove-iam-policy-binding my-project --member=user:my-user@example.com --role=roles/viewer
For more information, you can also refer to the gcloud iam roles describe reference, the roles documentation, and "Granting, changing, and revoking access to resources".
You should also bear in mind the concept of 'convenience values' that apply to Basic Roles.
In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command:
gcloud iam roles describe roles/viewer
In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependent on whether Uniform Bucket-Level Access is configured).

gcloud - check member has a role on a resource

I am trying to remove a certain permission on google cloud functions using a for loop in gitlab ci.
for i in "${!CFS[@]}"; do
  gcloud functions remove-iam-policy-binding "${API_VERSION}-${CFS[$i]}" --member="${MEMBER}" --role="${ROLE}"
done
The issue is that if the resource does not have the given role, for the member I am getting an error.
ERROR: (gcloud.functions.remove-iam-policy-binding) Policy binding with the specified member and role not found!.
I want to avoid this situation by checking if the member has the given role on the resource before executing the remove-iam-policy-binding gcloud command. Is there a way to check if a permission exists for a member on a given resource before removing it?
I was able to achieve this using the gcloud functions get-iam-policy and filtering the permission and role I wanted. If the role is set for the given user then I remove it.
for i in "${!CFS[@]}"; do
  for mem in $(gcloud functions get-iam-policy "${CFS[$i]}" --flatten="bindings[].members" --filter="bindings.role:roles/cloudfunctions.invoker" --format="value(bindings.members)")
  do
    echo "$mem"
    gcloud functions remove-iam-policy-binding "${CFS[$i]}" --member="$mem" --role="roles/cloudfunctions.invoker"
  done
done
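A check-then-remove helper that only calls remove-iam-policy-binding when the exact (member, role) pair is present, written as an added example rather than code from the question or the answer. The flattened policy text is a constructed stand-in for what gcloud functions get-iam-policy prints with --flatten and --format='value(bindings.role,bindings.members)'; the function, member and role names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Calls
# remove-iam-policy-binding only when MEMBER actually holds ROLE on the
# resource, so a CI loop never aborts on "Policy binding with the specified
# member and role not found". Function, member and role names are placeholders.

# Command used to change the policy; set GCLOUD=echo for a dry run.
GCLOUD=${GCLOUD:-gcloud}

# Constructed stand-in for the flattened policy of one function, in the shape
#   gcloud functions get-iam-policy FUNCTION \
#     --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# prints: one "ROLE<TAB>MEMBER" line per (role, member) pair.
sample_policy() {
  printf 'roles/cloudfunctions.invoker\tserviceAccount:ci@my-project.iam.gserviceaccount.com\n'
  printf 'roles/cloudfunctions.invoker\tuser:alice@example.com\n'
  printf 'roles/cloudfunctions.viewer\tuser:bob@example.com\n'
}

# member_has_role MEMBER ROLE  (flattened policy on stdin)
# Exact match on both fields, unlike the ":" filter operator, so
# roles/cloudfunctions.invoker is not confused with a custom role whose
# name merely contains it.
member_has_role() {
  awk -F '\t' -v m="$1" -v r="$2" \
    '$1 == r && $2 == m { found = 1 } END { exit !found }'
}

# remove_binding_if_present FUNCTION MEMBER ROLE  (flattened policy on stdin)
# Prints "removed" or "absent" so the caller can log the outcome.
remove_binding_if_present() {
  fn=$1; member=$2; role=$3
  if member_has_role "$member" "$role"; then
    "$GCLOUD" functions remove-iam-policy-binding "$fn" \
      --member="$member" --role="$role" >/dev/null || return 1
    echo removed
  else
    echo absent
  fi
}

# In the CI loop the live policy is piped in (bash arrays as in the question):
#   for fn in "${CFS[@]}"; do
#     gcloud functions get-iam-policy "$fn" --flatten='bindings[].members' \
#         --format='value(bindings.role,bindings.members)' \
#       | remove_binding_if_present "$fn" "$MEMBER" "$ROLE"
#   done
```

The read-then-remove is two API calls, so two pipelines editing the same function's policy at the same time can still race; the remove step itself is protected by the policy's etag, so the worst case is the original "not found" error rather than a lost update.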

Unable to create google project with Terraform

I'm following the Google GKE and SQL with terraform tutorial
But I'm not able to create a google_project.project.
I have tried both as the owner of the project and as the service described in the tutorial. Both attempts end with this error:
Error: Error applying plan:
1 error(s) occurred:
* google_project.project: 1 error(s) occurred:
* google_project.project: error creating project terraform-dev-357aa670
(terraform-dev): googleapi: Error 403: User is not authorized., forbidden.
If you received a 403 error, make sure
you have the `roles/resourcemanager.projectCreator` permission
I would think that I had the correct permissions as the project owner, but apparently not.
Here's how I created the service account:
$ gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/resourcemanager.projectCreator
Updated IAM policy for organization [00000].
bindings:
- members:
- domain:my-domain.no
role: roles/billing.creator
- members:
- serviceAccount:terraform@my-domain-terraform-admin-3.iam.gserviceaccount.com
- serviceAccount:terraform@my-domain-terraform-admin.iam.gserviceaccount.com
role: roles/billing.user
- members:
- domain:min-familie.no
- serviceAccount:terraform@my-domain-terraform-admin-3.iam.gserviceaccount.com
- serviceAccount:terraform@my-domain-terraform-admin.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
etag: BwWJxJTDnQs=
version: 19d
Creating a project "manually" works.
$ gcloud projects create ${TF_ADMIN}.
Any ideas what might be wrong?
In order to create folders and projects, your account needs to have the respective permissions and, of course, you need to make sure that you are using the right account.
First make sure the user has the right permissions:
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your@email.com --role=roles/billing.admin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your@email.com --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your@email.com --role=roles/resourcemanager.folderCreator
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your@email.com --role=roles/resourcemanager.projectCreator
Then make sure you set the application defaults and login to exactly this account:
gcloud auth application-default login
Then set a project that the API calls will be billed to by default. Read more about this here. If you don't set this, you might get a quota error when you run terraform apply.
gcloud auth application-default set-quota-project SOME_BILLING_PROJECT
I had the exact same problem!
Steps that solved this problem for me:
Downloaded the key for that Service Account (Using GCP Console) to : /Users/johndoe/sa.json
export GOOGLE_APPLICATION_CREDENTIALS=/Users/johndoe/factory.json
terraform apply
Hope this works for you.
Found the solution from Seth Vargo here:
https://github.com/sethvargo/vault-on-gke/issues/16
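Both answers above come down to the same check: the credentials Terraform actually loads must belong to the account that was granted the roles. The script below is an added example, not code from either answer. It reports which file the Application Default Credentials lookup will use (GOOGLE_APPLICATION_CREDENTIALS first, then the application_default_credentials.json written by gcloud auth application-default login) and what identity or quota project that file holds. The gcloud config path assumes a Unix-style layout, and the JSON extraction is a deliberately crude sed over the flat key-file format; the key files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original answers. Shows which credential file
# Application Default Credentials will load and whose identity it carries, so
# "User is not authorized" can be traced to the account actually in use
# rather than the one the roles were granted to.
# Assumptions: Unix-style gcloud config directory; credential files have the
# flat layout gcloud and the console produce, so a sed extractor is enough.

# json_field NAME  (file on stdin) : value of the top-level string field NAME.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# credential_source : the path ADC will try, in lookup order.
credential_source() {
  if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
    echo "$GOOGLE_APPLICATION_CREDENTIALS"
  else
    # Written by: gcloud auth application-default login
    echo "${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json"
  fi
}

# describe_credential FILE
#   "service_account EMAIL"                 for a downloaded key file
#   "authorized_user quota_project=ID|none" for an ADC login file
describe_credential() {
  [ -r "$1" ] || { echo "cannot read credential file: $1" >&2; return 1; }
  ctype=$(json_field type < "$1")
  case "$ctype" in
    service_account)
      echo "service_account $(json_field client_email < "$1")" ;;
    authorized_user)
      # Set by: gcloud auth application-default set-quota-project PROJECT
      qp=$(json_field quota_project_id < "$1")
      echo "authorized_user quota_project=${qp:-none}" ;;
    *)
      echo "unknown credential type '$ctype' in $1" >&2; return 1 ;;
  esac
}

# preflight : one line saying what terraform apply will run as.
preflight() {
  f=$(credential_source)
  echo "$f: $(describe_credential "$f")"
}
```

Run preflight before terraform apply and compare the printed email with the members in the organization policy above. A downloaded service-account key is a long-lived secret; granting the roles to your own user and logging in with gcloud auth application-default login, or impersonating the service account with gcloud auth application-default login --impersonate-service-account=EMAIL on gcloud versions that support it, avoids keeping one on disk.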

GCP : Unable to create a k8s cluster with a custom service account

I created a specific service account in GCP for provisioning clusters in my project :
gcloud iam service-accounts create [sa_name]
gcloud projects add-iam-policy-binding \
[project_id] \
--role=roles/container.admin \
--member=serviceAccount:[sa_name]@[project_id].iam.gserviceaccount.com
gcloud iam service-accounts keys create [keyfile_name] \
--iam-account=[sa_name]@[project_id].iam.gserviceaccount.com
gcloud auth activate-service-account --key-file=[keyfile_name]
When I run the command gcloud container clusters create [cluster_name]
I always get :
ERROR: (gcloud.container.clusters.create) ResponseError: code=403,
message=Required "container.clusters.create" permission(s) for
"projects/context-platform-staging". See
https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted
for more info.
As you can see, I use roles/container.admin but I even tried to apply the roles/editor and roles/owner to this service account, same behavior.
The only way this command works so far is to use my main google owner account (not a service account).
What am I missing here ?
From the error message, I understood that the service account does not have the permission "container.clusters.create".
Please add the "Container Engine Cluster Admin" and also the "Container Engine Admin" roles to the service account that the cluster is being created with.
To create a cluster, you need the "container.clusters.create" permission on the project. You also need to assign the role "roles/iam.serviceAccountUser" to the user who will use the service account. In this way, the user can access GKE's service account.
For more information and in-depth tutorial, please refer to this article in the GCP documentation.
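The earlier question about what roles/viewer actually contains and this one about whether the service account's role carries container.clusters.create both reduce to inspecting the includedPermissions list that gcloud iam roles describe prints. The helpers below are an added example, not code from the answers: the permission lists are constructed, heavily trimmed stand-ins for the real roles (the answer above puts Editor at over four thousand entries), and in real use the sample_role body is replaced by the gcloud call shown in its comment.

```shell
#!/bin/sh
# Added example, not from the original answers. Helpers over the output of
#   gcloud iam roles describe ROLE --format='value(includedPermissions)'
# (add --project=PROJECT_ID for a project custom role), which prints the
# role's permissions as one ';'-separated line.

# Constructed, trimmed stand-ins for three roles; the real lists are far
# longer. Against a live project replace the body with:
#   gcloud iam roles describe "$1" --format='value(includedPermissions)'
sample_role() {
  case "$1" in
    roles/viewer)
      echo 'compute.instances.get;compute.instances.list;resourcemanager.projects.get;storage.buckets.get' ;;
    roles/editor)
      echo 'compute.instances.create;compute.instances.get;compute.instances.list;resourcemanager.projects.get;storage.buckets.get;storage.objects.create' ;;
    roles/container.admin)
      echo 'container.clusters.create;container.clusters.delete;container.clusters.get;container.clusters.list' ;;
    *)
      echo "sample_role: no constructed sample for $1" >&2; return 1 ;;
  esac
}

# perms_from_describe  (describe output on stdin) : one permission per line,
# sorted in the C locale so the lists can be compared with comm(1).
perms_from_describe() {
  tr ';' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# role_has_permission ROLE PERMISSION : exit 0 iff ROLE lists PERMISSION.
# Only what the role itself lists is checked; basic roles such as
# roles/viewer also get legacy bucket/object access through convenience
# values, and those never appear in includedPermissions.
role_has_permission() {
  sample_role "$1" | perms_from_describe | grep -qxF -- "$2"
}

# extra_perms ROLE_A ROLE_B : permissions ROLE_B has that ROLE_A lacks,
# e.g. what Editor adds on top of Viewer.
extra_perms() {
  a=$(mktemp) || return 1
  b=$(mktemp) || { rm -f "$a"; return 1; }
  sample_role "$1" | perms_from_describe > "$a"
  sample_role "$2" | perms_from_describe > "$b"
  LC_ALL=C comm -13 "$a" "$b"
  rm -f "$a" "$b"
}
```

For the cluster-creation error, role_has_permission roles/container.admin container.clusters.create confirms the role itself is sufficient, which points the investigation at which identity gcloud is actually running as (gcloud auth list) rather than at the role; for the viewer question, extra_perms roles/viewer roles/editor is a quick way to see what the read-only role withholds, bearing in mind the convenience-value caveat in the comment.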