I have two vm instance . I want to give permission as compute admin to different users for both machines. Means two different owner of two Instance.
At Google Cloud Next 2018, Google announced Compute Engine resource-level IAM.
Inside a same project, you can now grant directly different roles to your Compute VMs to different users. If your use-case is to have 2 users (user1#mydomain.com and user2#mydomain.com), each one admin of a specific instance (relatively instance1 and instance2), you can define the following YAML files :
# instance1_policy.yaml
bindings:
- members:
- user:user1#mydomain.com
role: roles/compute.admin
and
# instance2_policy.yaml
bindings:
- members:
- user:user2#mydomain.com
role: roles/compute.admin
And apply the policies (merge the following files with the existing VMs IAM policies if you need so, check by using gcloud compute instances get-iam-policy before) :
gcloud compute instances set-iam-policy --zone=<INSTANCE1_ZONE> instance1 instance1_policy.yaml
gcloud compute instances set-iam-policy --zone=<INSTANCE2_ZONE> instance2 instance2_policy.yaml
Note also that IAM policies applying on your project can interfer with these policies. For example, if user1#mydomain.com have roles/compute.admin role on the project, then he may also have access to instance2, "ignoring" your policy on instance2 VM (he have inherited roles/compute.admin role from the project).
Related
I'm trying to setup an auto stop/start of some of my VMs in GCP and I already have an VM admin permission but when adding a VM to a instance schedule created I'm getting below error:
Compute Engine System service account service-5424xxxxxxx#compute-system.iam.gserviceaccount.com needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation.
The problem is that the service service-5424xxxxxxx#compute-system.iam.gserviceaccount.com does not have a role that contains the permissions compute.instances.start and compute.instances.stop.
The following roles contain that permission:
Compute Instance Admin - roles/compute.instanceAdmin
Compute Instance Admin (v1) - roles/compute.instanceAdmin.v1
Use the Google Cloud Console GUI to add the desired role or use the CLI:
gcloud projects add-iam-policy-binding REPLACE_WITH_PROECT_ID \
--member "serviceAccount:service-5424xxxxxxx#compute-system.iam.gserviceaccount.com" \
--role "roles/compute.instanceAdmin.v1"
Of course, use the correct service account email address.
Is there a way to define an IAM policy or custom role to allow access to certain cloud storage buckets for a project instead of having to add the user for each individual bucket?
Create a custom role as per your requirement and write a shell script to grant a role to a member.
Example -
#!/bin/bash
members=(member1 member2 member3)
for i in “${members[#]}”
do
gcloud projects add-iam-policy-binding my-project \
--member=user:$i --role=role-id
done
The above script will bind the role to members.
gcloud command -
gcloud group add-iam-policy-binding resource \
--member=member --role=role-id
Group: The gcloud tool group for the resource you want to update. For
example, you can use projects or organizations.
resource: The name of the resource.
Member: An identifier for the member, An identifier for the member,
For example, user:my-user#example.com/.
I am trying to launch a notebook instance in AI platform but getting this error:
You are missing at least one of the following required permissions:
Project
compute.instances.list
But for the current project within the role as defined by project owner this permission has already been given apart from other compute instance permissions.
But still gives the permission error.
Thanks for help in advance
The service account used to create a notebook instance in Google AI platform is the default Compute Engine service account which has the primitive roles/editor.
Permission: Compute Engine default service account
The Compute Engine default service account is created with the Cloud
IAM project editor role, but you can modify the service account's
roles to securely limit which Google APIs the service account can
access.
You can check that the roles/editor includes compute.instances.list :
gcloud iam roles describe roles/editor | grep compute.instances.list
For troubleshooting check:
If you have the default compute service account:
gcloud iam service-accounts list | grep compute#developer.gserviceaccount.com
gcloud iam service-accounts describe your-project-number-compute#developer.gserviceaccount.com
Check the roles of the default compute service account:
gcloud projects get-iam-policy your-project --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:your-project-number-compute#developer.gserviceaccount.com"
Assuming you are the owner of the project, you should be able to create a new notebook instance with the default compute engine service account.
i have accidently deleted my Service accounts on gcp that was created on the time of compute API enabling , now i disabled and enabled it many times but its not creating new Service accounts .
now i am getting this error :
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? YERROR: (gcloud.compute.instances.create) Could not fetch resource: - The resource 'does_not_exist#invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.
deactivate the compute API
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? Y
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The resource 'does_not_exist#invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.
To have the Compute Engine default service account back after its accidental deletion you must contact the Compute Engine team as it’s explained in the following documentation.
Meanwhile, if you want to keep working on that project, you can create another service account and associate it with the same role, for example, that the Compute Engine default service account had.
This role, named editor, is of the primitive type and you can find more about it here.
In this way, you will be able to create Compute Engine instances. Just follow this steps:
Set some variables;
zone=us-central1-b
PROJECT_NUMBER=$(gcloud projects describe $DEVSHELL_PROJECT_ID --format="value(projectNumber)")
sa_name=no-clone-$PROJECT_NUMBER-compute
Create a new service account and update project IAM policy by adding to it a binding between that service account and the primitive role explained above;
gcloud iam service-accounts create $sa_name --display-name="Work around deletion of Compute Engine default service account"
sa=$(gcloud iam service-accounts list --filter=$sa_name --format="value(email)")
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member="serviceAccount:$sa" --role="roles/editor"
Create a new instance with the newly-created service account and test it out;
gcloud compute instances create test01 --zone=$zone --quiet --service-account=$sa
gcloud compute ssh test01 --zone=$zone --command="cat /etc/os-release"
For more background in Identity and Access Management refer to this documentation.
Try using gcloud app repair:
gcloud beta app repair - restores required App Engine features to the current application
I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:
$ gcloud projects get-iam-policy myproject
bindings:
- members:
- serviceAccount:123456789012-compute#developer.gserviceaccount.com
role: roles/editor
- members:
- user:me#myemail.com
role: roles/owner
- members:
- serviceAccount:bucket-viewer-service-account#myproject.iam.gserviceaccount.com
role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1
I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:
$ gcloud iam service-accounts add-iam-policy-binding \
bucket-viewer-service-account#myproject.iam.gserviceaccount.com \
--member='user:test.gcp1#myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
- user:user:test.gcp1#myemail.com
role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=
Is that all I have to do so that the user test.gcp1#myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?
I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.
The iam.serviceAccountActor role gives users the ability to create and manage compute engine instances that use a service account.
I could be misunderstanding something, but if you want to give someone permission to directly act as a service account, the most straightforward way would probably be to create a private key file for the service account that represents that particular user acting as that service account, and then giving them that private key file.
Giving a user the Service Account Actor role does not give access transitively, like you're suggesting. Instead, it allows a user to "use" the service account to start long-running jobs (e.g. creating a compute engine instance) that have that service account as an identity.
iam.serviceAccountActor role deprecated, you need to use Service Account User role
See More details
Apparently, the test.gcp1#myemail.com will not be able to get the privileges this way when you're running commands from your Terminal. A straightforward solution to this problem is to create and use Keys (similar to "Access Keys" in AWS). The following steps describe how you can achieve this:
Create "Keys" for your service account:
gcloud iam service-accounts keys create KEY-FILE-NAME.json --iam-account=SA-NAME#PROJECT-ID.iam.gserviceaccount.com
Load the "Keys" in your terminal by adding the following environment variable (in .bashrc or equivalent file for your OS):
export GOOGLE_APPLICATION_CREDENTIALS="/file-location/KEY-FILE-NAME.json"
Open a new terminal (or source your environment variable file) and execute CLI commands which will now be executed as your service account.
PS: Do note that the creation of "Keys" poses a considerable risk to the security of your cloud account. Ensure that the service account has minimum GCP Roles (i.e. privileges/policies) added and make sure to delete the keys when they are no longer required.