I have created a notebook instance in Google Cloud AI Platform.
I must be missing something super obvious, but could someone tell me how to give a user account permission to access JupyterLab? I can access it myself with my Google account, but other users cannot, even with Compute Engine Admin set.
When the user clicks on "Open Jupyter Lab" on the instance, a 403 appears.
Thanks,
Currently, the only role accepted to access an AI Platform Notebook is the project Editor role; therefore, you must grant this role to the users who want to access your Jupyter Notebook.
Additionally, there is a Feature Request filed with the AI Platform team requesting more granular/restrictive permissions to access an AI Platform Notebook.
It seems like iam.serviceAccountUser in combination with compute.admin is sufficient now.
I was able to create a no-permission service account and then use that to create a new AI Platform Notebook instance. Please ensure that the [notebooks.googleapis.com] API is enabled on your project. Once the notebook is created, you can visit the JupyterLab URL. When you try to do any operation from the JupyterLab console, it gives an error because the service account doesn't have any permission. You can now associate the required roles/permissions to the service account that would be needed to perform your data science application, like GCS Read/Write, BQ Read/Write, etc.
If you want to share the URL with a team member without them accessing the AI Platform Notebook page, you can do so by associating the "iam.serviceAccounts.actAs" permission to the service account.
Related
I got a developer intern. I need him to access a GCP paid VM instance I created so he can start developing. He should have root access through sudo, and preferably his own Linux username account so we can see his files when he clones repos, installs services, etc.
He should not: have access to modify the instance, no access to change disks or instance size, no access to any other resource. Just SSH and root inside a VM.
His account is under his personal email abc..@gmail.com
What exact permissions do I need to give him?
a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions.
b) For Google employees, there should really be a guide/tour for "grant access" that allows people who have fewer than 10 VM instances to follow it and grant access properly without delay or compromising security. He is unable to do paid work :(.
Related:
52756755 (why does he need the Compute Admin role for a developer? I need him only to develop and not maintain the instance)
62925708 (why does the user need a service account role? He does not need to be creating paid instances)
49384500 (You do not have sufficient permissions to SSH into this instance)
You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
If the person has a @gmail.com domain then he is an external user and needs to be given the external user permission.
Go to IAM & Admin -> From the Project menu select All and click the top organization:
Add the Compute OS Login External User
Now under the project Add the following:
Add Project - Viewer
Add Compute Engine - Service Account User
[optional] Add Compute Engine - Compute Viewer
(Although Compute Viewer is optional for just SSH, it does help the developer/programmer/intern to know what they are running and to recommend configuration changes when the program is ready for go-live.)
And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo, or "Compute OS Login" if they are just a regular user.
Open the instance, click edit and enable OS-Login under Metadata. Add the following
Key: enable-oslogin
Value: TRUE
Stop and start the instance. You need it for the permission to take effect. During troubleshooting none of this worked until we restarted the instance, and then it was magically fixed.
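As an added example (not part of the answer above), the following script audits whether one principal meets the OS Login SSH prerequisites the answer lists, given IAM policies in the JSON shape `gcloud ... get-iam-policy --format=json` produces. The org domain, policies and instance metadata are constructed sample data; the restart requirement cannot be checked from policy and is not covered.

```python
# Added example, not part of the answer above: audit whether one principal
# meets the OS Login SSH prerequisites the answer lists, given IAM policies
# in the JSON shape `gcloud ... get-iam-policy --format=json` produces.
# Policies, metadata and the org domain below are constructed sample data.
ORG_DOMAIN = "example.com"  # assumed Cloud Identity / Workspace domain

def has_role(policy, member, role):
    """True if `member` is bound to `role` anywhere in this IAM policy."""
    return any(role == b.get("role") and member in b.get("members", [])
               for b in policy.get("bindings", []))

def oslogin_ssh_gaps(member, org_policy, project_policy, instance_policy,
                     instance_metadata, want_sudo=False):
    """Return the prerequisites `member` is still missing (empty = ready)."""
    gaps = []
    # Identities outside the org domain (e.g. @gmail.com) are external and
    # need the org-level External User role before any OS Login works.
    if member.split("@")[-1] != ORG_DOMAIN and not has_role(
            org_policy, member, "roles/compute.osLoginExternalUser"):
        gaps.append("org: roles/compute.osLoginExternalUser")
    for role in ("roles/viewer", "roles/iam.serviceAccountUser"):
        if not has_role(project_policy, member, role):
            gaps.append(f"project: {role}")
    # Login role is granted on the instance (least privilege) or the project.
    login_roles = ["roles/compute.osAdminLogin"]
    if not want_sudo:
        login_roles.append("roles/compute.osLogin")
    if not any(has_role(p, member, r) for p in (instance_policy, project_policy)
               for r in login_roles):
        gaps.append("instance: " + " or ".join(login_roles))
    items = {i["key"]: i["value"] for i in instance_metadata.get("items", [])}
    if items.get("enable-oslogin", "").upper() != "TRUE":
        gaps.append("metadata: enable-oslogin=TRUE")
    return gaps

# Constructed sample state for an external intern with sudo on one VM.
INTERN = "user:intern@gmail.com"
ORG_POLICY = {"bindings": [
    {"role": "roles/compute.osLoginExternalUser", "members": [INTERN]}]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": [INTERN]},
    {"role": "roles/iam.serviceAccountUser", "members": [INTERN]}]}
INSTANCE_POLICY = {"bindings": [
    {"role": "roles/compute.osAdminLogin", "members": [INTERN]}]}
METADATA = {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}

if __name__ == "__main__":
    print(oslogin_ssh_gaps(INTERN, ORG_POLICY, PROJECT_POLICY,
                           INSTANCE_POLICY, METADATA, want_sudo=True))
```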
If you need to manage user access to your Linux VM instances, you can use one of the following methods:
OS Login
Managing SSH keys in metadata
Temporarily grant a user access to an instance
To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances.
More information about granting users SSH to VM instances can be found here.
Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.
More information about access control for users in Compute Engine can be found here.
About roles and permissions
If you need your employee to be able to see the project you need to grant the access to the project according to your needs.
The basic roles are owner, editor and viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project.
And on this page you will find a complete list of the roles and permissions included in Compute Engine.
On the other hand, in this guide about setting up OS Login, the roles and permissions required to complete the process are included. OS Login is an option suitable to resolve your issue.
Hi, I have a Google email account that I use to get into a GCP project. I am trying to read a BigQuery table via a Notebook, but when I try to read this table via the notebook I see this error:
Access Denied: Table project-name:data_warehouse_us.partnerize_data_clicks: User does not have permission to query table project-name:data_warehouse_us.partnerize_data_clicks. [accessDenied]
Traceback:
I go into the IAM settings, and I see the email account I use to access it has these 3 roles: "BigQuery Admin", "BigQuery Data Owner", "BigQuery Job User". Do I need to add another role to be able to read/write/delete the tables? Or is there another place I need to go to fix this error?
thanks
Posting as an answer confirmed by @JuanLozano. Notebooks use a service account to authorize requests. While you may set those permissions on your email account, you still have to set those permissions on the service account that your Notebook uses.
Check the service account defined for the Notebook, and then add the necessary permissions to it.
... without giving access to everything in project with Roles like Editor.
Apparently giving access to Notebooks Admin is not sufficient. User gets 403 error.
Turns out that authentication for the notebook proxy that is automatically set up by Google requires that the user has access to use the default Compute service account. So, apart from giving a proper role like Notebooks Admin, you need to:
Locate the default Compute service account for your project.
Give the user in question the "Use Service Account" role on the service account's permissions tab.
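As an added example (not part of the answer above, nor of any Google tooling), this script checks the two grants the answer requires before the Google-managed notebook proxy lets a user in: the Notebooks Admin role on the project and Service Account User on the project's default Compute Engine service account, whose email format is the PROJECTNUMBER-compute@developer.gserviceaccount.com pattern mentioned later on this page. The project number, user and policies are constructed sample data.

```python
# Added example, not part of the answer above: check the two grants the
# answer requires before the Google-managed notebook proxy lets a user in,
# Notebooks Admin on the project and Service Account User on the project's
# default Compute Engine service account. Sample data below is constructed.

def has_role(policy, member, role):
    """True if `member` is bound to `role` anywhere in this IAM policy."""
    return any(role == b.get("role") and member in b.get("members", [])
               for b in policy.get("bindings", []))

def default_compute_sa(project_number):
    """Email of the project's default Compute Engine service account."""
    return f"{project_number}-compute@developer.gserviceaccount.com"

def notebook_access_gaps(member, project_number, project_policy, sa_policies):
    """sa_policies: service-account email -> that account's own IAM policy.
    Returns the grants `member` still lacks (empty list = can open JupyterLab)."""
    gaps = []
    if not has_role(project_policy, member, "roles/notebooks.admin"):
        gaps.append("project: roles/notebooks.admin")
    sa = default_compute_sa(project_number)
    # Service Account User on the SA resource itself is the least-privilege
    # fix; the same role at project level would also satisfy the proxy.
    if not (has_role(sa_policies.get(sa, {}), member, "roles/iam.serviceAccountUser")
            or has_role(project_policy, member, "roles/iam.serviceAccountUser")):
        gaps.append(f"{sa}: roles/iam.serviceAccountUser")
    return gaps

# Constructed sample state: a user who got only the project-level role,
# which is exactly the 403 situation described in the answer.
PROJECT_NUMBER = "123456789012"  # placeholder, not a real project number
ANALYST = "user:analyst@example.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/notebooks.admin", "members": [ANALYST]}]}
SA_POLICIES = {default_compute_sa(PROJECT_NUMBER): {"bindings": []}}

if __name__ == "__main__":
    print(notebook_access_gaps(ANALYST, PROJECT_NUMBER, PROJECT_POLICY, SA_POLICIES))
```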
I want to give a GCP VM access to Cloud Source Repositories, but without having to shut down the VM because I have some processes running. Is this possible, or do I need to wait until the processes are done, turn off the VM and grant the permissions needed? How can I achieve this? Sorry for the naive question, I'm still learning how to use GCP products well :(.
You can go to IAM & Admin > IAM and look for the service account used by your Compute Engine instance. If you're using the default service account, this is the format:
PROJECTNUMBER-compute@developer.gserviceaccount.com
Afterwards, click "Edit Member", then select a role and look for "Source". You should be able to see the following roles:
Source Repository Administrator
Source Repository Writer
Source Repository Role
Select which role is best for your use case then hit save.
I have one person (a) who is in charge of administrating our Windows instances on Google Cloud and another person manages our Ubuntu instances. I want to allow the first person to have permission to start, stop, reset, change metadata / instance-size and login as admin on the Windows instances, but I don't want them to have access to perform those actions on any of the Ubuntu instances. All of the instances are part of the same project.
Is there any way to grant such permissions at an instance-level, without granting them for all instances in the project?
Google Compute Engine supports specifying the service account to use for the instance.
I recommend creating a new service account, assigning the Project Editor role and then assign that service account to instances that require this level of permission.
I do not recommend using Compute Engine Scopes to control permissions. Specify the desired roles for the service account, assign the service account to Compute Engine and specify "Allow full access to all Cloud APIs". The actual permissions will be controlled by the service account roles. Scopes are too granular in some cases.
I wrote an article that dives deeper into Compute Engine service accounts.
Google Cloud – Compute Engine Service Accounts
GCP allows one to provide fine grained permissions on Compute Engine instances. This appears to be well documented in the documentation found at:
Granting access to Compute Engine resources
At the highest level, we can assign permissions either through Cloud Console or through the gcloud command.
I was having trouble finding a way to do this because it is not available from the "IAM" section on Google Cloud. However, you can assign instance-specific roles and permissions from the Compute Engine - VM Instances page:
Go to the Compute Engine VM Instances page: https://console.cloud.google.com/compute/instances
Click the checkbox beside the instance(s) to which you want to assign instance-specific roles.
Click on "Show Info Panel".
On the "Info Panel" on the right side of the screen under "Permissions" click "Add Members".
Select the members / roles you want to assign and click "Save".