I am going thru a Qwicklabs tutorial on GCP IAM.
At some point, it mentions that
Use the gcloud iam list-grantable-roles command to return a list of
all roles that can be applied to a given resource.
However the example cited lists the grantable roles by going throughout the entire project:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/$DEVSHELL_PROJECT_ID
Is there a way to run the above command but only on a specific resource, say Stackdriver or BigQuery ?
Is there a way to run the above command but only on a specific
resource, say Stackdriver or BigQuery ?
Yes. From the following examples, you should notice a naming pattern.
This link is Google's document on resource naming.
If you want to go deeper than the project then you must specify an actual resource. You cannot just specify BigQuery, you must specify the dataset in BigQuery. For Stackdriver you must specify an actual log name.
For some resources, gcloud provides the command-line option --uri. This will display the resource name:
gcloud compute instances list --uri
Note: The command line option --uri is not supported for all commands. Neither logging nor Biquery support --uri.
Compute Engine:
gcloud iam list-grantable-roles //compute.googleapis.com/projects/[PROJECT_ID]/zones/[ZONE]/instances/[VM_NAME]
BigQuery:
gcloud iam list-grantable-roles //bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]
Stackdriver Logging:
gcloud iam list-grantable-roles //logging.googleapis.com/projects/[PROJECT_ID]/logs/cloudbuild
Related
I'm using gcloud projects add-iam-policy-binding ... command to add role: roles/bigquery.jobs.create (because this is necessity if you want to be able to run query in BigQuery GCP project).
I get an output:
INVALID_ARGUMENT: Role roles/bigquery.jobs.create is not supported for this resource.
Problem here is I'm unable to set this through bq CLI as well, because it seems like permissions can be added on table/dataset level only. Anyone knows the possible solution (unix shell)?
The IAM role you mentioned in the question does not exist. It is a permission rather than a role.
The list of roles and their descriptions are provided in the BigQuery Predefined IAM roles
Hi I am a newbie and would greatly appreciate some help.
I am trying to analyze the current roles/permissions in the current GCP projects and consolidate the different roles/permissions in use today. There are many projects. Is there a way to check all of them?
One way to check the inuse role of a certain project is using this command in your cloud shell:
gcloud projects get-iam-policy <project_id> | grep role
The command:
gcloud projects get-iam-policy <PROJECT_ID_OR_NUMBER>
lists the IAM policy of a project. It contains users and their specific roles in that project.
grep role
reduces the output of the 1st command to roles for readability purposes.
If you want to see full output with users and service account and their corresponding roles, you may remove the grep role command.
To check out for more details regarding iam policy you may refer to this GCP documentation for project level:
https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy
I'm trying to attach a new disk to an existing instance.
I'm able to create the disk, however, when I try to attach it, it fails with the following error:
The resource 'xyz-compute#developer.gserviceaccount.com' of type 'serviceAccount' was not found.
What is preventing me here, and how can I add a disk?
The information requested by John Hanley would be very helpful to narrow down the issue and provide an accurate response to your question, however, that error message is typically shown when the Compute Engine default Service Account was deleted, if that is the case you have 3 possible options:
a) If the Service Account was deleted less than 30 days ago, it might be still possible to recover it using the command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
The output of that command should look like this:
restoredAccount:
email: sa-name#project-id.iam.gserviceaccount.com
etag: BwWWE7zpApg=
name: projects/project-id/serviceAccounts/sa-name#project-id.iam.gserviceaccount.com
oauth2ClientId: '123456789012345678901'
projectId: project-id
uniqueId: 'account-id'
You can follow the steps here, in order to recover it.
b) If it has been more than 30 days and undeleting is not possible, you will have to create a new Service Account and set it as the default Compute Engine Service Account. The steps for this would be:
Create a new Service Account with the name of your choice
You can do it through Cloud console by navigating to IAM -> Service Accounts page and clicking on '+ Create Service Account'. Or, if you prefer using the gcloud command, you can create a new account by using the command:
gcloud iam service-accounts create <NEW-SA-ACCT-NAME> --display-name="Compute Engine default service account"
Get the email id associated with this service account either via Cloud Console Service Accounts page, or using the gcloud command:
gcloud iam service-accounts list
Once you have done the above steps, you can set this new Service Account as the Compute Engine default Service Account using the alpha command:
gcloud alpha compute --project=peya-data-ops-pro project-info set-default-service-account --service-account=<NEW-SA-ACCT-NAME-EMAIL>
Note: This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you may be trying to access an API with an invitation-only early access allowlist, as described here.
c) As a last option and as long as you don't have any other resources running in Compute Engine or you don't mind losing those resources, you can disable the Compute Engine Service following the steps here and then re-enable it following this guide, that will recreate the default SA and you will be able to complete the required process.
I am trying to find in the official GCP documentation the exact permission (not Role) that corresponds to the ability to invoke this command
gcloud container clusters resize
The list does not include such a permission.
Any suggestion about the least privilege that needs to be granted for such an operation?
gcloud container clusters resize operation probably needs the caller to have container.clusters.update permission. You can find this permission in the following predefined roles :
Kubernetes Engine Admin (roles/container.admin)
Kubernetes Engine Cluster Admin (roles/container.clusterAdmin)
See Kubernetes Engine roles. I have not listed other roles containing this permission because they are too broad (roles/owner, roles/editor) or not appropriate (roles/composer.worker).
Based on the principle of least privilege and if you want to keep things simple using predefined roles, your user only needs to be granted roles/container.clusterAdmin because roles/container.clusterAdmin role contains a subset of roles/container.admin permissions.
Additionally, if you want/need to be more restrictive, you could also create a custom role with only the permission you need.
I am trying to create a Kubernetes cluster in Google Cloud Platform and I receive the following error when I try to create the cluster from the Web app:
An unknown error has occurred in Compute Engine: "EXTERNAL: Google
Compute Engine: Required 'compute.zones.get' permission for
'projects/my-project-198766/zones/us-west1-a'". Error code: "18"
When I use gcloud I receive this response:
(gcloud.container.clusters.create) ResponseError: code=403,
message=Google Compute Engine: Required 'compute.zones.get' permission
for 'projects/my-project-198766/zones/us-west1-a'
Please note that I have the Owner role and I can create VM instances without any issues.
Any ideas?
This sort of issue might arise if somehow your cloudservices robot gets removed as a project editor. My best guess is that in your case this is the issue.
This might happen due to API call which has SetIamPolicy that is missing cloudservices robot from the "roles/editor" bindings. SetIamPolicy is a straight PUT, it will override with whatever policy is provided in the request. You can get the list of IAM policies for your project with below command as given in this article.
gcloud projects get-iam-policy [project-id]
From the list, you can check whether below service account has the editor permission or not.
[id]#cloudservices.gserviceaccount.com
To fix the issue, you can grant the mentioned service account "Editor" permission and check whether that solves the issue or not.
Hope this helps.
in my case I deleted the service accounts / IAM's or whatever and that very same error message popped up, when I tried to create a kubernetes cluster.
I asked Google to recreate my service accounts, and they mentioned that you can recreate service accounts and their permissions simply by enabling them again. So, in my case I ran the following two commands in order to make kubernetes work again:
gcloud services enable compute
gcloud services enable container
Here is the link they gave me:
https://issuetracker.google.com/64671745#comment2
I think I got it. I tried to follow the advice from GitHub. The permissions I needed to set on my account (called blahblah-compute#developer.gserviceaccount.com) were:
roles/compute.instanceAdmin
roles/editor
roles/iam.serviceAccountUser
The last one seemed to be crucial.
For me recreating the service account with a new name from the console fixed the issue. I have only given the "Editor" role to the service account
I had accidently deleted the compute-service account. I had to follow all the steps mentioned above ie.
undelete the compute-service account
add the permission back to the service account - editor, serviceaccountuser, computeinstanceAdmin
Enable again compute and container services. Although these were not disabled, running gcloud services enable compute container, created some default service accounts for the compute robot such as service-#compute-system.iam.gserviceaccount.com and service-#container-engine-robot.iam.gserviceaccount.com
Hope this helps
As indicated by #Taher, that's most likely due to missing permissions for Google managed service accounts. If after checking the IAM policies for your project with gcloud projects get-iam-policy [project-id] you do not see the permissions listed, then you can add the required permissions by running the following:
project_id=[your-project-id]
project_number=$(gcloud projects describe $project_id --format='value(projectNumber)')
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#compute-system.iam.gserviceaccount.com" \
--role="roles/compute.serviceAgent"
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#container-engine-robot.iam.gserviceaccount.com" \
--role="roles/container.serviceAgent"
The full list of Google managed service accounts (service agents) is available here.