Google Cloud Build - View logs permissions - google-cloud-platform

I am the owner of a project and want to give permissions to another user to view the logs of Google Cloud Build, but I cannot figure out which role / permission this user needs.
Roles I've unsuccessfully tried are:
Cloud Build Editor,
Cloud Build Viewer,
Stackdriver Debugger Agent,
Stackdriver Debugger User,
Cloud Trace Admin,
Logging Admin,
Private Logs Viewer,
Logs Viewer,
Monitoring Admin

Google Cloud enterprise support confirmed to me that the only role that currently grants this is the project-level Viewer permission (or Editor/Owner).
One workaround is to set the --gcs-log-dir flag when submitting a build to a bucket you control (rather than the default Google-managed gs://[PROJECT_NUMBER].cloudbuild-logs.googleusercontent.com/ bucket).
They're tracking making a more granular permission in this feature request: https://issuetracker.google.com/issues/134928412, which you can subscribe to updates on.

If you add the project Viewer role then this will resolve the issue. But it seems like this is an issue (or maybe a feature request: to add the necessary permission to the Logs Viewer role so that logs can be viewed in UIs other than the Stackdriver Logging page as well). Looking at the documentation, it says "roles/viewer (Project Viewer) gives members the same permissions as roles/logging.viewer at the project level.", which means that just assigning Logs Viewer should have given the user the necessary permission to view the logs in the Cloud Build UI.

Related

IAM Permission Denied - Google Cloud Create metric

Currently I am trying to create a custom metric to be tracked in the Google Cloud Monitoring dashboard.
Although the admin of the system has given me Monitoring Editor, Monitoring Writer, and Monitoring Admin roles, this error is still occurring.
permission based error
Which permission settings do I need to create a custom / log based metric?
I have tried creating a metric on the Google Cloud Monitoring dashboard with the following roles: Monitoring Editor, Monitoring Writer, and Monitoring Admin. Even with these roles in my IAM permission settings, the red alert error still shows up when creating a metric.
It's confusing.
Although log-based metrics produce Cloud Monitoring metrics, they are part of the Cloud Logging API (and so they require Logging-specific roles/permissions).
Here's the list of permissions: https://cloud.google.com/iam/docs/permissions-reference
Search it (!) for logging.logMetrics.create and you'll get:
Owner (roles/owner)
Editor (roles/editor)
App Engine flexible environment Service Agent (roles/appengineflex.serviceAgent)
Cloud Composer API Service Agent (roles/composer.serviceAgent)
Cloud Dataflow Service Agent (roles/dataflow.serviceAgent)
Logging Admin (roles/logging.admin)
Logs Configuration Writer (roles/logging.configWriter)
Serverless VPC Access Service Agent (roles/vpcaccess.serviceAgent)
Get roles/logging.admin or roles/logging.configWriter bound to your identity and try again.

Error when creating a Job in Dataflow (Current user cannot act as service account)

I'm trying to create a job in Dataflow to export to a text file the data published to a Pub/Sub topic. When saving the configuration I get a 'Job creation failed' message specifying 'Current user cannot act as service account ...-compute@developer.gserviceaccount.com', as shown in the attached picture.
Following Google's documentation I added the following roles to my user for this project (in addition to the owner role I already have):
Compute Viewer
Dataflow Admin
Dataflow Developer
Storage Object Admin
Service Account User
However, the controller service account mentioned in the message doesn't seem to exist in the list of service accounts of this project (IAM & Admin > Service Accounts). Is there anything I'm missing here?
Other requirements already checked:
I have the Compute Engine API already enabled
As owner I have the iam.serviceAccounts.actAs permission
Your best option is to create a custom service account in IAM and use it to build/run your job. If you're using Cloud Build to deploy and run your template, you'll need to set your logging location.
More details at the below links:
Using custom service accounts in cloud build
Setting logging location in cloud build YAML

Permissions denied for Google Cloud Scheduler

I am trying to create a Cloud Scheduler but when I click on Cloud Scheduler, I receive the error: There was an error while loading /cloudscheduler?folder=&organizationId=&project=my+project. You are missing at least one of the following required permissions:Project cloudscheduler.jobs.list
When I check the permissions for the same project in my service account I see I have been granted all Cloud Scheduler permissions. Attached is the screenshot.
The message indicates that the identity that you are using to access Cloud Scheduler does not have the required permission.
I recommend double-checking which identities you are using.
If you are using the Google Cloud Console, there is a person icon located at the top right of your browser. That will tell you the identity that you are using.
The console is basically the user interface that appears after logging in from here.
So yes, when you click the hamburger menu, you are in the GCP console.

How to programmatically add roles to the Cloud Build service account?

I am trying to use setIamPolicy for the Cloud Build service account @cloudbuild.gserviceaccount.com. I want to provide App Engine Admin and Cloud Run Admin permissions to the Cloud Build service member so that it can do automated releases on App Engine.
Somehow it throws 404 when I pass resource of Cloud Build Service account while getting IAM Policy. To confirm, I tried GET https://iam.googleapis.com/v1/{name=projects/*}/serviceAccounts in API Explorer and it also does not return the Google Managed Service accounts. It seems it only returns the service accounts which are created and not the Google Managed default accounts.
How can I set IAM Policy to grant these permissions to Cloud Build?
The general idea is to enable these permissions for both App Engine and Cloud Run.
Also, a common problem is not knowing that cron permissions are needed for App Engine and Cloud Build. For example, this article mentions "Update cron schedules" as "No" for "App Engine Admin". Whether you need that or not depends on how your builds are done. If you end up needing that too, use the "Cloud Scheduler Admin" role on your @cloudbuild.gserviceaccount.com account. You can apply the same logic to other permissions, and that chart might be useful for knowing what is needed depending on your setup.
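The grants asked about in this thread are all the same operation: read an IAM policy, add a member to a role binding, write the whole policy back. The resource differs: the project for the Cloud Build service account's deploy roles (the 404 above comes from pointing setIamPolicy at the service account resource, whose own policy only controls who may act as it), the service account for the "cannot act as service account" error in the Dataflow question, and the custom logs bucket from the `--gcs-log-dir` workaround in the first question. The example below is added here and is not code from the thread or from Google; `SAMPLE_POLICY`, the project number and the member names are constructed placeholders in the shape `gcloud projects get-iam-policy PROJECT --format=json` returns (the same shape comes back from `gcloud iam service-accounts get-iam-policy` and `gcloud storage buckets get-iam-policy`).

```python
"""Read-modify-write of a GCP IAM policy document, preserving the etag.

Added example, not code from the thread. SAMPLE_POLICY is a constructed
policy in the shape `gcloud projects get-iam-policy PROJECT --format=json`
prints; project number and members are placeholders.
"""
import copy
import json

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {
            "role": "roles/cloudbuild.builds.builder",
            "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"],
        },
        {
            # Conditional binding (constructed): must not be widened to new members.
            "role": "roles/storage.objectViewer",
            "members": ["user:temp@example.com"],
            "condition": {
                "title": "until-2020",
                "expression": "request.time < timestamp('2020-01-01T00:00:00Z')",
            },
        },
    ],
    "etag": "BwWu9Vn2xYQ=",
    "version": 3,
}


def add_binding(policy, role, member):
    """Return a copy of policy with member bound to role (idempotent).

    Only unconditional bindings are reused: appending a member to someone
    else's conditional binding would give them that condition, not the
    unconditional access intended. The etag is left untouched so that
    setIamPolicy rejects the write if the policy changed underneath us.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def cloud_build_member(project_number):
    """Member string of the Google-managed Cloud Build service account."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def grant_cloud_build_deploy_roles(project_policy, project_number):
    """Project-level roles from the question: App Engine Admin and Cloud Run Admin."""
    member = cloud_build_member(project_number)
    for role in ("roles/appengine.appAdmin", "roles/run.admin"):
        project_policy = add_binding(project_policy, role, member)
    return project_policy


def allow_act_as(service_account_policy, member):
    """Grant roles/iam.serviceAccountUser on ONE service account's own policy.

    This is the least-privilege fix for 'Current user cannot act as service
    account': it allows acting as this account only, not every account in
    the project as a project-level grant would.
    """
    return add_binding(service_account_policy, "roles/iam.serviceAccountUser", member)


def members_with_role(policy, role, include_conditional=False):
    """Members bound to role; conditional bindings are excluded unless asked for."""
    members = []
    for binding in policy["bindings"]:
        if binding["role"] == role and (include_conditional or "condition" not in binding):
            members.extend(binding["members"])
    return members


if __name__ == "__main__":
    updated = grant_cloud_build_deploy_roles(SAMPLE_POLICY, "123456789012")
    # Write this out and apply with: gcloud projects set-iam-policy PROJECT policy.json
    print(json.dumps(updated, indent=2))
```

For the logs-bucket workaround the same helper applies to the bucket's policy: `add_binding(bucket_policy, "roles/storage.objectViewer", "user:viewer@example.com")` followed by `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`, which lets that user read build logs written there with `--gcs-log-dir` without holding project Viewer.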

iam role permission for stackdriver console log view

I need to set Stackdriver console view permission for a set of users.
Currently I have assigned them the
roles/logging.viewer
role. But they cannot access the GCP console to view the Stackdriver logs.
For now I have given them the project Viewer role to access the logs in the GCP console.
Can this be done in some other way?
According to the documentation and as mentioned by @pradeep above, the role with the title “Logs Viewer”, if given to a user, indeed grants the user the permissions to view the Stackdriver logs in the GCP Logging console view. You may verify this, as per the documentation: in order to view (minimal read-only access) the Stackdriver logs in the GCP Console, the following permissions are necessary:
logging.logEntries.list
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
resourcemanager.projects.get
These permissions are included in the aforementioned role.
I reproduced your case by visiting the “IAM & admin” section in my GCP Console. I added a new member of a gmail account. In the picture below, you may see the available options when adding a new member:
While selecting a role, I typed “log” in the “Type to filter” search field and added the role “Logs Viewer”, as you can see below:
The user with the corresponding email, which I had just added, was able to view the logs in the console by selecting the corresponding project.
Additionally, Google Groups are a convenient way to apply an access policy to a collection of users. My example though was examining one user with a gmail account.
Some additional information that you might find useful:
During my investigation, I found that users with the “Logs Viewer” role will not be able to list the logs using the "gcloud logging logs list" command; instead they will receive an error indicating that a permission is missing from the role. The permission needed in order to run "gcloud logging logs list" is "serviceusage.services.use", which is included in the "Editor" and project "Owner" roles, among others. I understand this is not your issue, but I mention it just in case you encounter it.
There is a Public Issue Tracker entry about this matter to include the permission “serviceusage.services.use” in the role roles/logging.viewer by default, so you will not have to add it manually in the future. For now you will need to include the permission manually.
As I am not sure why your users cannot view the logs in the console, since my reproduction was successful, could you please attach a screenshot of the issue and further elaborate on the description of your question?
(for example:
describe the steps of how you are granting the roles/logging.viewer
does your workaround (granting project viewer) allow the users to view the Logs via Console?
do the users or you receive an error while trying to view Logs when roles/logging.viewer was granted?
)
If you give a user the roles/logging.viewer role then they can only view the Stackdriver service; they cannot access other services, for example Storage.
What error do you get when giving only roles/logging.viewer? Can you attach a screenshot as well?
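Three of the threads above reduce to the same two questions: which roles carry a given permission (the "search the permissions reference for logging.logMetrics.create" step), and whether the identity actually in use holds one of them (the Cloud Scheduler case, where the service account had the permission but the console user did not; the Logs Viewer case, where the role has the console permissions but not serviceusage.services.use). The example below is added here and is not code from the thread or from Google. `ROLE_PERMISSIONS` holds constructed, abbreviated copies of the `includedPermissions` list that `gcloud iam roles describe roles/NAME` prints; `SAMPLE_POLICY` and `GROUPS` are constructed as well. Against a live project you would substitute real `gcloud iam roles describe` output and the `--format=json` policy.

```python
"""Which roles grant a permission, and does a given identity hold it?

Added example, not code from the thread. ROLE_PERMISSIONS is a CONSTRUCTED,
abbreviated stand-in for `gcloud iam roles describe roles/NAME` output;
SAMPLE_POLICY and GROUPS are constructed too.
"""

ROLE_PERMISSIONS = {
    # The five permissions the answer above lists for Logs Viewer.
    "roles/logging.viewer": {
        "logging.logEntries.list", "logging.logs.list",
        "logging.logServiceIndexes.list", "logging.logServices.list",
        "resourcemanager.projects.get",
    },
    # Abbreviated constructed subsets of the real includedPermissions lists.
    "roles/logging.configWriter": {
        "logging.logMetrics.create", "logging.logMetrics.update",
        "logging.logMetrics.delete", "logging.sinks.create",
        "resourcemanager.projects.get",
    },
    "roles/monitoring.admin": {
        "monitoring.metricDescriptors.create", "monitoring.timeSeries.create",
        "monitoring.dashboards.create", "resourcemanager.projects.get",
    },
    "roles/cloudscheduler.viewer": {
        "cloudscheduler.jobs.list", "cloudscheduler.jobs.get",
        "cloudscheduler.locations.list",
    },
}

# Constructed project policy: alice holds Logs Viewer directly and Monitoring
# Admin via a group; bob's Logs Configuration Writer binding has expired.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/monitoring.admin", "members": ["group:sre@example.com"]},
        {
            "role": "roles/cloudscheduler.viewer",
            "members": ["serviceAccount:scheduler-bot@my-project.iam.gserviceaccount.com"],
        },
        {
            "role": "roles/logging.configWriter",
            "members": ["user:bob@example.com"],
            "condition": {
                "title": "expired",
                "expression": "request.time < timestamp('2020-01-01T00:00:00Z')",
            },
        },
    ],
    "etag": "BwWu9Vn2xYQ=",
    "version": 3,
}

# Constructed group membership; IAM does not expand groups in the policy itself.
GROUPS = {"user:alice@example.com": {"group:sre@example.com"}}


def roles_with_permission(permission, role_permissions=ROLE_PERMISSIONS):
    """Roles whose definition includes permission (the reference-search step)."""
    return sorted(role for role, perms in role_permissions.items() if permission in perms)


def identities_for(member, groups):
    """The member itself plus every group it belongs to."""
    return {member} | set(groups.get(member, ()))


def check_permission(policy, member, permission, groups=GROUPS,
                     role_permissions=ROLE_PERMISSIONS):
    """Roles bound to member (directly or via group) that include permission.

    Conditional bindings are reported separately, since they apply only while
    their condition holds. Roles missing from role_permissions contribute
    nothing; against a real project, describe every role in the policy first.
    """
    ids = identities_for(member, groups)
    granted, conditional = [], []
    for binding in policy["bindings"]:
        role = binding["role"]
        if permission not in role_permissions.get(role, ()):
            continue
        if not ids & set(binding["members"]):
            continue
        (conditional if "condition" in binding else granted).append(role)
    return {"granted_by": sorted(granted), "conditional": sorted(conditional)}


def has_permission(policy, member, permission, **kwargs):
    """True only for an unconditional grant."""
    return bool(check_permission(policy, member, permission, **kwargs)["granted_by"])


if __name__ == "__main__":
    print(roles_with_permission("logging.logMetrics.create"))
    print(check_permission(SAMPLE_POLICY, "user:alice@example.com", "serviceusage.services.use"))
```

Run with the identity shown by the person icon in the console (or `gcloud auth list`) as `member`, not the service account you expect to be used; the Cloud Scheduler error above is exactly the gap between those two.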