We are attempting to use GCR's Container Analysis API to send notifications via Pub/Sub when an image vulnerability has been found. We were able to get this working fine with a full admin account but have been unable to get a service account working.
We've confirmed the service account has full access to the Container Analysis API in the dashboard; however, any request we make gets denied. Our error occurs specifically when we call containerClient.GetOccurrence in the Go library.
Is there a special permission that needs to be granted at the project level for this to work?
Managed to answer my own question.
The service account in question was missing the roles/containeranalysis.occurrences.viewer role in IAM.
I am trying to add a service account to my cloud run service. However, there is a message that "No service account with required permissions available."
I'm not sure if this is related to my user's credentials, or something else. This project has the default compute service account, as well as additional service accounts.
I can't find anything related in the documentation regarding this.
Would appreciate any insight you have on this issue!
Yes, I think that's probably (!?) what's occurring.
I assume that you're using Cloud Console and trying to Create a Cloud Run service.
I was able to add a minimally-roled user to an existing project and, when trying to create a Cloud Run service, I observe the same behavior that you're seeing.
How do you know that the project contains service accounts? I assume that your permissions are similarly restricted in enumerating these.
The permissions required to set a service account are described here. You need service account user permissions on the project or specific service account in order to set it on a deploy.
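An added example (not code from either of the posts above) that checks the two situations described so far from the policies themselves: whether a service account holds roles/containeranalysis.occurrences.viewer, and whether a user holds the Service Account User role, which can be granted on the project or on the individual service account. The policies, project name, emails and etags are constructed placeholders; the input shape is assumed to be the JSON that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` print.

```python
"""Locate the IAM bindings that grant a principal a role, across every resource
policy where the grant might legitimately live.

Input shape (assumed): the JSON printed by
  gcloud projects get-iam-policy PROJECT --format=json
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
i.e. {"bindings": [{"role": ..., "members": [...], "condition": {...}?}], ...}.
Everything below is constructed sample data; the project, emails and etags
are placeholders, not real resources.
"""
import json

# Constructed sample: project-level policy.
PROJECT_POLICY = json.loads("""
{
  "version": 3,
  "etag": "BwXyZ123=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]},
    {"role": "roles/containeranalysis.occurrences.viewer",
     "members": ["serviceAccount:scanner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:deployer@example.com"],
     "condition": {"title": "weekdays-only",
                   "expression": "request.time.getDayOfWeek('UTC') < 6"}}
  ]
}
""")

# Constructed sample: policy attached to one service account. It is a separate
# resource with its own policy, so Service Account User can be granted here
# instead of project-wide.
SA_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwAbc456=",
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:deployer@example.com"]}
  ]
}
""")

POLICIES = {
    "projects/example-project": PROJECT_POLICY,
    "projects/example-project/serviceAccounts/runner@example-project.iam.gserviceaccount.com": SA_POLICY,
}


def bindings_for(policy, member, role):
    """Conditions (None if unconditional) of every binding in `policy` that
    grants `role` directly to `member`.

    Only direct membership is checked: a grant to group:... or domain:... that
    happens to include `member` is invisible here, because the policy does not
    carry group membership. Resolve groups separately before concluding that a
    principal lacks a role.
    """
    return [b.get("condition")
            for b in policy.get("bindings", [])
            if b.get("role") == role and member in b.get("members", [])]


def check_role(policies, member, role):
    """Where, across `policies` (resource name -> policy), does `member` hold
    `role`? A conditional binding is reported separately: it only grants the
    role while its CEL expression is true, so it must not be read as a plain
    grant when diagnosing a PERMISSION_DENIED."""
    unconditional, conditional = [], []
    for resource, policy in policies.items():
        for condition in bindings_for(policy, member, role):
            (conditional if condition else unconditional).append(resource)
    return {"unconditional": unconditional,
            "conditional": conditional,
            "granted": bool(unconditional)}


def missing_roles(policies, member, required_roles):
    """The subset of `required_roles` that `member` holds nowhere unconditionally."""
    return [r for r in required_roles
            if not check_role(policies, member, r)["granted"]]


if __name__ == "__main__":
    scanner = "serviceAccount:scanner@example-project.iam.gserviceaccount.com"
    print(check_role(POLICIES, scanner, "roles/containeranalysis.occurrences.viewer"))
    print(check_role(POLICIES, "user:deployer@example.com", "roles/iam.serviceAccountUser"))
    print(missing_roles(POLICIES, scanner,
                        ["roles/containeranalysis.occurrences.viewer",
                         "roles/iam.serviceAccountUser"]))
```

The checker only sees the policies you feed it: roles inherited from a folder or organisation policy, and roles reaching the principal through a group, are not detected, so an empty result means "not granted in these policies", not "not granted at all".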
I am setting up a service account in GCP in order to call the Directory API.
But I always get permission error: Not Authorized to access this resource/api.
I have set up this role but no luck. How do I know what permissions I need to configure in order to call the API?
Google Directory API is not a part of GCP - hence any roles / permissions you assign to your service account will not work.
You have to create a role and assign it to a user in order to be able to work with this API.
Your service account is not a domain admin, so it doesn't have access. You can, however, enable domain-wide delegation and make the service account impersonate a domain admin so your requests will be accepted.
This page describes how to allow members and resources to impersonate, or act as, an Identity and Access Management (IAM) service account. It also explains how to see which members are able to impersonate a given IAM service account.
Have a look at this answer, which may be useful to you. One more document that you may find helpful is "Authorising your request".
I've been trying to get data from GA using a service account; however, my issue is that it keeps saying:
Error: User does not have sufficient permissions for this profile.
I have enabled GA reporting API and given access to GA account using the email of the service account. In addition, it was granted "read and analyze" permissions on the account.
Tried this method on a personal account, and everything worked fine, however, when working on a client project, the issue comes back.
What could I be missing?
This was interesting to figure out.
I've used Account ID against one Google Analytics Account and that worked.
For the one I have been having an issue with, I needed to use the View ID.
I was trying to understand the example given in the Google Cloud samples at this link:
IAM Example
This example creates a service account, a VM, and a Pub/Sub topic. The VM runs as the service account, and the service account has subscriber access to the Pub/Sub topic, thereby giving services and applications running on the VM access to the Pub/Sub topic.
However, when I try to deploy this example I get the error below:
The fingerprint of the deployment is a-v3HjAHciZeSLuE-vSeZw==
Waiting for create [operation-1525502430976-56b6fb6809800-dbd09909-c5d681b2]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525502430976-56b6fb6809800-dbd09909-c5d681b2]: errors:
- code: RESOURCE_ERROR
location: /deployments/test-dp/resources/my-pubsub-topic
message: '{"ResourceType":"pubsub.v1.topic","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"User
not authorized to perform this action.","status":"PERMISSION_DENIED","details":[],"statusMessage":"Forbidden","requestPath":"https://pubsub.googleapis.com/v1/projects/fresh-deck-194307/topics/my-pubsub-topic:setIamPolicy","httpMethod":"POST"}}'
It says that the user doesn't have permission to perform this action.
I am unable to understand which user it is referring to.
Since I am the project owner and my account is the owner of the project, I should be able to deploy a script which can set the IAM policy for subscribing to a Pub/Sub topic.
Maybe my understanding above is wrong. Could somebody help me understand why this example is failing?
Also, if any additional configuration is needed for this example to run, I would hope it would be mentioned in the README file. But there are no instructions.
Make sure that APIs for all resources that you're trying to deploy are enabled.
Use the gcloud auth list command to make sure that the account with enough permissions is the active one.
Use the gcloud config list command to make sure that the default project and other settings are correct.
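An added example (not code from the question, the answer, or the Google Cloud sample) that takes the error message from the question, extracts which request was denied, and then runs the three checks from the answer over the JSON that gcloud prints. The gcloud output below is constructed sample data, the assumed output shapes are noted in the docstring, and the list of APIs the sample needs is inferred from its description (service account, VM, Pub/Sub topic), not from the sample's own README.

```python
"""Triage a Deployment Manager RESOURCE_ERROR like the one in the question:
pull the denied request out of the embedded error JSON, then run the three
checks from the answer (APIs enabled, active account, default project) over
the JSON that gcloud prints.

Assumed output shapes (assumptions; verify against your gcloud version):
  gcloud auth list --format=json                -> [{"account": ..., "status": "ACTIVE" or ""}]
  gcloud config list --format=json              -> {"core": {"account": ..., "project": ...}}
  gcloud services list --enabled --format=json  -> [{"config": {"name": "pubsub.googleapis.com"}, ...}]
All command output below is constructed sample data.
"""
import json
import re
from urllib.parse import urlparse

# The `message` field from the question's error, as Deployment Manager emits
# it: a JSON document serialised into a string.
DM_MESSAGE = (
    '{"ResourceType":"pubsub.v1.topic","ResourceErrorCode":"403",'
    '"ResourceErrorMessage":{"code":403,"message":"User not authorized to perform this action.",'
    '"status":"PERMISSION_DENIED","details":[],"statusMessage":"Forbidden",'
    '"requestPath":"https://pubsub.googleapis.com/v1/projects/fresh-deck-194307/topics/my-pubsub-topic:setIamPolicy",'
    '"httpMethod":"POST"}}'
)


def parse_denial(message):
    """Extract host, project, resource and method from the denied request.

    A trailing ':verb' on a GCP REST path is a custom method; the IAM
    permission it needs is conventionally <service>.<collection>.<verb>, so
    ':setIamPolicy' on topics/... maps to pubsub.topics.setIamPolicy. That
    mapping is a heuristic for flat resources like this one, not a lookup
    against the real permission catalogue.
    """
    err = json.loads(message)["ResourceErrorMessage"]
    url = urlparse(err["requestPath"])
    path, _, verb = url.path.partition(":")
    m = re.match(r"/v\d+/projects/([^/]+)/(.+)", path)
    if not m:
        raise ValueError(f"unrecognised request path: {err['requestPath']}")
    project, resource = m.group(1), m.group(2)
    service = url.netloc.split(".")[0]
    parts = resource.split("/")
    collection = parts[-2] if len(parts) >= 2 else parts[0]
    permission = f"{service}.{collection}.{verb}" if verb else None
    return {"host": url.netloc, "project": project, "resource": resource,
            "method": verb or err["httpMethod"], "permission": permission,
            "status": err["status"]}


def preflight(auth_list, config, enabled_services, denial, required_apis):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    active = [a["account"] for a in auth_list if a.get("status") == "ACTIVE"]
    if len(active) != 1:
        findings.append(f"expected exactly one ACTIVE account, found {active}")
    project = config.get("core", {}).get("project")
    if project != denial["project"]:
        findings.append(f"default project is {project!r} but the denied call "
                        f"targeted {denial['project']!r}")
    enabled = {s["config"]["name"] for s in enabled_services}
    # The API that rejected the call must be enabled too, whatever the list says.
    for api in sorted(set(required_apis) | {denial["host"]}):
        if api not in enabled:
            findings.append(f"API not enabled: {api}")
    return findings


# Constructed sample gcloud output for a project where the IAM API was never enabled.
AUTH_LIST = [{"account": "owner@example.com", "status": "ACTIVE"},
             {"account": "old-sa@example-project.iam.gserviceaccount.com", "status": ""}]
CONFIG = {"core": {"account": "owner@example.com", "project": "fresh-deck-194307"}}
ENABLED = [{"config": {"name": n}, "state": "ENABLED"}
           for n in ("compute.googleapis.com", "deploymentmanager.googleapis.com",
                     "pubsub.googleapis.com")]
# The sample creates a service account, a VM and a topic, so it touches these
# services (an assumption drawn from the sample's description, not its README).
REQUIRED_APIS = ["compute.googleapis.com", "deploymentmanager.googleapis.com",
                 "iam.googleapis.com", "pubsub.googleapis.com"]


def triage(message=DM_MESSAGE, auth_list=AUTH_LIST, config=CONFIG, enabled=ENABLED):
    denial = parse_denial(message)
    return denial, preflight(auth_list, config, enabled, denial, REQUIRED_APIS)


if __name__ == "__main__":
    denial, findings = triage()
    print(f"denied: {denial['method']} on {denial['resource']} in {denial['project']}"
          f" (needs {denial['permission']})")
    for finding in findings:
        print("  -", finding)
```

To use it against a real project, pipe each of the three gcloud commands through `--format=json` into `json.load` and pass the results to `preflight`; the parser tells you which resource and custom method were refused, which is what to look for when you then inspect who actually made the call on your behalf.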
I am a user in a group with an attached policy of AdministratorAccess. Despite this when I attempt to delete an AWS Mobile Hub project, I get the following:
Failed to delete project.
It looks like you do not have permission for this operation.
It then links me to the following page: https://docs.aws.amazon.com/aws-mobile/latest/developerguide/reference-mobile-hub-iam-managed-policies.html
At this time Mobile Hub requires a service role to perform operations in your AWS account, including deleting project resources. You can create the service role at the following link:
https://console.aws.amazon.com/mobilehub/home?#/activaterole/
We are planning on removing the service role in the future so Mobile Hub will use your account permissions to perform actions in your account. Once this change takes effect you will no longer need to have the service role in your account and administrator user permission will work without issue. You can find more information about this change here:
https://docs.aws.amazon.com/aws-mobile/latest/developerguide/reference-mobile-hub-project-permissions-model.html
Sincerely,
Dan G
AWS Mobile Developer Experience