When viewieng the datastore page:
There was an error while loading /datastore/welcome?project=***********&folder=&organizationId=
Minimum permissions required for this page:
appengine.applications.create
datastore.locations.list
servicemanagement.services.bind
All permissions checked for the current project:
appengine.applications.create
datastore.locations.list
servicemanagement.services.bind
I have 'Editor' as well as 'Cloud Datastore Owner' permissions.
What else do I need?
Those roles should be enough to view the project's Cloud Datastore instance. However, a few things in your post indicate that you're trying to create a Datastore instance, and to do that, you'll also need the appengine.applications.create permission if your project doesn't have an App Engine app.
Cloud Datastore depends on App Engine. You don't have to use App Engine at all but you do need an active app to use Datastore.
You can have a project owner create the Datastore instance for you first, or you can ask them to give you the appengine.applications.create permission using a custom role.
Related
I'm trying to create a job in Dataflow to export to a text file the data published to a pub/sub topic. When saving the configuration I get a 'Job creation failed' message specifying 'Current user cannot act as service account ...-compute#developer.gserviceaccount.com', as shown in the attached picture.
Following Google's documentation I added the following roles to my user for this project (in addition to the owner role I already have):
Compute Viewer
Dataflow Admin
Dataflow Developer
Storage Object Admin
Service Account User
However the Controller Service Account mentioned in the message doesn't seem to exist in the list of Account Services of this project (IAM & Admin > Account Services). Is there anything I'm missing here?
Other requirements already checked:
I have the Compute Engine API already enabled
As owner I have the iam.serviceAccounts.actAs permission
Your best option is to create a custom service account in IAM and use it to build/run your job. if you're using cloud build to deploy and run your template you'll need to set your logging location.
More details at the below links:
Using custom service accounts in cloud build
Setting logging location in cloud build YAML
I am trying to use setIAMPolicy for Cloud Build Service account #cloudbuild.gserviceaccount.com. I want to provide AppEngine Admin, Cloud Run Admin permissions to the Cloud Build Service member so that it can do automated releases on AppEngine.
Somehow it throws 404 when I pass resource of Cloud Build Service account while getting IAM Policy. To confirm, I tried GET https://iam.googleapis.com/v1/{name=projects/*}/serviceAccounts in API Explorer and it also does not return the Google Managed Service accounts. It seems it only returns the service accounts which are created and not the Google Managed default accounts.
How can I set IAM Policy to grant these permissions to Cloud Build?
The general idea is to enable these permissions for both App Engine and Cloud Run.
Also, a common problem is not knowing that cron permissions are needed for App Engine and Cloud build. For example, this article mentions "Update cron schedules" as "No" for "App Engine Admin". Whether you need that or not depends on how your builds are done. If you end-up needing that too, use permission "Cloud Scheduler Admin" on your #cloudbuild.gserviceaccount.com. You can apply the same logic to other permissions and that chart might be useful for knowing what is needed depending on your setup.
I have a question about GCP and this Django app I am making. I am using Google cloud storage to hold documents that I need to provide access permissions for to my users, but I can't think of how to link users from my app (being saved to CloudSQL-PostgresSQL) to my Google Cloud project.
This feels like it should be an easy case to handle, but i'm used to services like Cognito handling this for me.
Should I make a service account for every user?
I've got a GCP project shared with me with the "project owner" access.
So, I can open and manage the "Identity Platform" users.
But I can't open the "Tenants" page (it's loading infinitely).
So, maybe it requires some additional roles, although I'm an owner of the project and I have the following roles assigned:
App Engine Admin
Cloud Build Editor
Cloud Scheduler Admin
Environment and Storage Object Administrator
Cloud Datastore Owner
Firebase Admin
Logging Admin
Google Cloud Managed Identities Admin
Admin of Tenancy Units
Storage Admin
Storage Object Admin
Storage Transfer Admin
Some people also suggest to open the page in incognito mode, but unfortunately it, not my case.
I also have noticed that "Tenants" currently in the BETA stage.
But I'm not sure if it's related somehow.
Thanks.
UPDATE:
Does it make sense to use Tenants in Google Identity Platform?
I'm owner of my project and the tenant work well. You should lack of some permissions (and it's very hard to find information. I'm in contact with the PM, I will try to know more)
About the relevance of tenant, all depends of your use cases. If you have user from different context/customer and you want to manage authentication in different manner according to this context.
If a customer don't pay, you can also deactivate a tenant, and you can disrupt the authentication (and thus the service) until the payment.
Your use case has to make sense, not the technical capabilities.
UPDATE
About permission, there is not yet predefined roles and you have to build a custom role for this. The list of permission are the same as for firebase
When creating a new version of an ML Engine Model with the command
gcloud ml-engine versions create 'v1' --model=model_name --origin=gs://path_to_model/1/ --runtime-version=1.4
I recieve the following error:
ERROR: (gcloud.ml-engine.versions.create) FAILED_PRECONDITION: Field: version.deployment_uri Error: Read permissions are required for Cloud ML service account cloud-ml-service#**********.iam.gserviceaccount.com to the model file gs://path_to_model/1/saved_model.pb.
- '#type': type.googleapis.com/google.rpc.BadRequest
fieldViolations:
- description: Read permissions are required for Cloud ML service account cloud-ml-service#**********.iam.gserviceaccount.com to the model file gs://path_to_model/1/saved_model.pb.
field: version.deployment_uri
This service account is not listed in the IAM & admin panel and does not belong to my project, so I don't want to grant permissions for this account manually.
Has anyone else also experienced this? Any suggestions on what I should do?
Additional information:
The google storage bucket has storage class regional and location europe-west1.
I already tried to disable (and re-enable) the ML Engine service with the command
gcloud services disable ml.googleapis.com
but this resulted in the following error:
ERROR: (gcloud.services.disable) The operation with ID tmo-acf.********-****-****-****-************ resulted in a failure.
Updated information:
The storage bucket does not belong to a different project.
The command
gcloud iam service-accounts get-iam-policy cloud-ml-service#**********.iam.gserviceaccount.com
gives the error:
ERROR: (gcloud.iam.service-accounts.get-iam-policy) PERMISSION_DENIED: Permission iam.serviceAccounts.getIamPolicy is required to perform this operation on service account projects/-/serviceAccounts/cloud-ml-service#**********.iam.gserviceaccount.com.
The dash in the path projects/-/serviceAccounts/... in this error message seems very wrong to me.
PROBLEM HAS BEEN SOLVED
I was finally able to disable the ML Engine service after removing all my models. After re-enabling the service I got a new service account which shows up in my IAM & admin panel and is able to access my cloud storage.
If someone finds this issue, #freeCris wrote the solution in the question. I decided to write this down as I read all the documentation in the answers to find nothing useful and then realized he wrote how to solve it in the question itself.
For those wanting to fix this, just run (make sure you don't have resources in ML Engine such as models and versions):
gcloud services disable ml.googleapis.com
And then run:
gcloud services enable ml.googleapis.com
You'll get a new service account that this time is listed in your IAM console. Just add it to your GCS bucket and it'll work now.
I think the problem was, that you tried to create the model under a different project, which was not associated with that bucket you tried to reach. So you used the service account of that different project to access the bucket, that's why it did not have any permissions and did not appear in you AMI.
If that happens again or if anybody else has that problem, you can check your projects with gcloud projects list and change it with gcloud config set project <project name>.
Yes, that service account doesn't belong to your project. You can know the service account for the Cloud ML Engine. For deploying on ML Engine, you will need to grant read access to your model files on gcs to that service account. Here is the documentation on how you can do that: https://cloud.google.com/ml-engine/docs/access-control#permissions_required_for_storage
This might also be useful: https://cloud.google.com/ml-engine/docs/working-with-data#using_a_cloud_storage_bucket_from_a_different_project