How can you give someone access to set permissions without making them a project owner on Google Cloud Platform? - google-cloud-platform

We're trying to give a google cloud platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default editor permission for the project it exists on. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.

Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.

I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the 'IAM & Admin > Service accounts' tab).

Related

How can you create a new user with GCP full admin and not billing access?

It seems reasonable to want to grant an administrator access to create any and all resources without being able to pull / change / delete billing info.
I seem to recall there was a role something like "project owner" that had full admin but couldn't control billing (and maybe couldn't create new projects).
Does anyone know of a role like that? It has been a while since I set up a new GCP account. I've searched around a bit and can't immediately lay hands on the information.
The documentation is not super helpful.
In Google Cloud, there is no single role that grants permissions to everything. Some roles do have enough power to support granting themselves more roles.
There are multiple admin-level roles and this evolves as Google creates and modifies services. You will need to review the services that you are using and then grant roles to that identity.
The Organization Administrator has the power to grant itself and any other identity any role. However, this role itself has few permissions.
The Owner account has the power to grant itself and any other identity in the same project any role. The Owner role has a vast number of permissions but does not have all of them. The Owner must grant itself permissions for some resource types.
Note: Only a billing account admin can grant permissions to the billing account. That privilege is separate from Google Cloud permissions. Billing accounts are not part of Google Cloud and have their own management structure.

Unable to give Billing Administrator role to my account in GCP

I would like to set up Budgets and Alerts for one of the client projects. I think I have all the relevant roles, like Owner, Project IAM Admin and Organization Admin, but I am still unable to give myself or get the Billing Administrator role.
Attached is a screenshot with the list of roles I have.
Attached is another screenshot where I still don't get Billing Account Administrator and see only Project Billing Manager.
I followed this documentation (https://cloud.google.com/iam/docs/job-functions/billing) and it clearly says the CEO (who is Organization Administrator) can grant the Office Manager the Billing Account Administrator role. But here I am unable to assign the Billing Account Administrator role to myself. Can anyone guide me on how I should proceed to set up Budgets & Alerts? I have also enabled the Cloud Billing API.
Please be aware that the Billing Account Administrator role can only be granted at the organization or billing account levels, not to a project, as it seems you are trying to do per your screenshot.
If you have the necessary permissions, please select your organization in the top projects dropdown in the GCP web console, and then the option IAM & Admin: from there, you should have the ability to ADD the required role.

Google cloud project to service account to user roles mapping creation

I have a Google cloud project created.
I created a service account with project editor role.
Now, if I give a user the serviceAccountUser role on the service account, it doesn't automatically give the user permission on the project.
If I log in to the Google Cloud console as that user, I'm unable to see the project itself.
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access." So, I thought I would be able to access all the projects as well. Does the above statement mean something else?
On GCP you have user accounts and service accounts. The main purpose of service accounts is to consume GCP services via API calls; the documentation says: "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs." To log in and interact with the GUI and resources you need a user account. If you want to see the resources, the account needs the Viewer role; if you need to perform operations on the resources, you need an admin role. Review the documentation for more information (How IAM works).

How can I disable a GCP Service Account to create VM instances?

I need to prevent a service account in Cloud IAM from creating Compute Engine instances. Currently the service account has the Editor role on the project.
I tried adding a condition to disable compute/instance using the condition builder, but it doesn't allow this, saying primitive roles cannot be edited.
Condition Builder is in Beta.
You can remove the Editor role and assign the required (custom) role to the service account.
Open the IAM & Admin page in the Cloud Console. Click Select a project, choose a project, and click Open.
Identify the service account to which you want to add a role.
If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account. If the service account is already on the members list, it has existing roles. To edit the service account's roles, click the Edit button. Select one or more roles to apply to the service account.
Click Save to apply the roles to the service account.
Another option is to restrict who can use the service account.
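As an added example (not code from the answers above), a Python check that finds service accounts bound to basic roles in a project IAM policy and rewrites the binding so the account holds a custom role instead of Editor; the policy contents, project id and custom role id are constructed, and the policy shape follows what `gcloud projects get-iam-policy --format=json` returns.

```python
import copy

# Constructed sample project policy, in the shape `gcloud projects get-iam-policy
# PROJECT --format=json` returns (example data, not a real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:builder@example-project.iam.gserviceaccount.com",
                     "user:bob@example.com"]},
    ],
    "etag": "BwXConstructed=",
    "version": 1,
}

# Basic (formerly "primitive") roles: broad grants that cannot be narrowed with a condition.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def service_accounts_with_basic_roles(policy):
    """Map each service-account member to the basic roles it holds in the policy."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding["role"] not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                found.setdefault(member, []).append(binding["role"])
    return found


def replace_role(policy, member, old_role, new_role):
    """Copy of policy with member moved from old_role to new_role (the fix described above)."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.get("bindings", []):
        if binding["role"] == old_role and member in binding["members"]:
            binding["members"].remove(member)
    # Drop bindings left empty so the policy is still valid for set-iam-policy.
    new_policy["bindings"] = [b for b in new_policy.get("bindings", []) if b["members"]]
    target = next((b for b in new_policy["bindings"] if b["role"] == new_role), None)
    if target is None:
        target = {"role": new_role, "members": []}
        new_policy["bindings"].append(target)
    if member not in target["members"]:
        target["members"].append(member)
    return new_policy
```

The rewritten policy is what you would hand to `gcloud projects set-iam-policy` after creating the custom role (one without compute.instances.create) with `gcloud iam roles create`.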

Google cloud storage listing files in bucket requires permission for project owner

I'm currently using the web UI to browse the files in one of the buckets, and I happen to be the project owner as well. However, I get a permission error:
You need the storage.objects.list permission to list objects in this bucket. Ask a project or bucket owner to give you this permission, then try again.
I'm completely stumped as I'm project owner. Any ideas?
The role roles/owner doesn't grant access to data within buckets.
The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference.
On that page, CTRL-F for storage.objects.list (or for that matter, any other permission you're interested in) and you will see the roles that grant it on the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.
When buckets are created, roles/storage.legacyBucketOwner is granted to project owners, editors, and viewers by default. However, this permission can always be revoked, and in fact many users choose to remove this permission for more granular control over access to data in the bucket as opposed to project resources like VMs.
A good example would be a bucket which contains sensitive PII data. You might not want people who can SSH into VMs in the project to be in-scope to read that data.
In the GCP Console navigate to the IAM Admin menu.
Choose IAM (top menu item)
Select your account.
In the info panel click on Add Role
Add the Storage Object Admin role to your account
Choose Service Accounts menu item from the IAM menu (below Quotas)
Select the compute@developer.gserviceaccount.com or default account.
In the info panel click on Add Member and add your account.
You should now have full access to the Storage Bucket
I remember that when I used Google Storage for the Speech API, I needed to go to the IAM console to add the "Storage Admin" role to the service account even though I'm the project owner.
I understand that you're not using gsutil. But at this point, maybe try creating a service account and giving it the right permission? Hopefully this will make it work for you.
You can try running this command:
gsutil iam ch 'user:myacc@mydoma.in:legacyObjectOwner' gs://mybucket
It worked for me.
Otherwise you can go to IAM and assign the Storage Admin role to your account.