I want to be able to programmatically add a user to a project that exists in Google Cloud. I can do this via the console by going to IAM & Admin, selecting a project, then searching for a user, selecting a role and adding them. Furthermore, the docs seem to say this should be possible:
Project owners can grant access to team members to access project's resources and APIs by granting IAM roles to team members. You can grant a role to a team member using the Cloud Platform Console, the cloud command-line tool, or the setIamPolicy() method.
But the API seems to be missing this method.
I can grant users access to particular resources, but I can't give them the same kind of all-resource access level that I can from the console.
What API call can I use to, say, grant a given user read-only access to all the resources in a given project?
It's right where you linked it :)
What you want to do is:
1. Get current policy.
That will give you a JSON response showing you what the structure should be like.
2. Make your changes. If there is already an entry with roles/viewer, append to the members list, otherwise create the entry:
...
{
  "role": "roles/viewer",
  "members": [
    "user:your.friend@gmail.com"
  ]
},
...
3. Set the new policy.
For a list of possible roles look here.
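The get / modify / set sequence above, as an added example that is not part of the original answer. The policy-editing helpers are plain Python and run offline against a constructed policy; grant_project_role() at the end wires them to the Cloud Resource Manager v1 API through google-api-python-client, which is assumed to be installed and authenticated.

```python
"""Read-modify-write of a project's IAM policy (added example).

The helpers are plain Python and run offline against a constructed policy.
grant_project_role() at the bottom calls the Cloud Resource Manager v1 API via
google-api-python-client (assumed dependency) and is not exercised offline.
"""
import copy

# Constructed policy in the shape returned by projects.getIamPolicy.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:existing@example.com"]},
    ],
}


def add_member_to_role(policy: dict, role: str, member: str) -> dict:
    """Return a copy of policy in which member holds role.

    Same edit the answer describes: append to an existing binding for the
    role, otherwise create the binding. Idempotent, and leaves the input
    untouched. The etag is carried over so that setIamPolicy rejects the
    write if someone else changed the policy in between.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Conditional bindings are separate grants; only edit the plain one.
        if binding.get("role") == role and "condition" not in binding:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def remove_member_from_role(policy: dict, role: str, member: str) -> dict:
    """Inverse of add_member_to_role; drops bindings left without members."""
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):
            kept.append(binding)
    updated["bindings"] = kept
    return updated


def members_with_role(policy: dict, role: str) -> list:
    """Members granted role by an unconditional binding (empty list if none)."""
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            return list(binding.get("members", []))
    return []


def grant_project_role(project_id: str, role: str, member: str) -> dict:
    """Get, modify and set the live policy (needs credentials; assumed client)."""
    from googleapiclient import discovery  # assumed dependency

    crm = discovery.build("cloudresourcemanager", "v1")
    projects = crm.projects()
    current = projects.getIamPolicy(resource=project_id, body={}).execute()
    updated = add_member_to_role(current, role, member)
    return projects.setIamPolicy(
        resource=project_id, body={"policy": updated}
    ).execute()


if __name__ == "__main__":
    # Offline demonstration with the constructed policy.
    p = add_member_to_role(SAMPLE_POLICY, "roles/viewer", "user:your.friend@example.com")
    print(members_with_role(p, "roles/viewer"))
```

Keeping the etag from getIamPolicy in the body passed to setIamPolicy is what turns the three steps into a safe read-modify-write: a concurrent change to the policy makes the set call fail rather than silently dropping someone else's binding.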
I want to list IAM policies or access levels for various resources. I followed the docs and I'm able to list them for projects. There are various resources and I'm somewhat confused by it.
Do all other resources come inside the project? (Basically I'm confused about the chain.)
If someone has access to a project (read/write/anything else), can they then access the resources inside the project?
If other resources are independent, then how do I list their IAM policies? (For each individual resource)
I'm using the GCP OAuth2 API and would highly appreciate it if anyone at least answers the above questions.
Do all other resources come inside the project?
Yes.
For a specific project, you can use search-all-resources to search all the resources across services (or APIs) and projects.
To search every resource in the project with project number 123:
$ gcloud asset search-all-resources --scope=projects/123
If someone has access to a project (read/write/anything else) then can they have access to resources inside the projects?
Results from the above command are the resources in that project. If you have a user who has an owner role in the project then the user can manage roles and permissions for a project and all resources within the project. If a user has a viewer role then the user has permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
Some resources also have separate permissions: a user can have permissions other than at the project level, that is, individual permissions on the specific resource. By using them you can restrict the user's access to the project while the user can still access a specific resource.
Here you can find Access control for projects with IAM.
If other resources are independent then how to list their IAM policies? (For each individual resource)
Google has predefined roles for every resource in the project. You can filter out a specific resource by searching for the resource in this doc; those are the predefined roles which can be assigned to a user on the specific resource.
You can find more information in this doc.
The ORG, Folder, and Project are resources. They have an API to access IAM Policy Bindings. Cloud Storage, KMS, Compute Engine, Cloud Run, Functions, etc are also resources. They have an API to access IAM Policy bindings. Look up the API for each resource type.
In Google Cloud, many resources support IAM Policy Bindings but not all.
Do all other resources come inside the project? (Basically I'm confused about the chain)
Google Cloud resources belong to projects in almost all cases. Billing Accounts and Payment Accounts are examples that are separate.
If someone has access to a project (read/write/anything else) then can they have access to resources inside the project?
If as you say "read/write/anything else", then yes. If they have the correct IAM roles at the project level, they can access the resource. Since some resources also support their own IAM Policy Bindings, a user can be granted access to a resource at the resource level without having permission at the project level.
If other resources are independent then how to list their IAM policies? (For each individual resource)
You must access the resource's IAM Policy Bindings. Each resource that supports IAM Policy Bindings has a corresponding API to read/modify.
Note: resources are not independent. They are owned by a project in almost all cases as I mentioned previously.
OK, this is making me pull my hair out. I can't believe it's so complex...
So, to achieve what the subject says, without giving the user read access to all files in all buckets (other buckets in the project have sensitive data):
I navigated to the bucket -> Permissions and added the user as Storage Object Viewer, expecting this to be enough (later it appears this is enough if you have a direct link, or probably also the API), but the user trying to navigate the console gets stuck on https://console.cloud.google.com/storage/browser?project=xyz (bucket browser page). The message is: "You don’t have permission to view the Storage Browser or Storage Settings pages in this project"
How can I give the user access to list buckets (and therefore go through the UI path in the console) without giving general read access to all of Storage? There are no roles called "storage browser" or similar... I'm even up for creating a custom role, but what permissions would it need? Apparently storage.objects.list is not it.
Quick answer:
You need a custom role with:
storage.buckets.list
Rant answer:
Finally found the complete permissions reference:
https://cloud.google.com/storage/docs/access-control/iam-permissions
It looked easy enough knowing there are storage.bucket... permissions. With the UI it was still a nightmare to create the role though. The "add permissions" modal is tiny, and only filterable by role ^^. I don't know a role with these permissions but I know the exact permission. It shows 10 per page of 18xx permissions. Luckily storage permissions are very close to the end, so adding the service column + reverse sort only took 2 page steps or something. Oh wow, it's like they don't want people to understand this.
As of January 2021, to give a user access to the Cloud Storage console and access to a particular bucket, let's say to view or upload files:
1. Create a custom role in Cloud IAM.
This custom role needs the resourcemanager.projects.get and storage.buckets.list permissions.
The first permission allows the user to actually select the relevant project.
The second permission allows the user to list all the buckets in your project. Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to each bucket, your data is still private and secure.
2. Create an IAM user.
Go into Cloud IAM.
Add an IAM user and assign them the new role you created in step 1.
3. Assign permissions on the bucket resource.
Go into the bucket you want to provide access to.
Go into the Permissions pane.
Assign permission(s) to the IAM user you created in step 2. Assign a Storage role that makes sense for your situation (e.g. Storage Admin if they need to read objects / write objects / update permissions / fully configure the bucket, or Storage Object Viewer for read-only access).
You can easily test this by using a personal email address and seeing if the permissions are correct and that you're not creating a data breach.
My use case: I needed to give a third party developer access to a bucket that would hold assets for our marketing site. He should not have access to any other bucket but should be free to add/remove assets in this marketing bucket. Being so, I assigned the developer Storage Object Admin role.
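The inheritance rule from the earlier answer (project-level bindings apply to every resource below the project, bucket-level bindings apply only to that bucket) and the bucket-scoped recipe in the answer above, worked through as an added example that is not part of either answer. The hierarchy, the policies, the principals and the custom role id projects/marketing-site/roles/bucketBrowser are constructed; the roles themselves are the ones the answers name.

```python
"""Effective IAM roles down the resource hierarchy (added example).

Hierarchy, policies, principals and the custom role id are constructed; group
membership is not expanded (a real resolver would also walk group members).
"""

# Constructed hierarchy, child -> parent (None marks the root).
PARENTS = {
    "organizations/111": None,
    "folders/222": "organizations/111",
    "projects/marketing-site": "folders/222",
    "buckets/marketing-assets": "projects/marketing-site",
    "buckets/customer-pii": "projects/marketing-site",
}

# Constructed policies (bindings only), following the recipe above: the
# contractor gets a custom role (resourcemanager.projects.get +
# storage.buckets.list) at project level and an object role on one bucket only.
POLICIES = {
    "organizations/111": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "projects/marketing-site": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {
            "role": "projects/marketing-site/roles/bucketBrowser",  # custom role id assumed
            "members": ["user:contractor@example.com"],
        },
    ],
    "buckets/marketing-assets": [
        {"role": "roles/storage.objectAdmin", "members": ["user:contractor@example.com"]},
    ],
    "buckets/customer-pii": [
        {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
    ],
}

AUTHENTICATED_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")


def binding_matches(binding, member):
    """True if the binding grants its role to member, directly or publicly."""
    members = binding.get("members", [])
    if member in members or "allUsers" in members:
        return True
    return "allAuthenticatedUsers" in members and member.startswith(AUTHENTICATED_PREFIXES)


def ancestry(resource, parents=PARENTS):
    """The resource followed by its ancestors up to the root."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = parents.get(resource)
    return chain


def effective_roles(resource, member, parents=PARENTS, policies=POLICIES):
    """Map role -> resource whose policy grants it to member on resource.

    Policies inherit downward: an organization, folder or project binding
    applies to everything below it, while a bucket binding applies only to
    that bucket and says nothing about the project.
    """
    roles = {}
    for node in ancestry(resource, parents):
        for binding in policies.get(node, []):
            if binding_matches(binding, member):
                roles.setdefault(binding["role"], node)  # closest grant wins
    return roles


def resources_reachable(member, parents=PARENTS, policies=POLICIES):
    """Every resource on which member holds at least one role."""
    reachable = {}
    for res in parents:
        roles = effective_roles(res, member, parents, policies)
        if roles:
            reachable[res] = roles
    return reachable


if __name__ == "__main__":
    for res, roles in resources_reachable("user:contractor@example.com").items():
        print(res, roles)
```

Running it shows the point of the recipe: the contractor holds the custom browser role on both buckets (inherited from the project), but an object role only on marketing-assets, so customer-pii stays unreadable even though it is listable. The auditors group, bound at the organization, reaches every resource below it.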
I want my service account to be able to create files and folders in my bucket but disallow any read/list/download for objects in that bucket. I am not able to figure out what permissions to set for my bucket/service-account. Any ideas on this?
You can have a look at the general Identity and Access Management (IAM) page for Google Cloud Storage. From that, you can either use one of the predefined Cloud Storage roles, or create a custom role with the specific IAM permissions that you need. Let's follow both approaches:
Standard Cloud Storage IAM Roles: in this page you can find the complete list of available IAM Roles. Given the use case you present, you should consider using roles/storage.objectCreator role, as it only grants storage.objects.create permissions, and you cannot view or list objects.
Custom IAM Roles: you can follow this guide to create a custom IAM Role, and then define the specific permissions that you want to grant on your bucket. In this other page you can see a list of all the available permissions. You should use storage.objects.create, but you may be interested in also adding a different permission such as storage.objects.delete in order for the Service Account to be able to overwrite content (which cannot be done with the roles/storage.objectCreator role, as it does not have delete permissions).
So in general, and applying your specific use case, you could say that you can use the roles/storage.objectCreator standard role. However, you must take into account that using it, you will not be able to override content, as for that purpose, you will need the storage.objects.delete permission too. In that case, you can create a custom role.
I'm currently using web UI to browse the files in one of the buckets and I happen to be the project owner as well. However I get a permission error
You need the storage.objects.list permission to list objects in this bucket. Ask a project or bucket owner to give you this permission, then try again.
I'm completely stumped as I'm project owner. Any ideas?
The role roles/owner doesn't grant access to data within buckets.
The best resource to figure out which built-in IAM roles can do which things is the Google Cloud Platform IAM Permissions Reference.
On that page, CTRL-F for storage.objects.list (or for that matter, any other permission you're interested in) and you will see the roles that grant it on the right-hand column. Note that project owner (roles/owner) is not in the list of roles that grant this permission.
When buckets are created, roles/storage.legacyBucketOwner is granted to project owners, editors, and viewers by default. However, this permission can always be revoked, and in fact many users choose to remove this permission for more granular control over access to data in the bucket as opposed to project resources like VMs.
A good example would be a bucket which contains sensitive PII data. You might not want people who can SSH into VMs in the project to be in-scope to read that data.
1. In the GCP Console navigate to the IAM & Admin menu.
2. Choose IAM (top menu item).
3. Select your account.
4. In the info panel click on Add Role.
5. Add the Storage Object Admin role to your account.
6. Choose the Service Accounts menu item from the IAM menu (below Quotas).
7. Select the compute@developer.gserviceaccount.com or default account.
8. In the info panel click on Add Member and add your account.
9. You should now have full access to the Storage Bucket.
I remember when I used Google Storage for the Speech API, I needed to go to the IAM console to add the "Storage Admin" role to the service account even though I'm the project owner.
I understand that you're not using gsutil. But at this point, maybe give it a try to create the service account and give it the right permission? Hopefully, this will make it work for you.
You can try running this command:
gsutil iam ch 'user:myacc@mydoma.in:legacyObjectOwner' gs://mybucket
It worked for me.
Otherwise you can go into IAM & Admin and assign the Storage Admin role to your account.
I have a GCP project and, just for testing purposes, I want to grant a permission to 'allUsers'. But when I try to add it, I get the error "Members of type allUsers and allAuthenticatedUsers cannot be added to this resource". Can somebody help me understand what I am doing wrong or missing here? Thanks
Check the docs.
Project does not support allUsers and allAuthenticatedUsers as members in a Binding of a Policy.
Sometimes it might be that you’re trying to use a deprecated feature that is no longer available in the web UI and control panels but in fact is still silently supported for those who are unable to upgrade.
Granting a role to allUsers is one of these cases, and you can find an example of such a case in this answer from the SmartThings community.
Regarding the:
Can somebody help me to understand what I am doing wrong or missing here?
You are trying to use insecure permissions that are strongly discouraged. And that is wrong; it is not available in some web user interfaces for a reason. But if Google ditched such support altogether, then IoT devices that still depend on it, yet are out of reach of the developers who could upgrade them, would become inoperable. So new users are unlikely to see such a possibility, but those who used it in the past will stay operable.
But if you were unfortunate enough to delete such a permission and now have left a lot of IoT devices without the ability to publish to a Pub/Sub topic (and upgrading the devices is not a feasible option), then, following the mentioned answer from the SmartThings community, if you want to allow publishing to the topic bar of the project foo you can use the set IAM policy API to apply the role roles/pubsub.publisher to allUsers.
The resource will be: projects/foo/topic/bar
And policy object will be:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/pubsub.publisher",
        "members": [
          "allUsers"
        ]
      }
    ]
  }
}
The member types permission used to grant allUser or allAuthenticatedUser access to certain Google Cloud resources such as buckets cannot be applied as project roles to projects.
Google Cloud projects provide different levels of access control that are different from those used with buckets, as explained in the following Access Control for Projects using IAM documentation.
There is a three-level policy hierarchy in Google Cloud that puts projects and resources as separate entities. In this hierarchy, policies are inheritable but do have different access control models which are not interchangeable.
You can grant to a Google Cloud project the following permissions:
roles/owner - Full access to all resources.
roles/editor - Edit access to all resources.
roles/viewer - Read access to all resources.
roles/browser - Access to browse resources in the project.
The above project permissions can be fine-tuned at the resource level using member types as explained above.
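Since both answers above treat allUsers / allAuthenticatedUsers bindings as something to grant only deliberately and never at project level, here is an added example (not part of either answer) that scans a set of IAM policies for public principals. The resource names and policies are constructed; the severities follow the answers: a public binding in a project policy is reported as invalid because the API refuses it, a resource on an explicit allowlist (say, a bucket that serves a public website) is reported as accepted, and anything else as high.

```python
"""Finding public principals in IAM policies (added example).

Policies and resource names are constructed. The rule that a project policy
cannot bind allUsers or allAuthenticatedUsers is the one the answers cite.
"""
import copy

PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed policies, keyed by resource name, as getIamPolicy returns them.
SAMPLE_POLICIES = {
    "projects/foo": {
        "bindings": [
            {"role": "roles/owner", "members": ["user:owner@example.com"]},
            # Project-level public binding: the API rejects this outright.
            {"role": "roles/viewer", "members": ["allUsers"]},
        ]
    },
    "projects/foo/topics/bar": {  # constructed Pub/Sub topic name
        "bindings": [
            {"role": "roles/pubsub.publisher", "members": ["allUsers", "user:dev@example.com"]},
        ]
    },
    "buckets/public-www": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        ]
    },
    "buckets/customer-pii": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
        ]
    },
}


def is_project(resource):
    # "projects/foo" is a project; "projects/foo/topics/bar" is a child resource.
    return resource.startswith("projects/") and resource.count("/") == 1


def public_bindings(resource, policy, allowlist=frozenset()):
    """One finding per binding that grants a role to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        public = sorted(PUBLIC_PRINCIPALS.intersection(binding.get("members", [])))
        if not public:
            continue
        if is_project(resource):
            severity = "invalid"   # projects cannot carry these members at all
        elif resource in allowlist:
            severity = "accepted"  # deliberately public, e.g. a static website bucket
        else:
            severity = "high"
        findings.append({
            "resource": resource,
            "role": binding["role"],
            "principals": public,
            "severity": severity,
        })
    return findings


def audit(policies, allowlist=frozenset()):
    """Run public_bindings over every (resource, policy) pair."""
    findings = []
    for resource, policy in policies.items():
        findings.extend(public_bindings(resource, policy, allowlist))
    return findings


def strip_public_members(policy):
    """Remediation: copy of policy without public principals; empty bindings dropped."""
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES, allowlist={"buckets/public-www"}):
        print(finding)
```

The cleaned policy from strip_public_members is what you would pass back to the resource's setIamPolicy call; for buckets, enforcing public access prevention (described below) stops the public binding from being re-added later.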
Try removing "prevent public access" in the permissions of your GCP Cloud Storage bucket. This allows fine-grained control over individual objects, so that one or many objects in the bucket can be public.
Public access prevention prevents data in your organization or project from being accidentally exposed to the public. When you enforce public access prevention on a new or existing Cloud Storage resource, no one in your organization can make data public through IAM policies or ACLs.
For more see the docs here
Go to your bucket and revoke public access prevention as in the image below. Then go to your resource and add the permission for allUsers.
Disable public access prevention:
Go to Permissions (right-hand side of Configuration).
Disable public access prevention.
Then try again to make the image public.
It'll work.
Click on "Edit Access" in your bucket, then remove public access prevention, then try again; you will be able to set allUsers in permissions.