I am a beginner on Google Cloud and Bigtable. I was wondering if it was possible to set up a service account having admin access to a single Bigtable instance?
If possible I would like to do it from the console.
This is what I use today:
To enable Cloud Bigtable IAM roles, please enable the Cloud Bigtable API via the Cloud Console, which you can find by searching the API Library for "Bigtable".
Once you've done this, the Cloud Bigtable IAM roles will show up, and you will be able to grant Cloud Bigtable IAM roles to service accounts, as you have done in the screenshot for other services.
That said, please note that all of these roles, including the ones in your screenshot, are not instance-specific; they are service-specific and affect all instances of that service across the entire project.
To assign IAM roles on a per Cloud Bigtable instance level, follow these instructions:
Go to the Cloud Bigtable instances page in the GCP Console.
Check the boxes next to the instances whose roles you want to manage. An information panel appears.
In the information panel, click Permissions.
Under Add members, start typing the email address of the user or service account you want to add, then click the email address of the user or service account.
Click the Select a role drop-down list, then click Cloud Bigtable to select a predefined role or Custom to select a custom role.
Click the name of each role that you want to assign.
Click Add. The user or service account is granted the roles that you specified at the instance level.
Instance-level permissions are now available and you can assign roles to individual instances. This functionality is accessible via the Cloud Console by clicking the check box next to the Bigtable instance that you would like to configure.
I created a service account mycustomsa@myproject.iam.gserviceaccount.com.
Following the GCP best practices, I would like to use it in order to run a GCE VM named instance-1 (not yet created).
This VM has to be able to write logs and metrics for Stackdriver.
I identified:
roles/monitoring.metricWriter
roles/logging.logWriter
However:
Do you advise any additional role I should use? (i.e. instance admin)
How should I set up the IAM policy binding at project level to restrict the usage of this service account just for GCE and instance-1?
For writing logs and metrics on Stackdriver those roles are appropriate; you need to define what kind of activities the instance will be doing. However, as John pointed out in his comment, using a conditional role binding [1] might be useful, as they can be added to new or existing IAM policies to further control access to Google Cloud resources.
As for the best practices on SA, I would recommend making the SA as secure as possible with the following:
- Specify who can act as service accounts. Users who are Service Account Users for a service account can indirectly access all the resources the service account has access to. Therefore, be cautious when granting the serviceAccountUser role to a user.
- Grant the service account only the minimum set of permissions required to achieve its goal. Learn about granting roles to all types of members, including service accounts.
- Create service accounts for each service with only the permissions required for that service.
- Use the display name of a service account to keep track of the service accounts. When you create a service account, populate its display name with the purpose of the service account.
- Define a naming convention for your service accounts.
- Implement processes to automate the rotation of user-managed service account keys.
- Take advantage of the IAM service account API to implement key rotation.
- Audit service accounts and keys using either the serviceAccount.keys.list() method or the Logs Viewer page in the console.
- Do not delete service accounts that are in use by running instances on App Engine or Compute Engine unless you want those applications to lose access to the service account.
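The first, second and audit items in that list can be checked mechanically against the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and the `serviceAccount.keys.list()` method return. The following script is an added example (not code from the answer or from Google); the policy, the key list, the project name "myproject" and the 90-day key age threshold are all constructed values for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `gcloud projects get-iam-policy myproject --format=json`
# output; hypothetical members and etag, not taken from a real project.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:mycustomsa@myproject.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com", "group:ops@example.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:mycustomsa@myproject.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:mycustomsa@myproject.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXYZ123",
  "version": 1
}
""")

# Constructed sample of a serviceAccount.keys.list() response (hypothetical key ids).
KEY_PREFIX = "projects/myproject/serviceAccounts/mycustomsa@myproject.iam.gserviceaccount.com/keys/"
SAMPLE_KEYS = {
    "keys": [
        {"name": KEY_PREFIX + "key-old", "keyType": "USER_MANAGED",
         "validAfterTime": "2019-01-10T12:00:00Z"},
        {"name": KEY_PREFIX + "key-new", "keyType": "USER_MANAGED",
         "validAfterTime": "2019-11-01T12:00:00Z"},
        {"name": KEY_PREFIX + "key-sys", "keyType": "SYSTEM_MANAGED",
         "validAfterTime": "2019-11-15T12:00:00Z"},
    ]
}

SA = "serviceAccount:mycustomsa@myproject.iam.gserviceaccount.com"
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Granted at project level, these roles let a member act as every service
# account in the project, which is the "who can act as" item in the list.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser",
                       "roles/iam.serviceAccountTokenCreator"}


def roles_of(policy, member):
    """All roles bound to `member` anywhere in the policy."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def primitive_grants(policy, member):
    """Primitive roles held by `member`; these violate least privilege."""
    return sorted(r for r in roles_of(policy, member) if r in PRIMITIVE_ROLES)


def project_wide_actors(policy):
    """Members who may impersonate any service account in the project."""
    actors = set()
    for b in policy.get("bindings", []):
        if b["role"] in IMPERSONATION_ROLES:
            actors.update(b.get("members", []))
    return sorted(actors)


def stale_user_keys(keys_response, now, max_age_days=90):
    """User-managed keys created more than `max_age_days` before `now`.

    System-managed keys are rotated by Google and are skipped.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for k in keys_response.get("keys", []):
        if k.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.strptime(k["validAfterTime"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        if created < cutoff:
            stale.append(k["name"].rsplit("/", 1)[-1])
    return stale


if __name__ == "__main__":
    now = datetime(2019, 12, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
    print("roles of SA:", roles_of(SAMPLE_POLICY, SA))
    print("primitive roles on SA:", primitive_grants(SAMPLE_POLICY, SA))
    print("project-wide impersonators:", project_wide_actors(SAMPLE_POLICY))
    print("user-managed keys older than 90 days:", stale_user_keys(SAMPLE_KEYS, now))
```

On the constructed sample the script flags roles/editor on the service account, the two project-wide serviceAccountUser grants and the key created in January; replacing the editor grant with the two writer roles and moving the serviceAccountUser grant onto the individual service account resource are the corresponding fixes.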
I need to disable a service account in Cloud IAM to create Compute Engine instances. Currently the service account has the Editor role on the project.
I tried adding a condition to disable compute/instance using condition builder but it doesn't allow this, saying primitive roles cannot be edited.
Condition Builder is in Beta.
You can remove the Editor role and assign the required (custom) role to the service account.
Open the IAM & Admin page in the Cloud Console. Click Select a project, choose a project, and click Open.
Identify the service account to which you want to add a role.
If the service account isn't already on the members list, it doesn't have any roles assigned to it. Click Add and enter the email address of the service account. If the service account is already on the members list, it has existing roles. To edit the service account's roles, click the Edit button. Select one or more roles to apply to the service account.
Click Save to apply the roles to the service account.
Another option is:
Restrict who can use the service account.
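The two points in this answer (drop the primitive Editor grant and bind a narrow role instead) and the conditional role binding suggested in the previous answer can both be expressed as edits to the policy document that `gcloud projects get-iam-policy` returns and `set-iam-policy` accepts. The script below is an added example, not code from either answer or from Google; the project name, zone, members and etag are constructed, and the `resource.name` form used in the condition is the Compute Engine instance format from the IAM conditions documentation, assumed here for a VM named instance-1.

```python
import copy

# Constructed sample policy for a hypothetical project "myproject"; the
# service account currently holds the primitive Editor role, as in the question.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXYZ123",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:mycustomsa@myproject.iam.gserviceaccount.com"]},
    ],
}
SA = "serviceAccount:mycustomsa@myproject.iam.gserviceaccount.com"
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Condition limiting a grant to one VM. Project "myproject" and zone
# "us-central1-a" are assumptions for the example.
INSTANCE_1_ONLY = {
    "title": "instance-1 only",
    "description": "Limits the grant to the VM instance-1 in us-central1-a",
    "expression": ('resource.type == "compute.googleapis.com/Instance" && '
                   'resource.name == "projects/myproject/zones/us-central1-a/instances/instance-1"'),
}


def revoke(policy, member, role):
    """Remove member from every unconditional binding of role.

    Bindings left with no members are dropped, as IAM would reject them.
    """
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role and "condition" not in b:
            b["members"] = [m for m in b.get("members", []) if m != member]
        if b.get("members"):
            kept.append(b)
    new["bindings"] = kept
    return new


def grant(policy, member, role, condition=None):
    """Bind role to member, optionally under a condition.

    Conditions are refused on primitive roles (the console error from the
    question), and a conditional binding requires policy version 3.
    """
    if condition is not None and role in PRIMITIVE_ROLES:
        raise ValueError(f"{role} is a primitive role; conditions are not supported on it")
    new = copy.deepcopy(policy)
    if condition is None:
        for b in new["bindings"]:
            if b["role"] == role and "condition" not in b:
                if member not in b["members"]:
                    b["members"].append(member)
                return new
        new["bindings"].append({"role": role, "members": [member]})
        return new
    new["bindings"].append({"role": role, "members": [member], "condition": condition})
    new["version"] = 3
    return new


def replace_editor(policy, member, roles):
    """Swap the Editor grant for the listed narrow roles (least privilege)."""
    new = revoke(policy, member, "roles/editor")
    for role in roles:
        new = grant(new, member, role)
    return new


def roles_of(policy, member):
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


if __name__ == "__main__":
    import json
    p = replace_editor(SAMPLE_POLICY, SA,
                       ["roles/logging.logWriter", "roles/monitoring.metricWriter"])
    # A human operator gets instance admin on instance-1 only, nothing else.
    p = grant(p, "user:bob@example.com", "roles/compute.instanceAdmin.v1", INSTANCE_1_ONLY)
    print(json.dumps(p, indent=2))  # feed this file to `gcloud projects set-iam-policy`
```

Because the functions never mutate the input and keep the `etag`, the output can be written to a file and applied with `gcloud projects set-iam-policy myproject policy.json`; a stale etag makes IAM reject the write, which protects against clobbering a concurrent change.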
I have one person (a) who is in charge of administrating our Windows instances on Google Cloud and another person manages our Ubuntu instances. I want to allow the first person to have permission to start, stop, reset, change metadata / instance-size and login as admin on the Windows instances, but I don't want them to have access to perform those actions on any of the Ubuntu instances. All of the instances are part of the same project.
Is there any way to grant such permissions at an instance-level, without granting them for all instances in the project?
Google Compute Engine supports specifying the service account to use for the instance.
I recommend creating a new service account, assigning the Project Editor role and then assign that service account to instances that require this level of permission.
I do not recommend using Compute Engine Scopes to control permissions. Specify the desired roles for the service account, assign the service account to Compute Engine and specify "Allow full access to all Cloud APIs". The actual permissions will be controlled by the service account roles. Scopes are too granular in some cases.
I wrote an article that dives deeper into Compute Engine service accounts.
Google Cloud – Compute Engine Service Accounts
GCP allows one to provide fine-grained permissions on Compute Engine instances. This appears to be well documented in the documentation found at:
Granting access to Compute Engine resources
At the highest level, we can assign permissions either through Cloud Console or through the gcloud command.
I was having trouble finding a way to do this because it is not available from the "IAM" section on Google Cloud. However, you can assign instance-specific roles and permissions from the Compute Engine - VM Instances page:
Go to the Compute Engine VM Instances page: https://console.cloud.google.com/compute/instances
Click the checkbox beside the instance(s) to which you want to assign instance-specific roles.
Click on "Show Info Panel".
On the "Info Panel" on the right side of the screen under "Permissions" click "Add Members".
Select the members / roles you want to assign and click "Save".
The default service account does not have access to Cloud SQL and has only read-only access to Storage.
I tried adding the Cloud SQL Admin and Storage Admin permissions to the default service account but that does not seem to work.
I know it can be solved by using another service account that have these permission and using that when creating compute instance.
I am just curious to know why updating the permissions of the default Compute Engine service account does not work?
It seems that updating the permissions on the Compute Engine default service account is not enough to set the correct level of access you are trying to give to your Compute Engine instance, since, as described here:
When you set up an instance to run as a service account, the level of access the service account has is determined by the combination of access scopes granted to the instance and IAM roles granted to the service account.
From my understanding you are only granting IAM roles to the service account, so, in order to give the desired access level, you should also update the Access scopes for your Compute Engine instance.
When you create a new Compute Engine instance, under Access scopes, "Allow default access" is selected by default, as you can see here: New instance. This default access has Cloud SQL access disabled and Cloud Storage access as read-only.
You can refer to this documentation which explains how to change the access scopes for a Compute Engine instance:
To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.
Once you stop your instance, you can change the Access scopes to either "Set access for each API" or to "Allow full access to all Cloud APIs".
If you choose to set access for each API, you will have to search for "Cloud SQL" and then select "Enabled", and also for "Storage" and select the desired option (Read Only, Write Only, Read Write, Full).
For more information on Access Scopes please refer to this doc and for more information on running Compute Engine instances as service account (including the default service account) please see this doc.
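The rule quoted in this answer (effective access is the combination of the instance's access scopes and the service account's IAM roles) is easy to check before stopping a VM. The script below is an added example, not code from the answer or from Google: it reads the `serviceAccounts[].scopes` field of a constructed `gcloud compute instances describe --format=json` document and reports whether a given operation is blocked by the scope, by the role, or both. The scope and role mapping covers only the two services discussed here and is a simplification I am assuming for illustration.

```python
# Scope that covers every Google API; any instance with it passes the scope check.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Per operation: (scopes that permit it, IAM roles that permit it).
# Simplified mapping assumed for this example; only Cloud SQL and Storage are covered.
REQUIREMENTS = {
    "cloudsql.connect": (
        {"https://www.googleapis.com/auth/sqlservice.admin"},
        {"roles/cloudsql.client", "roles/cloudsql.editor", "roles/cloudsql.admin",
         "roles/editor", "roles/owner"},
    ),
    "storage.write": (
        {"https://www.googleapis.com/auth/devstorage.read_write",
         "https://www.googleapis.com/auth/devstorage.full_control"},
        {"roles/storage.objectCreator", "roles/storage.objectAdmin", "roles/storage.admin",
         "roles/editor", "roles/owner"},
    ),
}

# Scopes an instance receives with "Allow default access" in the console.
DEFAULT_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append",
}

# Constructed fragment of `gcloud compute instances describe instance-1 --format=json`;
# the project number in the default service account email is made up.
SAMPLE_INSTANCE = {
    "name": "instance-1",
    "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": sorted(DEFAULT_SCOPES)}
    ],
}


def instance_scopes(instance):
    """Union of scopes granted to the instance's service account(s)."""
    return {s for sa in instance.get("serviceAccounts", []) for s in sa.get("scopes", [])}


def diagnose(operation, scopes, roles):
    """Explain why `operation` would fail from the VM, or return "allowed".

    Both the scope (set on the instance) and the role (set in IAM) must pass;
    adding a role to the default service account changes only the second.
    """
    scopes_ok, roles_ok = REQUIREMENTS[operation]
    scope_pass = CLOUD_PLATFORM in scopes or bool(scopes_ok & set(scopes))
    role_pass = bool(roles_ok & set(roles))
    if scope_pass and role_pass:
        return "allowed"
    blockers = []
    if not scope_pass:
        blockers.append("scope")
    if not role_pass:
        blockers.append("role")
    return "blocked by " + " and ".join(blockers)


if __name__ == "__main__":
    # The questioner's situation: Editor plus Cloud SQL Admin on the default SA,
    # but the instance still runs with the default scopes.
    roles = {"roles/editor", "roles/cloudsql.admin", "roles/storage.admin"}
    for op in REQUIREMENTS:
        print(op, "->", diagnose(op, instance_scopes(SAMPLE_INSTANCE), roles))
```

For the constructed instance both operations come back "blocked by scope", which is the behaviour described in the question: the IAM roles are fine, and only stopping the instance and widening its access scopes (or using "Allow full access to all Cloud APIs" and relying on roles alone) changes the outcome.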
In the Cloud IAM Admin page you have to select your default service account by clicking the pencil icon to the right; then a sidebar will pop up, where you can assign the following roles: Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Viewer. Its default role is Editor.
We're trying to give a google cloud platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default editor permission for the project it exists on. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the 'IAM & Admin > Service accounts' tab).