I am trying to login to the APP publisher after creating a user and assigning the internal/Publisher role to it, but every time it gives me the error as
No Privileges to login. You do not have the permission to login to this application. Please contact your administrator and request permission.
The console error is
User does not have permission to access the publisher application.Make sure the user has the publisher role.
If the user has the internal/publisher role assigned, logging in should be possible.
Can you please mention the exact steps you are executing and any other changes made to configurations.
However there is a known issue [1] where we can't use a new role with permission identical to that of the internal/publisher role.
If you are trying to use such a newly created role, you can try the workaround mentioned in [1]
[1] https://wso2.org/jira/browse/APPM-796
Related
My permissions at the organization level are
Billing Account Administrator
Billing Account Creator
Billing Account Viewer
Folder Creator
Organization Policy Administrator
Organization Viewer
Owner
Project Billing Manager
Project Creator
Project IAM Admin
Project Mover
Security Admin
Service Account Token Creator
Service Usage Admin Viewer
I'm trying to redeploy a project in Terraform that builds cloud build and a terraform service account and set some IAM roles. I'm still doing the initial deployment of these resources locally, so I'm pretty sure the permissions to do this fall on me? What could I possibly need to stop getting the error: Error updating project "______": googleapi: Error 403: The caller does not have permission, forbidden on my google_project resource.
It honestly doesn't make sense at this point because I feel like I'm absolutely overloaded and still getting this error.
How should I know my account has proper permissions to run, I usually go to reference to check my permission. In this case, I would go to Method: projects.builds.create try that method, and see what response will show.
Also, check out IAM roles and permissions, you may use predefined Cloud Build roles of Cloud Build Editor in specific project.
I need to set stackdriver console view permission for set of user.
Currently I have assigned them
roles/logging.viewer
role. But they cannot access the gcp console to view the stackdriver log.
For now I have given them project viewer role to access the log in gcp console.
Can this be done in some other way.
According to the documentation and as mentioned by #pradeep above, the role with the title: “Logs Viewer” if given to a user, the user is indeed granted the permissions to view the Stackdriver Logs in the GCP Logging Console View. You may verify this, as per documentation, in order to view (minimal read-only access) the Stackdriver Logs in the GCP Console, the following permissions are necessary:
logging.logEntries.list
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
resourcemanager.projects.get
, which are included in the aforementioned role.
I reproduced your case by visiting the “IAM & admin” section in my GCP Console. I added a new member of a gmail account. In the picture below, you may see the available options when adding a new member:
While selecting a role, I typed “log” in the “Type to filter” search field and added the role “Logs Viewer”, as you can see below:
The user with the corresponding email, which I had just added, was able to view the logs in the console by selecting the corresponding project.
Additionally, Google Groups are a convenient way to apply an access policy to a collection of users. My example though was examining one user with a gmail account.
Some additional information that you might find useful:
During my investigation, I figured out that users with the “Logs Viewer” role, will not be able to view the logs using "gcloud logging logs list" command, instead they will receive an error indicating that a permission is missing from the role. The permission needed in order to run the "gcloud logging logs list" command which is "serviceusage.services.usage" permission which is used by "Editor" and project "Owner" role and other roles. I understand this is not your issue, but I mention this as well just in case you encounter it.
There is a Public Issue Tracker about this matter to include the permission “serviceusage.services.use” in role roles/logging.viewer by default so you will not have to do it manually in the future. For now you will need to include the permission manually.
As i am not sure why your users can not view the Logs in the console, since my reproduction was successful, could you please attach a screenshot of the issue and further elaborate on the description of your question?
(for example:
describe the steps of how you are granting the roles/logging.viewer
does your workaround (granting project viewer) allow the users to view the Logs via Console?
do the users or you receive an error while trying to view Logs when roles/logging.viewer was granted?
)
If you give a user roles/logging.viewer permission then they can only view StackDriver service, they cannot access other service for example Storage.
What error do you get when giving only roles/logging.viewer ? Can you attach screenshot as well?
I'd like to create some OAuth client IDs in the GCP but I do not have some permissions for that. I got a warning "You don't have permission to create an OAuth client"
I can simply add me to the role roles/owner and do it, but I'd like to have something like a minimal permission/role to create OAuth client IDs. What permissions/roles from this list should I use?
https://cloud.google.com/iam/docs/understanding-roles#service_account_roles
I tried roles/iam.serviceAccountTokenCreator but it doesn't work.
Besides having at least the Viewer role assigned in order to see the Google Cloud Platform project and navigate the Cloud Console the only relevant permission in order to create an OAuth client should be clientauthconfig.clients.create. But notice that besides creating them, the user would not have the ability to delete or update them.
My suggestion would be to create a custom role that have at least the following permissions:
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
And make sure that the users have at least the Viewer Role as well as this custom role assigned.
You can try to create a custom role which has permissions clientauthconfig.*
Note: As per https://cloud.google.com/iam/docs/custom-roles-permissions-support, these permissions are in testing phase so please try them out thorougly before putting in production.
Hope this helps.
my partner added me as a member in a GCP project, with computer engine Admin role, but i didn't receive any invitation email.
we have already checked in spam folder.
i tried also to acc
https://console.cloud.google.com/invitation?project=PROJECT_NAME&account=EMAIL&memberEmail=EMAIL
but it given me this error:
Search with the search bar for the invitation on your email but if you don't find it access the following link:
https://console.cloud.google.com/invitation?project=[your-project-id]&account=[the-account-email-invited]&memberEmail=[the-account-email-invited]
A workaround can be add as owner than change permission. (Not tested)
In my case the project was hidden under No organization > All.
I tested it on my end and I am experiencing the same issue. When granting a role to a user, the user will not receive an invitation email, unless he is granted a “Project Owner” role.
However, upon reading the GCP documentation [1], I do see that it's working as intended.
"To allow team members to access a project's resources and APIs, project owners can grant IAM roles to users. You can grant a role to a user using the GCP Console, the gcloud command-line tool, or the setIamPolicy() method. When you set a policy or add a binding to grant a role to a user, they won't receive an invite email. Instead, the user's access is updated directly." [1]
[1] https://cloud.google.com/iam/docs/granting-changing-revoking-access
I am adding test users to Identity Server. I can not login with them because I get an error in the logs that state
Your account is not active
How can I activate these dummy accounts?
Add a user and assign user role(s) (admin/everyone or custom defined role) to the created user. Give necessary Permissions to the user role.
Are you using standalone IS? Can you give exact steps to reproduce the issue.
Thanks
Thilini