Newest 'google-iam' Questions - Stack Overflow

Questions tagged [google-iam]

Cloud Identity and Access Management (Cloud IAM) enables you to create and manage permissions for Google Cloud Platform resources. Cloud IAM unifies access control for Cloud Platform services into a single system and presents a consistent set of operations.

3 votes, 1 answer, 21 views

BigQuery dataset access using Google Group for service account

I have a BigQuery dataset which I would like to share with a group of people using a Google Group. I added a Google Group as BigQuery Data Viewer and for personal accounts in that group this works ...

1 vote, 1 answer, 18 views

Getting a list of all project owners from GCP

I am trying to get a list of all GCP projects on the domain and the project owners and export it to a CSV so I can throw it into a google sheet. Getting a list is simple enough, but I can't find a way ...

0 votes, 0 answers, 13 views

Firebase: What are the minimum permissions that should be granted to deploy only?

With Firebase: What are the minimum roles/permissions that should be granted to allow someone to deploy only? I am not the owner of the organization, but I can create projects. I have gone through ...

0 votes, 1 answer, 26 views

Adding restrictions to Google API Key

I need to list/change the Google API key restriction by Google API or CI. I tried to add HTTP referrer restriction to Google API key by Node JS API or gcloud CI, but I only got to list the "service ...

0 votes, 0 answers, 34 views

How to get a valid access token for a GCP account?

I want to get a list of intents via the Dialogflow API. I send a GET request to this URL https://dialogflow.googleapis.com/v2/projects/my_project_id/agent/entityTypes. And for the Bearer token I use ...

2 votes, 1 answer, 33 views

Can GCP IAM be used to provide access control on users of my business application

I'm investigating different types of authorisation solutions that would provide ABAC style access control. I was wondering if GCP IAM can be used for that purpose, to provide custom business ...

0 votes, 0 answers, 38 views

Cloud Platform project and permissions, for Google Apps script bound to spreadsheet

I'm writing a Google Apps script that is "bound" to a Google spreadsheet (the script is accessed by selecting "Script editor" from the "Tools" menu in the spreadsheet). There are two Google accounts ...

0 votes, 1 answer, 39 views

To complete this transfer, you need the 'storage.buckets.setIamPolicy' permission for the source bucket

I am getting this error when trying to create a "transfer" to transfer the contents of one bucket in Google Cloud to another bucket in Google Cloud under the same owner: To complete this transfer, ...

0 votes, 1 answer, 26 views

Docker login to gcp using json credentials

I want to log into docker on google cloud from the command line in Windows using credentials in json format. Firstly, I generated the keys of the service accounts in google cloud IAM & Admin. ...

0 votes, 1 answer, 40 views

What is the best security practice when setting up Google Query?

I had some experience with AWS but am very new to Google Cloud Platform, especially Google BigQuery. I have read a lot of documentation, but felt a bit confused and overwhelmed by the amount of the ...

0 votes, 1 answer, 34 views

Getting Users API access in nodejs AppEngine environment with Identity Aware Proxy

I have a nodejs app deployed on AppEngine with IAP enabled, so right now access to its endpoints is protected against users outside of the project's IAM and I get the "x-goog-authenticated-user-id", "...

1 vote, 1 answer, 23 views

Connecting to Google API with Service Account and OAuth

I'm using an environment that doesn't have native support for a GCP client library. So I'm trying to figure out how to authenticate directly using manually crafted JWT token. I've adapted the tasks ...

0 votes, 2 answers, 69 views

Try Google API Buckets: testIamPermissions for a specific service account

I can use Buckets: testIamPermissions to test the permissions on a bucket for the logged in user. Is there a way in which I can test it for a service account? Any help will be appreciated. Thanks...

1 vote, 1 answer, 52 views

GCP PubSub not honoring inherited permissions

Some of my service accounts are getting 403 (user not authorized) errors trying to publish/subscribe to PubSub. It appears it's not honoring "Inherited" permissions from Project level IAM. I have ...

2 votes, 0 answers, 73 views

Find out last activity of Service Account Key in GCP IAM

Is it possible to know the last activity of service account's key in GCP IAM, similar to AWS IAM's GetAccessKeyLastUsed? I was avoiding the option of monitoring the activity from GCP Stackdriver.

1 vote, 1 answer, 76 views

GCP Cloud Build fails with permissions error even though correct role is granted

I set up a Cloud Build Trigger in my GCP project in order to deploy a Cloud Function from a Cloud Source Repository via a .yaml file. Everything seems to have been set up correctly and permissions ...

0 votes, 0 answers, 27 views

Error in automating deployment of application using gae and deployment manager

I have created a deployment manager template in jinja and yaml with the same structure that you can find here. I have added my own configurations to the jinja file and when I try to deploy the yaml ...

0 votes, 1 answer, 21 views

Prevent users from downloading logs in Stackdriver Log viewer

I need to give developers access to our production logs in Stackdriver but I'd like to restrict their ability to export/download the data. After reviewing the docs it appears anybody who has view ...

0 votes, 1 answer, 13 views

Change User-Agent for Google IAM in Java

Is it possible to change user-agent information for API calls to Google IAM when we instantiate it? My code is like this: public static Iam initIam() throws IOException, GeneralSecurityException {...

0 votes, 0 answers, 18 views

How do you programmatically add members to a single Google IAP access list?

I have 2 terraformed/k8s-yaml services that have IAP enabled. In order to maintain the member access list between infra refreshes (when the load balancers get destroyed and so the access list gets ...

0 votes, 0 answers, 53 views

Which permissions do I need to create projects in GCP folders?

I have a Google Cloud organisation set up. In it I have 5 folders, within each of them I have some sub-folders and some projects. When I try to create another project at either the org level or ...

0 votes, 1 answer, 114 views

GenerateAccessToken by services account

I need to make a REST call to access an account in Google business, but I don't have an access_token. I just have the JSON of the service account. My trouble is the following: how can I generate an access token ...

0 votes, 0 answers, 20 views

Google Cloud Breakglass Role

I need to create a role for highly privileged access that can be provisioned rapidly and deprovisioned after x amount of time. My initial thought was to use the following to accomplish this: Have ...

0 votes, 1 answer, 20 views

How do I make my GAE app publicly accessible?

I've got a GAE app that runs a publicly hosted dataset through a model via Flask, displaying the results. I successfully deployed it, and I can access & use it from the account that deployed it, ...

0 votes, 1 answer, 38 views

What is the role which allows to use GCP APIs (such as Drive, Sheets, etc)?

I want to use Drive & Sheets API from Python3. I tried to create a service account in GCP console, but it said You already have credentials that are suitable for this purpose, without telling me ...

1 vote, 1 answer, 94 views

How to restore permission when I am the admin of the project?

After mistakenly adding myself to a wrong role, I am no longer able to access "IAM & admin". While trying to extract Big Query tables to Google Storage, I received the following error, bq ...

0 votes, 1 answer, 13 views

How to give different IAM permission per realtime database on firebase?

Currently, we have an application in production using firebase. We have a project per environment: develop and production. I have seen that we can create multiple databases and we can have multiple ...

0 votes, 2 answers, 91 views

Google Cloud BigQuery Admin service account gets “does not have bigquery.jobs.create permission”

I'm new to Google Cloud & BigQuery. I reviewed the dozen other questions that seem to be related and have not seen what I'm missing from those answers. I'm trying to query a public dataset. The ...

0 votes, 1 answer, 37 views

Is there a way to use your current credentials to assume a service account instead of having to use the json key?

My personal account is an admin in my gcp project. If I want to use one of the service accounts I have created (from my local laptop) I do this: gcloud auth activate-service-account --key-file=some-...

0 votes, 2 answers, 60 views

How do permissions in a GCloud IAM role get implemented in a kubernetes cluster?

I am running a Kubernetes application on GKE. In the GCP IAM console, I can see several built-in roles, e.g. Kubernetes Engine Admin. Each role has an ID and permissions associated with it— for ...

0 votes, 0 answers, 36 views

GCP Cloud SQL + Cloud Function security

I'm trying to automate deployment of GCP cloud sql and cloud functions deployment. Using nodejs sdk and pure REST. In order to let a cloud function access the Cloud SQL database I had to add an IAM ...

0 votes, 1 answer, 77 views

Can't figure out OS Login IAM permissions

Can someone please help me understand which IAM permission I am still missing? I'm trying to enable OS Login on a single Compute VM, and have added enable-oslogin: TRUE. When I SSH through the UI, I ...

1 vote, 1 answer, 37 views

Give object-based permissions in GCP IAM

Use case: I have a GCP setup with: multiple Google Kubernetes Engine clusters, multiple CloudSQL instances, multiple GCS buckets. Basically, I'd like to give permissions to users with finer ...

0 votes, 1 answer, 29 views

Vault GCP Project Level Role Binding

I am trying to apply the role binding below to grant the Storage Admin Role to a GCP roleset in Vault. resource "//cloudresourcemanager.googleapis.com/projects/{project_id_number}" { roles = [ ...

11 votes, 2 answers, 470 views

Kubernetes pods can't pull images from container registry (gcp)

I want to update my deployment on kubernetes with a new image which exists on 'eu.gcr.io' (same project), I have done this before. But now the pods fail to pull the image because they are not ...

0 votes, 1 answer, 52 views

Unable to create key file for iam account GCP using gcloud

I am trying to create a key file for a service account on GCP with gcloud gcloud iam service-accounts keys create ~/.config/gcloud/key.json \ --iam-account terraform@$myproject.iam.gserviceaccount....

0 votes, 1 answer, 40 views

Restrict gcloud service account to specific bucket

I have 2 buckets, prod and staging, and I have a service account. I want to restrict this account to only have access to the staging bucket. Now I saw on https://cloud.google.com/iam/docs/conditions-...

0 votes, 2 answers, 38 views

Is it possible to inherit the “owner” role in GCP IAM?

Situation: I have a project which belongs to a GCP organization. User A is "Organization Administrator" and (Project) "Owner" at organization level. Problem: As expected, the user A is listed in the ...

0 votes, 0 answers, 9 views

Issue to Authenticate Cloud Google Vision API

While generating the key.json I am getting an error. I am executing the below command: gcloud iam service-accounts keys create ~/key.json --iam-account my-vision-sa@${GOOGLE_CLOUD_PROJECT}.iam....

2 votes, 0 answers, 54 views

What is the Credential Implementation needed to Revoke refresh tokens using the Firebase Admin SDK

Question: What is the Credential Implementation needed to Revoke refresh tokens using the Firebase Admin SDK? Scenario: I have a cloud function that executes the following code: CloudFunctionCode: ...

0 votes, 0 answers, 76 views

Workflow failed. Causes: There was a problem refreshing your credentials

I have a problem with dataflow, I need to execute a job and I get the following error: Workflow failed. Causes: There was a problem refreshing your credentials. Please check: 1. Dataflow API is ...

1 vote, 1 answer, 42 views

Google Cloud Storage: With “Bucket Policy Only”, how do I make objects public but prevent listing?

I just tried the new "Bucket Policy Only" setting in a preexisting test bucket. I want to be able to anonymously download objects by URL, but prevent the public from listing objects in the bucket. If ...

1 vote, 1 answer, 75 views

Authenticate Kubectl using Google IAM service account

I have got a Google Cloud IAM service account key file (in json format) that contains below data. { "type": "service_account", "project_id": "****", "private_key_id":"****", "private_key": "-----...

0 votes, 2 answers, 236 views

What service account is my GKE cluster using to access GCR

I have several Google Kubernetes Engine clusters under one GCP project. I'm trying to understand which service account GKE is using in order to create pods, and specifically, I was facing some ...

0 votes, 2 answers, 126 views

What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform

According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources. Does this mean that with the ...

0 votes, 0 answers, 126 views

How to assign roles to a service account using deployment manager

Had some trouble creating a service account and assigning roles to it. Initially I based my code on this example; however, I couldn't get it to work because while it does create the service account it ...

0 votes, 1 answer, 57 views

API must be enabled for service account project

We have an issue with a service account 'defaulting' to the project where it was created when enabling APIs before creating resources. The SA was created under project A but it has Owner rights for ...

0 votes, 1 answer, 30 views

Managing GCP quotas through an API

Is there any way to manage API / Service quotas (https://console.cloud.google.com/iam-admin/quotas) through an API?

0 votes, 1 answer, 124 views

Sign Google Cloud Storage URLs with Google Compute Engine default service account

I'm trying to sign GCS URLs with the GCE default service account. I gave the compute default service account the necessary "Service Account Token Creator" role. When I try to sign a url in the ...

1 vote, 1 answer, 172 views

GCP IAM - Policy inheritance/precedence

According to the documentation which says Child policies cannot restrict access granted at a higher level. For example, if you grant the Editor role to a user for a project, and grant the ...