The new Firebase cross-service Security Rules that help validate Firestore docs mentioned in https://firebase.blog/posts/2022/09/announcing-cross-service-security-rules seem great but I am not able to get the Rules console to ask for the permission. There is no error in building the Rules page, but there is an error because of insufficient permission any time I use the firestore.get() feature in the rules when fetching the images. Additionally, my IAM page does not have the correct role listed in https://firebase.google.com/docs/rules/manage-deploy#manage_permissions_for_cross-service and I am not able to find the Role "Firebase Rules Firestore Service Agent" to add it manually.
Anyone run into this yet?
From rules in Firebase storage console
match /projects/{projectId} {
allow read: if true;
allow write: if firestore.get(/databases/(default)/documents/projects/$(projectId)).data.owner == request.auth.uid
}
From Google Cloud IAM
Firebaser here
There was an issue with the rollout of this feature in the Firebase console that we've just fixed (thanks for catching this!) Please try deploying your Rules again -- you should be prompted to configure the project as expected.
For anyone else experiencing issues, the notes in the comments on the question do apply -- you can deploy cross-service rules from the CLI as well.
Related
I'm trying to configure Grafana to authenticate using Github, but only for members of a certain team. I've configured the documentation, but Github returns an empty list when Grafana tries to fetch the users teams.
logger=oauth.github t=2022-05-22T13:23:16.6+0000 lvl=dbug msg="HTTP GET" url="https://api.github.com/user/teams?per_page=100" status="200 OK" response_body=[]
I've configured Grafana to use the user:email,read:org scopes according to the documentation.
I figured I might have to add some permissions to the GitHub app I created, but I can't find any permission that grants access to the user/teams endpoint requested by Grafana.
What am I missing?
Just figured it out...
I had created a GitHub App, not a GitHub OAuth App.
The devil is in the details
I implemented the Huawei's Cloud DB and Auth Service into my project. After i create my Cloud DB Zone and Object Types i tried to use the executeUpsert() function of Cloud DB. But i got an error message that says "Permission Denied". Program executes all database operations after user authenticated. And authenticated users has permission to update the table. I don't know how to solve this permission problem. Does anyone have opinion?
Error Message;
I talked to some employees who are authorized in Huawei's Cloud DB and they helped me to find the cause of the problem. When i was getting the error, as you see in the screenshot below, the instance when user gets authentication and the instance when i initialize the AGConnectCloudDB were different.
after i defined the instance object globally and use the same instance when i am getting the auth and also initializing the AGConnectCloudDB object as you see in the below picture, the problem is solved!
Even though you implemented Huawei's Cloud DB and Auth Service into your project, there are still cases that can cause the “permission denied” error. https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-Guides/agc-clouddb-error-code-0000001117436042
Please check the following areas in your project to rule out the causes.
If in the log, you see auth error as well, please check:
If the above are all cleared out and the issue is still there, please provide more details for further troubleshooting.
I'm trying to use terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster module of version "~> 7.3" to create a cluster in region europe-west2. But I keep getting error:
Error: googleapi: Error 403: Google Compute Engine: Required 'compute.regions.get'
permission for 'projects/***/regions/europe-west2'., forbidden
The weird thing is that I'm trying to do that using user with Editor role. So, it should have permission to read region. I tried to add more roles for the user (made it all kind of admins), but the result is still the same.
Could you please advice, where can be my mistake?
Please check if your [id]#cloudservices.gserviceaccount.com service account has the editor role.
List all service accounts with gcloud projects get-iam-policy [project-id] command and look for the account. it should look similar to this:
- members:
- serviceAccount:67993345594-compute#developer.gserviceaccount.com
- serviceAccount:679934532594#cloudservices.gserviceaccount.com
- serviceAccount:service-674567382594#containerregistry.iam.gserviceaccount.com
- serviceAccount:test2-468#asdf.iam.gserviceaccount.com
- serviceAccount:asdf#appspot.gserviceaccount.com
role: roles/editor
Second from the top is the account you're looking for and the bottom line says "roles/editor" which is the correct situation.
If this account doesn't have this role you can grant it using command:
gcloud projects add-iam-policy-binding [project] /
--member serviceAccount:[id]#cloudservices.gserviceaccount.com --role roles/editor
It's all described in the documentation.
Very similar issues were discussed on StackOverflow here and here.
I managed to solve that problem. It appeared that my provisioner dropped some roles, which are required for GKE to work properly. In particular,
serviceAccount:service-${project-number}#compute-system.iam.gserviceaccount.com must be roles/compute.serviceAgent.
serviceAccount:service-${project-number}#container-engine-robot.iam.gserviceaccount.com must be roles/compute.serviceAgent.
To find that I disabled Kubernetes engine service and enabled it back and google cloud automatically recovered required roles for that service accounts.
I had the same problem after switching account in gcloud.
I solve it by running
gcloud auth application-default login
It sets application default credentials for Packer/Terraform to call Google APIs.
source: https://cloud.google.com/sdk/gcloud/reference/auth/application-default
I implemented a few tasks with BashOperator. Ones with "gsutil rm" and "gsutil cp" worked fine. But one with "gcloud alpha firestore export" generates this error:
{bash_operator.py:101} INFO - ERROR: (gcloud.alpha.firestore.export) PERMISSION_DENIED: The caller does not have permission
This command itself works fine in gcloud shell. I tried to give some Firestore related permissions to the service account used by the Composer but it still doesn't work. Any idea
It might be that you don't have permissions for a particular project.
The error I was getting was: PERMISSION_DENIED: Caller does not have required permission to use project project:random-id-11111.
The way I resolved it was by running gcloud config set project 'the-right-project-id' and then the actual gcloud command.
I think you need Cloud Datastore Import Export access. Following are the steps as per current Current Google Cloud platform layout.
https://console.cloud.google.com > Left drawer > IAM & admin > Against user - Edit Icon > Add another role > Data Store > Cloud Datastore Import & Export > Save
Try creating a new service account with the Firestore-related permissions needed and using that on a freshly created environment. https://cloud.google.com/composer/docs/how-to/access-control
Other debugging ideas: * Try ssh-ing into the Kubernetes workers on your Composer environment and running the command. *Is the Firestore API enabled on your project?
Open https://console.cloud.google.com/iam-admin/iam
Find the service account you're using for the backups
Add the Owner role to the service account
It's not really intuitive or logic because there are not permissions or roles for Firestore.
Unfortunately it took me way to long to figure it out. I hope it helps others!
Similar to Roy's answer, the issue for me was that gcloud was set to a different project.
check which project it is set to
gcloud config list
list which projects you have access to
gcloud projects list
set the correct project
gcloud config set project 'foo-project'
Grant firebase admin role to the default service account that your service is using.
Adding Owner role to the service account seems too much privilege for just taking backup.
In IAM & Admin make sure your #appspot.gserviceaccount.com must have access for 3 things:
Cloud Functions Admin
Cloud Datastore Import Export Admin
Storage Admin
you need to set your project first where you are owner
gcloud config set project project-id
You can find your project id by clicking on gcloud console it will be there in popup in project-name-somerandomnumbers
I got caught out on this today. The issue was that I had set up my service account correctly in the IAM settings, but hadn't realised an invitation had been sent to that email address which I needed to accept. Worked immediately once I accepted the invite.
I have been trying to create a Kubernetes Cluster with my Bluemix account owner but always getting the following error upon creation:
IBM Cloud Infrastructure exception: Your account is currently prohibited from order 'Computing Instances'.
Any idea what the issue is? There seems to be no direct way to getting support from Public Bluemix to address this issue. We opened a ticket but it has not been addressed.
You should contact IBM Bluemix Support for this kind of question. Before you login to the Bluemix Console, there is a Support link.
From the look of the exception. It seen like you are trying to create a "second" kubernetes cluster. If this is what you are trying to do, you will need a SoftLayer account; or your ID in your SoftLayer account is not setup properly.
You need admin rights to create clusters in Bluemix. Just makes sure that you get the admin status and it should work for you. The normal permissions granted to you are that of an user. Hope this helps