I am trying to get list of all the IAM users having access to a particular bucket with the below command:
gsutil iam get gs://<bucket_name>
I am getting output with only legacy roles:
{
"bindings": [
{
"members": [
"projectEditor:PROJECT_ID",
"projectOwner:PROJECT_ID"
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:PROJECT_ID"
],
"role": "roles/storage.legacyBucketReader"
},
{
"members": [
"projectEditor:PROJECT_ID",
"projectOwner:PROJECT_ID"
],
"role": "roles/storage.legacyObjectOwner"
},
{
"members": [
"projectViewer:PROJECT_ID"
],
"role": "roles/storage.legacyObjectReader"
}
],
"etag": "CAE="
}
However, I do have additional users and service accounts that have access to this bucket. How do I get list of all the users and service accounts having access to the bucket?
P.S: All the permissions over the bucket to different users are provided through IAM only.
Looks like policy analyzer tool provides the required information.
https://cloud.google.com/asset-inventory/docs/analyzing-iam-policy
Code sample: https://github.com/googleapis/python-asset/blob/dd28cb0dd897d9386c45a4ec4d4ce8090d986052/samples/snippets/quickstart_analyzeiampolicy.py
However, the question is why
gsutil iam get gs://BUCKET
is not returning all the roles and members that have access to bucket? Is there any additional flag or configuration that needs to be passed to the above command.
Related
I'm having a problem when assigning already existing realm roles when creating a user.
Following the documentation when creating a new user POST /{realm}/users, in the body parameter using the UserRepresentation, we have field called realmRoles which is optional.
I already tried to assign in the follow Schemas:
[
{
"id": "123asd-3223r-wer23rwer-werwer",
"name": "name-of-role-1"
},
{
"id": "23wedf-wefwcs-dfsdf-sdf",
"name": "name-of-role-2"
}
]
[
{
"id": "123asd-3223r-wer23rwer-werwer",
},
{
"id": "23wedf-wefwcs-dfsdf-sdf",
}
]
[ "123asd-3223r-wer23rwer-werwer","23wedf-wefwcs-dfsdf-sdf"]
[ "name-of-role-1","name-of-role-2"]
No of the above work. Either they are ignore, or I get an unknown error.
You needs to use user's role mapping API instead of user API
POST {keycloak URL}/admin/realms/{my_realm}/users/{user-id}/role-mappings/realm
body of POST
[
{
"id": {realm_role_id},
"name": {realm_role_name},
"composite": false,
"clientRole": false,
"containerId": {my_realm_id}
}
]
Detail information is official Admin API at Add realm-level role mappings to the user section.
Demo by Postman
1 Get master access token, assign token environment variable
here is more detail how to get master token
2 Get Users list by #1 token
3 Get user with #2 {user id}
4 Get Realm ID with #1 token
5 Get realm's roles list
6 Set user's realm role mapping with #5's realm role
In the body, use array format - it means can assign with multiple realm roles
POST URL
http://localhost:8180/auth/admin/realms/test/users/f3d78ca2-7bab-4aed-b1a4-8b98bf1be000/role-mappings/realm
containerId is #4's {realm_id}
id is #5 {role_id}
[
{
"id": "b73643c4-5375-4f9d-b6d5-65dc7c719c68",
"name": "name-of-role-2",
"composite": false,
"clientRole": false,
"containerId": "a6d347b4-3fe8-4410-bda6-54dbf8e50903"
}
]
Return status should be 204 No Content.
If not, something thing wrong.
Finally, you can confirm that realm role assigned result.
If you want to confirm by API
GET API
http://localhost:8180/auth/admin/realms/test/users/f3d78ca2-7bab-4aed-b1a4-8b98bf1be000/role-mappings/realm
So, the default is that my logged user from the access token is whom has admin permissions but I don't know how to make any member an admin.
This is the body that I'm using from the documentation.
{
"name": "Test Group",
"welcomeMessage": "Welcome to group created programmatically",
"members": [
"{{mobile-number-3}}"
],
"memberUserIds": [
"{{loggedin-user-id}}"
],
"groupType": "Group",
"GroupPhoto": "",
"BackgroundPhoto": "",
"ShortDescriptionString": "Short description",
"LongDescriptionString": "Long description"
}
Even though there is no documentation of it, a simple PUT on endpoint https://{endpoint-url}/v1/groups/{group-id}/{member-id} with a JSON payload of { "role": "Admin" } works for me
You can also use the following API with JSON payload of { "role": "Admin" }.
{{endpoint-url}}/v1/groups/{{group-id}}/members/{{member-id}}
The "members" keyword is important here and it worked for me like this. Also, you can grant admin permissions only for group members. Otherwise, you will get an error from API.
I'm using App ID and I follow this tuts https://cloud.ibm.com/docs/services/appid?topic=appid-tutorial-roles for my personal project.
I tried to call API {{APPID_MANAGEMENT_SERVER_HOST}}/management/v4/{{APPID_TENANT_ID}}/users with body:
"idp": "cloud_directory",
"idp-identity": "huynhdn#gmail.com",
"profile": {
"attributes": {
"role": "MANAGER"
}
}
}
I get Future User in User Profiles! => OK
Next, I call {{APPID_MANAGEMENT_SERVER_HOST}}/management/v4/{{APPID_TENANT_ID}}/cloud_directory/Users to set password for this user.
"displayName": "Test User",
"password": "abcd1234",
"emails": [
{
"value": "huynhdn#gmail.com",
"primary": true
}
]
}
Finally, I call {{APPID_AUTH_SERVER_HOST}}/oauth/v4/{{APPID_TENANT_ID}}/token to get token with user created above! But when i check in app id, attribute "role" is gone :(
WHY? or Anyone can help me another way to create user has "username", "password", "attribute" with API management!
The doc page you're referencing above states that in order to get future user attribute the user must validate ownership over email. You can either do it through standard means, or manually specifying status:confirmed when creating your CLoud Dir user, e.g.
{
"displayName": "John Smith",
"password": "p4ssw0rd",
"emails": [
{
"value": "john#example.com",
"primary": true
}
],
"status":"CONFIRMED"
}```
In my Actions on Google project, I save some data (like an uuivd userId) between conversations using conv.user.storage. With my own testing account, this works fine. On another testing account, the user.storage is cleared and the data is lost. The accounts have these differences:
A Google Home is connected to the account where user storage DOES works and voice match is set up, personal results is enabled.
NO Google Home is connected to the account where user storage DOESN'T work, no voice match is set up, personal results isn't an option since no device other than iPhone is connected. This account is used on smartphone (iPhone) only.
I know the user storage will be cleared when:
Voice match is set up and there is no match.
The user disabled personal data.
But this isn't the case for either accounts. I know the user is recognized as the same account because of the lastSeen and because the userId between conversations remains the same, as can be seen in the Conv object:
at the end of the conversation:
"user": {
"raw": {
"userStorage": "{\"data\":{\"userId\":\"f581e751-ad81-4a6b-9519-00a57d5e30d4\"}}",
"lastSeen": "2019-03-13T11:58:39Z",
"locale": "nl-NL",
"userId": "ABwppHEOonglGmWakeizd_Stx_OpUhSNzx2K4JWETc73FW-KctZLM2vc4B7V6Fxk9OfL3RQ3n5jIgw"
},
"storage": {
"userId": "f581e751-ad81-4a6b-9519-00a57d5e30d4"
},
"_id": "ABwppHEOonglGmWakeizd_Stx_OpUhSNzx2K4JWETc73FW-KctZLM2vc4B7V6Fxk9OfL3RQ3n5jIgw",
"locale": "nl-NL",
"permissions": [],
"last": {
"seen": "2019-03-13T11:58:39.000Z"
},
"name": {},
"entitlements": [],
"access": {},
"profile": {}
},
at the beginning of a new conversation:
"user": {
"raw": {
"lastSeen": "2019-03-13T11:59:33Z",
"locale": "nl-NL",
"userId": "ABwppHEOonglGmWakeizd_Stx_OpUhSNzx2K4JWETc73FW-KctZLM2vc4B7V6Fxk9OfL3RQ3n5jIgw"
},
"storage": {},
"_id": "ABwppHEOonglGmWakeizd_Stx_OpUhSNzx2K4JWETc73FW-KctZLM2vc4B7V6Fxk9OfL3RQ3n5jIgw",
"locale": "nl-NL",
"permissions": [],
"last": {
"seen": "2019-03-13T11:59:33.000Z"
},
"name": {},
"entitlements": [],
"access": {},
"profile": {}
},
Does anyone know any other reason why user.storage might be cleared other than the ones stated above, or another way without using account linking?
I think I figured it out. In https://myaccount.google.com/u/3/activitycontrols?utm_source=google-account&utm_medium=web I forgot to toggle the Chrome-history and activity option.
I have a workplace application,
I wish to change emailIds of the user via API,
I found that Account Management API
can be used to modify user details via API calls.
My use-case is to modify user email via the Account Management API, which comes under urn:scim:schemas:core:1.0 schema extension,
I wish to overwrite the existing email with the one I would specify in the requestBody,
From the documentation, I've come up with the following request -
Url endpoint -
https://someCompanyName.facebook.com/scim/v1/Users/ HTTP/1.1
Method type -
POST
Request body-
{
"schemas": [
"urn:scim:schemas:core:1.0",
"urn:scim:schemas:extension:facebook:auth_method:1.0"
],
"userName": "abc",
"name": {
"formatted": "Julius Caesar"
},
"emails": ["abc#gmail.com"],
"urn:scim:schemas:extension:facebook:auth_method:1.0": {
"auth_method": "password"
}
}
Is it correct? What modifications do I need to make to the request?
in order to change the emails of a user you have to do a PUT request to the address https://www.facebook.com/scim/v1/Users/{userId}
and you have to change in your payload the email address:
{
"schemas": [
"urn:scim:schemas:core:1.0",
"urn:scim:schemas:extension:facebook:auth_method:1.0"
],
"userName": "abc",
"name": {
"formatted": "Julius Caesar"
},
"emails": [
{
"primary": true,
"type": "work",
"value": "newemail#gmail.com"
}
],
"urn:scim:schemas:extension:facebook:auth_method:1.0": {
"auth_method": "password"
}
}
Hope it helps