I'm trying to follow these instructions, https://cloud.google.com/pubsub/docs/dead-letter-topics#assigning_the_publisher_role, to grant Pub/Sub permission to publish messages to a dead-letter queue, but I'm encountering a PERMISSION_DENIED error:
gcloud pubsub topics add-iam-policy-binding my-dead-letter-topic --member="serviceAccount:$PUBSUB_SERVICE_ACCOUNT" --role="roles/pubsub.publisher"
ERROR: (gcloud.pubsub.topics.add-iam-policy-binding) PERMISSION_DENIED: User not authorized to perform this action.
Helpfully, the Google Cloud console shows that I need the pubsub.topics.setIamPolicy permission:
My question is: how would I go about acquiring that permission? Would I have to be a project IAM admin (cf. You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy)?
Yes, exactly. You'll need to be assigned one of the roles that contains the resourcemanager.projects.setIamPolicy permission. As you pointed out, the answer to You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy outlines the different role options.
Project IAM Admin is recommended because it's the most specific role you can be granted to be able to set the IAM policy.
Related
In our existing customer portal using our own permission system, we can set an account "context" to an user with the permission to only able to action on any resources in certain accounts.
How do I do that in Keycloak?
I am a bit confused reading the roles, resources, policies and permissions, I tried reading this stackoverflow Resources, scopes, permissions and policies in keycloak but it doesn't seem to directly answer my question.
The installation of the NodeRED bluemix/IBM Cloud starter application fails with an IAM error message complaining about insufficient rights:
FAILED
Server error, status code: 502, error code: 10001, message: Service broker error: You do not have the required permission to create an instance. You must be assigned the IAM Editor role or higher. Contact the account owner to update your access.
Does anybody know how to fix this issue?
Looks like you don’t have proper IAM access permission. If you are the owner of the account, you can set the required permissions following the steps in this link .If you are not the owner ask the account owner for the permissions.
For best practices, refer this solution tutorial
The issue was actually related to the fact that the bluemix starter application tries to create a lite plan instance of cloudant. In my case, that was not possible because there already was such an instance and you are allowed only one per CF organization.
The solution was to patch the pipeline.yml to create a standard plan instance:
cf create-service cloudantNoSQLDB Standard "${CLOUDANT_NAME}"
I recently created a VM, but mistakenly gave the default service account Storage: Read Only permissions instead of the intended Read Write under "Identity & API access", so GCS write operations from the VM are now failing.
I realized my mistake, so following the advice in this answer, I stopped the VM, changed the scope to Read Write and started the VM. However, when I SSH in, I'm still getting 403 errors when trying to create buckets.
$ gsutil mb gs://some-random-bucket
Creating gs://some-random-bucket/...
AccessDeniedException: 403 Insufficient OAuth2 scope to perform this operation.
Acceptable scopes: https://www.googleapis.com/auth/cloud-platform
How can I fix this? I'm using the default service account, and don't have the IAM permissions to be able to create new ones.
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* (projectnum)-compute#developer.gserviceaccount.com
I will suggest you to try add the scope "cloud-platform" to the instance by running the gcloud command below
gcloud alpha compute instances set-scopes INSTANCE_NAME [--zone=ZONE]
[--scopes=[SCOPE,…] [--service-account=SERVICE_ACCOUNT
As a scopes put "https://www.googleapis.com/auth/cloud-platform" since it give Full access to all Google Cloud Platform resources.
Here is gcloud documentation
Try creating the Google Cloud Storage bucket with your user account.
Type gcloud auth login and access the link you are provided, once there, copy the code and paste it into the command line.
Then do gsutil mb gs://bucket-name.
The security model has 2 things at play, API Scopes and IAM permissions. Access is determined by the AND of them. So you need an acceptable scope and enough IAM privileges in order to do whatever action.
API Scopes are bound to the credentials. They are represented by a URL like, https://www.googleapis.com/auth/cloud-platform.
IAM permissions are bound to the identity. These are setup in the Cloud Console's IAM & admin > IAM section.
This means you can have 2 VMs with the default service account but both have different levels of access.
For simplicity you generally want to just set the IAM permissions and use the cloud-platform API auth scope.
To check if you have this setup go to the VM in cloud console and you'll see something like:
Cloud API access scopes
Allow full access to all Cloud APIs
When you SSH into the VM by default gcloud will be logged in as the service account on the VM. I'd discourage logging in as yourself otherwise you more or less break gcloud's configuration to read the default service account.
Once you have this setup you should be able to use gsutil properly.
I am admin for our AWS environment, and wanted to use PowerShell, but I get these errors whenever I try to do anything
Get-EC2Region : You are not authorized to perform this operation.
or
Get-CSDomain : User: arn:aws:iam::123456789012:user/Jane.Doe is not authorized to perform: cloudsearch:DescribeDomains on resource: arn:aws:cloudsearch:eu-west-1:123456789012:domain/*
In my personal AWS account, everything works fine. We had a look at our policies, and us four admins can all do everything using the webconsole.
I have regenerated my access keys just in case that might be it, but there was no change.
So I guess my questions is:Do we need to implement some CLI specific policies to allow access via PowerShell?
You need to make sure the user you are using the correct AWS user credentials and the correct IAM policy to allow the given user to do the operation.
There are no CLI specific policies to PowerShell. The user simply has not been granted those permissions.
A good test would be to grant the user ec2:* and cloudsearch:* and confirm. then you can tighten down the permissions, having confirmed that the user can be successfully given a more permissive set of permissions.
I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.