GCloud SDK failing to parse Policy File (JSON) - gcloud

Feel like I'm missing something obvious here but I can't spot it.
I'm trying to apply an IAM Policy using JSON however gcloud seems to always try and interpret the policy file as YAML.
I've tested this with a YAML equivalent and it works. The policy.json file I'm sure is correct, I used gcloud projects get-iam-policy ${proj} to create it.
As far as I can tell I've followed the documentation for this correctly, there doesn't seem to be an extra flag or option to supply for it to read the policy as JSON.
Command:
gcloud projects set-iam-policy ${proj} policy.json
Error:
ERROR: (gcloud.projects.set-iam-policy) Failed to parse YAML from [policy.json]: while scanning for the next token found character '\t' that cannot start any token
in "policy.json", line 3, column 1
GCloud SDK Version: 228.0.0

The get-iam-policy output is in YAML format by default. To ensure you have the correct output, try the following command:
gcloud projects get-iam-policy your-project --format=json >> policy.json
This will write the output formatted to JSON in a policy.json file.

Related

gcloud transfer jobs does not recognize my azure credentials file

Whenever I try to use the gcloud transfer cli to create a transfer job from an azure blob container to a google cloud storage bucket, I am being thrown the following error :
ERROR: gcloud crashed (ValueError): Source creds file must be JSON or INI format.
the file in the json path I fill in looks like this :
{"sasToken": "working_token"}
and I also tried this
{
"sasToken": "working_token"
}
As it's stated here but none of them actually works.
I also tried to put the content of the file in the --source-creds-file option but it says this is not a path to a file, which is true.
When using the console to create the same job, it just works, so has anyone got the cli to work? Any idea?
Thanks in advance

Error in Google Cloud Shell Commands while working on the lab (Securing Google Cloud with CFT Scorecard)

I am working in a GCP lab (Securing Google Cloud with CFT Scorecard). All instructions for the lab are given.
First I have to run the following two commands to set environment variables
export GOOGLE_PROJECT=$DEVSHELL_PROJECT_ID
export CAI_BUCKET_NAME=cai-$GOOGLE_PROJECT
In the second command given above I don't know what to replace with my own credentials? May be that is the reason I am getting error.
Now I have to enable the "cloudasset.googleapis.com" gcloud service. For this they gave the following command.
gcloud services enable cloudasset.googleapis.com \
--project $GOOGLE_PROJECT
Error for this is given in the screeshot attached herewith:
Error in the serviec enabling command
Next step is to clone the policy: The given command for that is:
git clone https://github.com/forseti-security/policy-library.git
After that they said: "You realize Policy Library enforces policies that are located in the policy-library/policies/constraints folder, in which case you can copy a sample policy from the samples directory into the constraints directory".
and gave this command:
cp policy-library/samples/storage_blacklist_public.yaml policy-library/policies/constraints/
On running this command I received this:
error on running the directory command
Finally they said "Create the bucket that will hold the data that Cloud Asset Inventory (CAI) will export" and gave the following command:
gsutil mb -l us-central1 -p $GOOGLE_PROJECT gs://$CAI_BUCKET_NAME
I am confused in where to replace my own credentials like in the place of project_Id I wrote my own project id.
Also I don't know these errors are ocurring. Kindly help me.
I'm unable to access the tutorial.
What happens if you run the following:
echo ${DEVSHELL_PROJECT_ID}
I suspect you'll get an empty result because I think this environment variable isn't actually set.
I think it should be:
echo ${DEVSHELL_GCLOUD_CONFIG}
Does that return a result?
If so, perhaps try using that variable instead:
export GOOGLE_PROJECT=${DEVSHELL_GCLOUD_CONFIG}
export CAI_BUCKET_NAME=cai-${GOOGLE_PROJECT}
It's not entirely clear to me why this tutorial is using this approach but, if the above works, it may get you further along.
We're you asked to create a Google Cloud Platform project?
As per the shared error, this seems to be because your env variable GOOGLE_PROJECT is not set. You can verify it by using echo $GOOGLE_PROJECT and seeing whether it returns the project ID or not. You could also use echo $DEVSHELL_PROJECT_ID. If that returns the project ID and the former doesn't, it means that you didn't export the variable as stated at the beginning.
If the problem is that GOOGLE_PROJECT doesn't have any value, there are different approaches on how to solve it.
Set the env variable as you explained at the beginning. Obviously this will only work if the variable DEVSHELL_PROJECT_ID is also set.
export GOOGLE_PROJECT=$DEVSHELL_PROJECT_ID
Manually set the project ID into that variable. This is far from ideal because in Qwiklabs they create a new temporal project on every lab, so this would've only worked if you were still on that project. The project ID can be seen on both of your shared screenshots.
export GOOGLE_PROJECT=qwiklabs-gcp-03-c6e1787dc09e
Avoid using the argument --project. According to the documentation, the aforementioned argument is optional and if none is used the command will take the one by default, which will be on the configuration settings. You can get the current project by using this:
gcloud config get-value project
If the previous command matches the project ID you want to use, you can simply issue the following command:
gcloud services enable cloudasset.googleapis.com
Notice that the project ID is not being explicitly mentioned using --project.
Regarding your issue with the GitHub file, I have checked the repository and the file storage_blacklist_public.yaml doesn't seem to be in the directory policy-library/samples. There seems to be a trace that it was once there, but it isn't anymore, they should probably update the lab as it isn't anymore.
About your credentials confusion, you don't have to use your own project ID, just the one given on your lab. If I recall properly all the needed data should be on the left side of the lab. Still, you shouldn't need to authenticate in a normal situation as you are already logged in your temporal project if you are accessing it form the Cloud Shell, which is where you should be doing all this.
Adding this for the later versions
in the gcloud shell you can set a temp variable for the current project id with
PROJECT_ID="$(gcloud config get-value project)"
then use like
--project ${PROJECT_ID}

Grant permissions to the service account error

Following step by step the example at,
https://cloud.google.com/text-to-speech/docs/reference/libraries#client-libraries-usage-python
on Step2, I get the following error.
D:\google-api-python\py>gcloud projects add-iam-policy-binding [my-project-for-tts] --member "serviceAccount:[tts-python-1]#[my-project-for-tts].iam.gserviceaccount.com" --role "roles/owner"
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.
What argument seems to be invalid here?
My intention is to use the Text-to-Speech services by loading a custom input text file and save the output in my local disk. I installed successfully google-sdk and python.
It seems like the square brackets are the invalid argument here. Using my own service account and running your command I get the same error, but removing the the [] runs fine.
If you remove the [] then the command will work fine.
As per the Google Documentation, you need = to provide member and role value. Your command should look like below:
gcloud projects add-iam-policy-binding my-project-for-tts --member='serviceAccount:tts-python-1#my-project-for-tts.iam.gserviceaccount.com' --role='roles/owner'
Also, make sure you are using the latest gcloud package.

gcloud command to check if project exists

Is there a command for this? I can do
gcloud projects describe my-project
...and check for an error. But that's not specific to not-found errors. I thought to check the exit code, and I do see that there are some different error codes:
$ gcloud projects describe some-nonexistent-project-foo; echo $?
130
$ gcloud projecx typo typo; echo $?
2
...but without any documentation, I don't want to trust that 130 specifically means not found. Could mean any server error for all I know.
So, is there any way to check for existence? Another command?
Ultimately I'm doing this because I want to create a project if it doesn't exist. So if there's another way to do that (again, without ignoring legitimate errors), then I don't care as much about checking for existence.
Try gcloud projects list to see all projects. To check for one project, do gcloud projects list --filter my-project. For a full list of other possible arguments and commands, see the documentation, which is very good.

Creating Kubernetes Endpoint in VSTS generates error

What setting up a new Kubernetes endpoint and clicking "Verify Connection" the error message:
"The Kubconfig does not contain user field. Please check the kubeconfig. " - is always displayed.
Have tried multiple ways of outputting the config file to no avail. I've also copy and pasted many sample config files from the web and all end up with the same issue. Anyone been successful in creating a new endpoint?
This is followed by TsuyoshiUshio/KubernetesTask issue 35
I try to reproduce, however, I can't do it.
I'm not sure, however, I can guess it might the mismatch of the version of the cluster/kubectl which you download by the download task/kubeconfig.
Workaround might be like this:
kubectl version in your local machine and check the current server/client version
specify the same version as the server on the download task. (by default it is 1.5.2)
See the log of your release pipeline which is fail, you can see which kubectl command has been executed, do the same thing on your local machine with fitting your local pc's environment.
The point is, before go to the VSTS, download the kubectl by yourself.
Then, put the kubeconfg on the default folder like ~/.kube/config or set environment variables KUBECONFIG to the binary.
Then execute kubectl get nodes and make sure if it works.
My kubeconfig is different format with yours. If you use AKS, az aks install-cli command and az aks get-credentials command.
Please refer https://learn.microsoft.com/en-us/azure/aks/kubernetes-walkthrough .
If it works locally, the config file must work on the VSTS task environment. (or this task or VSTS has a bug)
I had the same problem on VSTS.
Here is my workaround to get a Service Connection working (in my case to GCloud):
Switched Authentication to "Service Account"
Run the two commands told by the info icon next to the fields Token and Certificate: "Token to authenticate against Kubernetes.
Use the ‘kubectl get serviceaccounts -o yaml’ and ‘kubectl get secret
-o yaml’ commands to get the token."
kubectl get secret -o yaml > kubectl-secret.yaml
Search inside the the file kubectl-secret.yaml the values ca.crt and token
Enter the values inside VSTS to the required fields
The generated config I was using had a duplicate line, removing this corrected the issue for me.
users:
- name: cluster_stuff_here
- name: cluster_stuff_here