I have a service account in gcloud that i am using to create a new topic and subscription to that topic in that order.
However i need to be able to assign the newly created subscription to the service account explicitly. In the UI this is done by going to
Pubsub > Subscription > Selecting the subscription and then clicking on "Search member" > Adding the service account.
However I want to automate this using the gcloud command.
So far I have been able to :
1) Activate a service account serviceAccountA
2) Create Topic
3) Create subscription to the Topic
While trying to use the following command to set iam policy on the service account so as to give pubsub.editor role to the service account.
gcloud iam service-accounts set-iam-policy serviceAccountA <json> file path>
Json file content is as below:
{
"bindings": [
{
"role": "roles/pubsub.editor",
"members": ["serviceAccountA"]
}
]
}
The above gcloud command results in the error:
ERROR: (serviceAccountA PERMISSION_DENIED: Not allowed to get project settings for project <id>
I am missing something. Is there an easy way to associate the subscription with a specific service account?
I suspect the problem is that the service account you've activated doesn't have permissions to give itself permissions. Try setting this with a gcloud account that has edit permissions for the project. You can set the current account with gcloud auth login or gcloud config configurations activate <your_config>.
Related
I want to create a user via gcloud tools in terminal not using the user interface.
I can create a service account using gcloud tools like this: gcloud iam service-accounts create my-service-account --display-name="My Service Account" and give it permissions like this gcloud projects add-iam-policy-binding project-name --member="serviceAccount:my-service-account#project-name.iam.gserviceaccount.com" --role="roles/editor"
I can't find the way to do this for a user instead of a service account. The closest I could find was to run: gcloud projects add-iam-policy-binding my-project --member="user:person#gmail.com" --role="roles/editor" which results in the error ERROR: Policy modification failed because the user does not exist. If I create the user manually in the user interface then adding roles works.
How do I create the user via gcloud? This is what it looks like in the user interface..
Turns out gcloud projects add-iam-policy-binding my-project --member="user:person#gmail.com" --role="roles/editor" does 'add' the user.
Re: Kolban's comment. There might be a misunderstanding since I don't want to create a gmail user I just want to do the equivalent of adding them (+ADD button above) and type into the "new principals" textbox and add a role. Above code works.
The Add Button in the permissions pages (IAM) does not result in the creation of a new user (i.e. it does not ADD a user). Instead, what the add means is that we are adding permissions to the authority of the user. Clicking add allows us to name an existing identity and also the role we wish to add to the user.
The equivalent gcloud command would be gcloud projects add-iam-policy-binding that is currently documented in the GCP documentation here.
I have the following script I'd like to execute to create my service account and give it a Cloud Build Service Account role.
# create service account for github actions
gcloud iam service-accounts create github-actions --display-name="Github Actions"
# add iam permissions to github actions service account
gcloud iam service-accounts add-iam-policy-binding github-actions#project-id.iam.gserviceaccount.com --member='serviceAccount:github-actions#project-id.iam.gserviceaccount.com' --role='roles/cloudbuild.builds.builder'
The execution fails on the last command with
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/cloudbuild.builds.builder is not supported for this resource.
I don't know what that means or better said what I can do to solve that. I need that service account to have that role so I can start Cloud Build through my Github Actions pipeline with that service account.
This can be confusing. Service Accounts have a "dual nature". They can be treated as resources and identities just not at the same time. See Managing Service Accounts
You're attempting to grant a Service Account (github-actions#project-id.iam.gserviceaccount.com) an IAM binding. In this case, the Service Account is a resource. The binding you're attempting to make references the same Service Account (github-actions#project-id.iam.gserviceaccount.com), this time as an identity. This is not possible.
You possibly (!?) want to grant the binding (as it is) to the project (!) not the Service Account:
PROJECT=[[YOUR-PROJECT]]
ACCOUNT=github-actions
EMAIL="${ACCOUNT}#${PROJECT}.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ${PROJECT} \
--member="serviceAccount:${EMAIL}" \
--role='roles/cloudbuild.builds.builder'
But, please ensure that is your intent before issuing that command.
I want to create a service account on GCP using a python script calling the REST API and then give it specific roles - ideally some of these, such as roles/logging.logWriter.
First I make a request to create the account which works fine and I can see the account in Console/IAM.
Second I want to give it the role and this seems like the right method. However, it is not accepting roles/logging.logWriter, saying HttpError 400, "Role roles/logging.logWriter is not supported for this resource.">
Conversely, if I set the desired policy in console, then try the getIamPolicy method (using the gcloud tool), all I get back is response etag: ACAB, no mention of the actual role I set. Hence I think these roles refer to different things.
Any idea how to go about scripting a role/scope for a service account using the API?
You can grant permissions to a GCP service account in a GCP project without having to rewrite the entire project policy!
Use the gcloud projects add-iam-policy-binding ... command for that (docs).
For example, given the environment variables GCP_PROJECT_ID and GCP_SVC_ACC the following command grants all privileges in the container.admin role to the chosen service account:
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member=serviceAccount:${GCP_SVC_ACC} \
--role=roles/container.admin
To review what you've done:
$ gcloud projects get-iam-policy $GCP_PROJECT_ID \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:${GCP_SVC_ACC}"
Output:
ROLE
roles/container.admin
(or more roles, if those were granted before)
Notes:
The environment variable GCP_SVC_ACC is expected to contain the email notation for the service account.
Kudos to this answer for the nicely formatted readout.
You appear to be trying to set a role on the service account (as a resource). That's for setting who can use the service account.
If you want to give the service account (as an identity) a particular role on the project and its resources, see this method: https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy
I am trying to setup a Gcloud Auth Login for an account on a server that will cover all users.
i.e.
I login using an administrator account and issue the command..
e.g.
gcloud auth login auser#anemail.com
go through the steps required and when I issue the issue the Gcloud Auth List command I get the right result.
But other users cannot see it.
i.e. we use sap data services that use a proxy account on the server when it is running
e.g.
proxyaccount#mail.com
but that user cannot see the the authorized user I authorized using the administrator account.
I get error "you do not currently have an active account selected"
The "other" accounts do not have administration access nor do we want them to, and besides I don't want to have to go through this process for each and every account that connects to the server.
Ian
Each user gets its own gcloud configuration folder. You can see which configuration folder is used by gcloud by running gcloud info.
Note that if your server is a VM on GCP you do not need to configure credentials as they are obtained from metadata server for the VM.
Sharing user credentials is not a good practice. If you need to do this your users can set CLOUDSDK_CONFIG environment variable to point to one shared configuration folder. Also you should at least use service account for this purpose and activate it via gcloud auth activate-service-account instead of using credentials obtained via gcloud auth login.
For every Google Compute instance, there is a default service account like this:
1234567890123-compute#developer.gserviceaccount.com
I can create my instance with the proper scope (i.e. https://www.googleapis.com/auth/devstorage.full_control) and use this account to make API requests.
On this page: https://cloud.google.com/storage/docs/authentication#service_accounts it says:
Every project has a service account associated with it, which may be used for authentication and to enable advanced features such as Signed URLs and browser uploads using POST.
This implies that I can use this service account to created Signed URLs. However, I have no idea how to create a signed URL with this service account since I can't seem to get the private key (.p12 file) associated with this account.
I can create a new, separate service account from the developer console, and that has the option of downloading a .p12 file for signing, but the project level service accounts do not appear under the "APIs and auth / Credentials" section. I can see them under "Project / Permissions", but I can't do anything with them there.
Am I missing some other way to retrieve the private key for these default accounts, or is there no way to sign urls when using them?
You can use p12 key of any of your service account while you're authenticated through your main account or a GCE service account or other services accounts that have appropriate permissions on the bucket and the file.
In this case, just create a service account download p12 key and use the following command to sign your URL:
$ gsutil signurl -d 10m privatekey.p12 gs://bucket/foo
Though you can authenticate using different service account using the following command:
gcloud auth activate-service-account service-account-email --key-file key.p12
You can list and switch your accounts using these commands:
$ gcloud auth list
$ gcloud config set account