
Using IAM, I am trying to allow certain users to access APIs and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.

To be more specific, when the user is in their project and they go to "APIs and Services" > Credentials, on this page the user receives this error:

You don't have permission to view API keys, OAuth clients, and service account keys.

I'm pretty new to GCP so I may be missing something simple. Not sure what info would be helpful, but I'll provide the services used and the IAM roles set up for the user.

Services:

1. App Engine
2. DataStore
3. Functions
4. Source Repositories

Roles/Permissions:

1. App Engine Admin
2. Cloud Functions Developer
3. Cloud Datastore Owner
4. Service Account Admin
5. Source Repository Administrator
6. Storage Admin

Thanks.

Eranda Peiris
Bryce

2 Answers


So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.

I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:

"Custom API"

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • serviceusage.apiKeys.create
  • serviceusage.apiKeys.delete
  • serviceusage.apiKeys.get
  • serviceusage.apiKeys.getProjectForKey
  • serviceusage.apiKeys.list
  • serviceusage.apiKeys.regenerate
  • serviceusage.apiKeys.revert
  • serviceusage.apiKeys.update

"Custom Client Auth"

  • clientauthconfig.brands.create
  • clientauthconfig.brands.delete
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.createSecret
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.listWithSecrets
  • clientauthconfig.clients.undelete
  • clientauthconfig.clients.update

Note: at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.

Bryce
Any update on this issue? In Sept 2019 (Today) I am facing the same issue. At the same time I do not feel right adding all the perms on the above issue. – Ace Sep 11 '19 at 04:11

I recently ran into this issue, and found adding the following permissions to a user account should work:

  • Browser
  • Create Service Accounts
  • Service Account Token Creator
  • Custom role with the below as suggested by 1bryce

"Custom Client Auth"

  • clientauthconfig.brands.create
  • clientauthconfig.brands.delete
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.createSecret
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.listWithSecrets
  • clientauthconfig.clients.undelete
  • clientauthconfig.clients.update

Note: with some further tinkering you may be able to get this down to fewer permissions.

phippsy20
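Both answers describe building the "Custom Client Auth" role by hand in the console. The script below is an added example, not code from either answer, that builds the same role from the listed permissions as a `gcloud iam roles create --file` definition and binds it to a single user at project scope; the project id, member, role id and file name are placeholders, and the "Custom API" role from the first answer can be produced the same way.

```shell
# Added example (not from the answers above): materialise the "Custom Client
# Auth" role as a gcloud role file, review its scope, then create and bind it.
# ROLE_ID, ROLE_FILE, the project id and the member are assumed placeholders.

ROLE_ID="customClientAuth"
ROLE_FILE="custom-client-auth.yaml"

# Permissions exactly as listed in the answers. Those whose names contain
# "Secret" return OAuth client secrets; omit them for users who only need to
# create or list clients, so the grant stays minimal.
CLIENT_AUTH_PERMS="
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
"

write_role_yaml() {
  # $1 = output file. Layout matches what `gcloud iam roles create --file` reads.
  {
    echo "title: Custom Client Auth"
    echo "description: Manage OAuth brands and clients only (least privilege)"
    echo "stage: ALPHA"
    echo "includedPermissions:"
    for p in $CLIENT_AUTH_PERMS; do echo "- $p"; done
  } > "$1"
}

count_permissions() {
  # Prints how many permissions a role file grants, for a quick scope review.
  grep -c '^- ' "$1"
}

create_and_bind_role() {
  # $1 = project id, $2 = member such as user:alice@example.com (needs gcloud).
  write_role_yaml "$ROLE_FILE"
  gcloud iam roles create "$ROLE_ID" --project="$1" --file="$ROLE_FILE"
  gcloud projects add-iam-policy-binding "$1" \
    --member="$2" --role="projects/$1/roles/$ROLE_ID"
}
```

Run `create_and_bind_role my-project user:alice@example.com` with an authenticated gcloud; the role then appears as `projects/my-project/roles/customClientAuth` and can be audited with `gcloud iam roles describe`.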