
I used the command below to authenticate in the macOS Terminal:

gcloud auth login

It redirects to the Google login page and reports that the authentication process was successful.

When I then run the command

gsutil -i fetebird-storage@fetebird.iam.gserviceaccount.com ls

I get the following exception:

AccessDeniedException: Service account impersonation failed. Please go to the Google Cloud Platform Console (https://cloud.google.com/console), select IAM & admin, then Service Accounts, and grant your originating account the Service Account Token Creator role on the target service account.

However, in the Cloud Console I have granted the permission, as shown below:

[screenshot]

[screenshot]

Auth List

[screenshot]

San Jaisy
  • Linked to the other question. Can you run `gcloud config list` and paste the result? – guillaume blaquiere Mar 04 '21 at 08:40
  • This is the same on my side. I suggest raising a bug. According to the Google docs it should be done via the "Send Feedback" button (https://cloud.google.com/storage/docs/getting-support#file_bugs_or_feature_requests), and I think this is the page where the `-i` option is described: https://cloud.google.com/storage/docs/gsutil/addlhelp/TopLevelCommandLineOptions – vitooh Mar 04 '21 at 14:58
  • I wrote several articles about service account impersonation: https://www.jhanley.com/google-cloud-improving-security-with-impersonation/ You are not setting up the required roles on the correct resources. My article shows the steps required. – John Hanley Mar 04 '21 at 21:38
  • @JohnHanley If I run the command from Cloud Shell everything works fine; however, from the macOS Terminal I am not able to run it. – San Jaisy Mar 05 '21 at 05:12
  • What is a terminal? – John Hanley Mar 05 '21 at 05:13
  • @JohnHanley The macOS Terminal. – San Jaisy Mar 05 '21 at 05:15
  • What does `gcloud auth list` display for each environment? Are they using the same "Active Account"? – John Hanley Mar 05 '21 at 05:16
  • Yes, they are using the same active account; I pasted the screenshot above. – San Jaisy Mar 05 '21 at 05:21
  • Compare the output on the system that works and the one that does not. – John Hanley Mar 05 '21 at 05:23
  • I am not able to access it at all from the macOS Terminal; I get an exception: (gcloud.projects.get-iam-policy) User [fetebird@gmail.com] does not have permission to access projects instance [fetebird:getIamPolicy] (or it may not exist): The caller does not have permission. What API do I need to enable for this? – San Jaisy Mar 05 '21 at 06:37
  • Your screenshot shows that fetebird@gmail.com is an Owner. You do not need additional roles to perform IAM tasks on the "owned" project. You must have a configuration error such as a project spelling mistake, etc. Execute `gcloud auth revoke` within macOS. Then reboot the machine. Execute `gcloud auth login` with the correct user, select the correct Project ID (not project name) with `gcloud config set project ` and try again. – John Hanley Mar 05 '21 at 07:26
  • Hi @SanJaisy, were you able to solve this issue, mate? – Suraj Jan 24 '22 at 12:05

1 Answer

The current logged in user (fetebird@gmail.com) must have the Service Account Access Token Creator role.

You might think the Owner role would be sufficient; however, when I tested this myself, you need to explicitly add it to the account that is impersonating the service account.

[screenshot]

https://cloud.google.com/iam/docs/service-accounts#token-creator-role

ThdK
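The following is an added example, not code from the question, the answer, or Google; it shows why the `-i` impersonation in the question can fail even for a project Owner, and which resource the binding has to be on. It reads the same JSON that `gcloud iam service-accounts get-iam-policy SA --format=json`, `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud auth list --format=json` print, but here those outputs are constructed inline so the check runs offline. The service account and user e-mail are taken from the question; the policy contents, the `diagnose` function and the remediation command string it builds are assumptions for illustration.

```python
"""Offline diagnosis of 'Service account impersonation failed' for gsutil -i.

The three JSON documents below are constructed to look like gcloud output;
replace them with real `gcloud ... --format=json` output to check your own setup.
"""
import json
from typing import Optional, Tuple

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
OWNER = "roles/owner"

SA_EMAIL = "fetebird-storage@fetebird.iam.gserviceaccount.com"

# Constructed: IAM policy of the *service account* before any fix.
# A fresh service account has no bindings at all.
SA_POLICY_BEFORE = json.loads('{"etag": "BwXc0000000=", "version": 1}')

# Constructed: the same service account after Token Creator is granted to the user.
SA_POLICY_AFTER = json.loads("""
{"bindings": [{"members": ["user:fetebird@gmail.com"],
               "role": "roles/iam.serviceAccountTokenCreator"}],
 "etag": "BwXc0000001=", "version": 1}
""")

# Constructed: *project* policy, where the user is Owner (as in the question).
PROJECT_POLICY = json.loads("""
{"bindings": [{"members": ["user:fetebird@gmail.com"], "role": "roles/owner"}],
 "etag": "BwXc0000002=", "version": 1}
""")

# Constructed: `gcloud auth list --format=json` on the macOS machine.
AUTH_LIST = json.loads(
    '[{"account": "fetebird@gmail.com", "status": "ACTIVE"}]'
)


def members_with_role(policy: dict, role: str) -> set:
    """Members bound to `role` in an IAM policy document.

    Bindings that carry a `condition` are skipped: whether they apply depends
    on request attributes that cannot be evaluated offline, so they are
    treated as not granted (a conservative assumption of this example).
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            members.update(binding.get("members", []))
    return members


def active_account(auth_list: list) -> Optional[str]:
    """The ACTIVE entry of `gcloud auth list`, i.e. who gsutil runs as."""
    for entry in auth_list:
        if entry.get("status") == "ACTIVE":
            return entry["account"]
    return None


def diagnose(sa_policy: dict, project_policy: dict, auth_list: list) -> Tuple[bool, str]:
    """Return (can_impersonate, reason) for the active gcloud account.

    Order matters: a binding on the service account itself is the least-
    privilege fix; a project-level Token Creator grant also works because
    service accounts inherit the project policy, but it covers every service
    account in the project; project Owner alone is not enough, because the
    basic Owner role does not carry iam.serviceAccounts.getAccessToken.
    """
    account = active_account(auth_list)
    if account is None:
        return False, "no ACTIVE account in `gcloud auth list`; run `gcloud auth login`"
    member = f"user:{account}"
    if member in members_with_role(sa_policy, TOKEN_CREATOR):
        return True, f"{member} has {TOKEN_CREATOR} on the service account"
    if member in members_with_role(project_policy, TOKEN_CREATOR):
        return True, f"{member} inherits {TOKEN_CREATOR} from the project (broader than needed)"
    if member in members_with_role(project_policy, OWNER):
        return False, (f"{member} is project Owner, but Owner does not include "
                       "iam.serviceAccounts.getAccessToken; grant Token Creator on the SA")
    return False, f"{member} has no {TOKEN_CREATOR} binding on the SA or the project"


def remediation(sa_email: str, member: str) -> str:
    """The gcloud command that grants Token Creator on the service account only."""
    return (f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
            f"--member={member} --role={TOKEN_CREATOR}")


if __name__ == "__main__":
    ok, why = diagnose(SA_POLICY_BEFORE, PROJECT_POLICY, AUTH_LIST)
    print(f"before fix: ok={ok}: {why}")
    if not ok:
        print("fix:", remediation(SA_EMAIL, f"user:{active_account(AUTH_LIST)}"))
    ok, why = diagnose(SA_POLICY_AFTER, PROJECT_POLICY, AUTH_LIST)
    print(f"after fix:  ok={ok}: {why}")
```

Run it as-is to see the Owner-only case fail and the service-account-scoped grant succeed. To apply it to a real setup, dump the three documents with `gcloud iam service-accounts get-iam-policy SA --format=json`, `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud auth list --format=json` on the machine where impersonation fails; an active account that differs from the one shown in the Console is the mismatch the comments above were probing for.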