Cloud Identity and Access Management (Cloud IAM) enables you to create and manage permissions for Google Cloud Platform resources. Cloud IAM unifies access control for Cloud Platform services into a single system and presents a consistent set of operations.
Questions tagged [google-iam]
727 questions
8 votes, 2 answers
IAM Role to SSH to VM without Admin Privileges
Background
To SSH into VM instances in Google Compute Engine, I need to provide the instanceAdmin role to the user, which gives admin control to the user, which sometimes could be a security issue.
Query
Does Google Compute Engine provide any IAM Role,which…

Rohan
7 votes, 1 answer
Cloud Functions / Cloud Tasks UNAUTHENTICATED error
I am trying to get a Cloud Function to create a Cloud Task that will invoke a Cloud Function. Easy.
The flow and use case are very close to the official tutorial here.
I also looked at this article by Doug Stevenson and in particular its security…

Stf_F
7 votes, 2 answers
Authenticating to Google Cloud Firestore from GKE with Workload Identity
I'm trying to write a simple backend that will access my Google Cloud Firestore, it lives in the Google Kubernetes Engine. On my local I'm using the following code to authenticate to Firestore as detailed in the Google Documentation.
if…

James Williams
7 votes, 3 answers
Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions
When calling admin.auth().createCustomToken(), I get the following error:
Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com.;…

bigblind
7 votes, 4 answers
The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource
The above error message is being thrown when I try to add a task to a queue. Here is my setup and the info about this problem:
Project ID: my-project
Service Account ID: my-service-account
Task Queue Name: my-queue
Task Queue Location:…

Nicolas Dao
7 votes, 3 answers
GCE Service Account with Compute Instance Admin permissions
I have set up a compute instance called to run cronjobs on Google Compute Engine using a service account with the following roles:
Custom Compute Image User + Deletion rights
Compute Admin
Compute Instance Admin (beta)
Kubernetes Engine…

Sam Shleifer
6 votes, 1 answer
Warnings because of user credentials without quota project
I am currently managing a GCP project, and granted access to a colleague with the Viewer so that he can use the resources on it (mostly downloading files from storage).
I have run into a problem also explained here.
Basically, after running gcloud…

LoicM
6 votes, 1 answer
What is the point of "Service Account User" role if it's not for impersonation?
The documentation for the Service Account User role is a bit confusing.
https://cloud.google.com/iam/docs/service-accounts#user-role
Users granted the Service Account User role on a service account can use it to indirectly access all the resources…

Ari
6 votes, 1 answer
Restricting user access for VM in gcp
Assume two users, A and B, have full access to a GCP project. User A creates a VM. Once this is done, it appears user B can log in to the VM and also has sudo access to the VM.
We used the enable-oslogin metadata, but we have an issue where users A and B…

mo mo
6 votes, 2 answers
What are the differences between GCP service accounts and user accounts?
I wanted to use a service account to manage VM instances on GCE remotely. It did not work. Therefore this question. One difference I found between a service account and a user account, after many hours of trial-error, is that there seems no way to…

JerryL
6 votes, 6 answers
I am trying to give Project Creator role to a service account from IAM in GCP
I am trying to give Project Creator role to a service account from IAM, I do not see a role named Project Creator as explained here https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles
I am not getting Project creator as a…

Ashish Raj Srivastava
6 votes, 1 answer
Bucket query permission denied in GCP despite service-account having the Owner role
I am trying to make a GCP VM through Terraform. I made a service account on Google that has the Project Owner role. Through Terraform I am trying to make a bucket to store Terraform's state. The .json for credentials is in a Gitlab variable.…

Kim
6 votes, 3 answers
invalid image name in cloud build when using domain-scoped project
I'm trying to build a container with GCP's Cloud Build. I'm using the simple template from the quickstart doc. I've done this before successfully.
However, this time I am using a project which is under an "organization". So the project ID is…

David
6 votes, 1 answer
Stackdriver Error reporting for Ruby, running on GKE
Which steps are required to collect errors from a Rails app running on GKE?
I have added the stackdriver gem to my Rails app and I have created a custom role with the errorreporting.errorEvents.create permission.
That role is given to the Compute…

martins
6 votes, 1 answer
Terraform: How to use iam_policy without locking yourself out
I'm having issues with using iam_policy resource types without getting myself locked out on terraform destroy. This applies to resource types like google_storage_bucket_iam_policy and google_project_iam_policy.
This example applies to…

Bernard Halas