Questions tagged [gcp-iam]
35 questions
-1 votes, 0 answers, 19 views
GCP IAM access management
Let's suppose we have a number of GCP projects and several dev teams. What is the recommended way of managing access to the resources in the projects for the different teams?
We are considering ...
0 votes, 1 answer, 121 views
Can "Domain Restricted Sharing" Org Policy in GCP work with cloud functions accepting allUsers?
If a project has or inherits a Domain Restricted Sharing org policy, it appears this prevents adding the cloudfunction invoker role to allUsers or allAuthenticatedUsers?
If it's possible to add ...
0 votes, 0 answers, 37 views
How do I grant a service account permissions to the Google Analytics Admin API?
What is this doing? It creates a new project and a service account json key for me? How is it granting the service account access to the API?: https://developers.google.com/analytics/devguides/config/...
0 votes, 1 answer, 26 views
Permission error for roles/resourcemanager.projectCreator in Google Cloud Build Trigger
I want to use Google Cloud Build Trigger to execute Terraform processing.
And, I want to create a Firebase project using Terraform. However, a Build Trigger error is occurring as below.
Step #2 - &...
0 votes, 1 answer, 61 views
google.api_core.exceptions.PermissionDenied: 403 Permission iam.googleapis.com/denypolicies.create denied on resource cloudresourcemanager.googleapis
def create_deny_policy(project_id: str, policy_id: str) -> None:
    from google.cloud import iam_v2
    from google.cloud.iam_v2 import types
    policies_client = iam_v2.PoliciesClient()
...
0 votes, 1 answer, 184 views
How do I assign a role to a user in gcp for only 24 hours using gcloud cli?
I am trying to assign a role to a user only for 24 hours. I was using gcloud command for this and condition statement within the command.
gcloud projects add-iam-policy-binding project_name --member='...
0 votes, 1 answer, 129 views
How to use a cross-project service user to auth in Google Play Developer API
In my current setup, I am only able to have a service account in a shared project called ProjectA. This project is solely used for creating Service Accounts (SA). Afterwards, I invite the SA to my own ...
0 votes, 0 answers, 37 views
GCP Not able to create bucket with compute engine default service account
I have created a VM instance with compute engine default service account. I am not able to create a bucket from this VM using
gsutil mb gs://bucketname
The command gives AccessDeniedException: 403 ...
1 vote, 0 answers, 95 views
How to add IAM conditions in gcp request for the TestIamPermissions API in golang?
I'm trying to test permissions with the TestIamPermissions API provided by GCP, my permissions are scoped by IAM conditions, but as I see in gcp documentation, this API gets resource and ...
0 votes, 0 answers, 311 views
Disable service account key with google API client
Google Cloud's IAM allows you to activate/deactivate service account keys, so you can safely deactivate and remove a key once you're sure it hasn't broken anything in your systems. In my case, I'm ...
2 votes, 1 answer, 1k views
How do I generate signed URLs for GCS with workload identity in the C# SDK?
I use workload id for all my GKE deployments.
I have an app that needs to generate signed URLs for GCS and it uses the C# SDK.
I see no docs on how to do this with workload id, only static keys.
It ...
1 vote, 1 answer, 380 views
Trying to remove a role assigned to a GCP user
Use Case: I am trying to delete all the roles assigned to a principal inside a GCP project.
As I understand you can't perform that operation directly.
I am referring here: https://cloud.google.com/iam/...
1 vote, 0 answers, 119 views
About the problem of using GCP to establish an L2TP tunnel: cannot succeed, 619 or 800 error
Current date 2023-1-15 test,
The script used is: https://github.com/hwdsl2/setup-ipsec-vpn
Test system Debian GNU/Linux 11 (bullseye)
GCP virtual computer hardware configuration: E2-small
Ports are ...
1 vote, 0 answers, 204 views
How to construct GCP org policy with tag rules to apply to cloud run service
I am trying to default my Cloud Run services ingress access to be internal only unless a specific tag is being set on the service by the service owner (for instance).
I am trying to achieve this with ...
6 votes, 0 answers, 2k views
How do I get the email name of the current user retrieved via default credential fetching
I am not using a JSON key. I use the default credential loading mechanism that is used when you create any new client.
But what means is there to reflect on the current creds?
import google.auth
creds,...