google-cloud-iam

user access and data control to cloud firestore when calls to firestore are made server side

假如想象 提交于 2021-02-19 08:45:38
问题 I've started a web-based project using nodejs, express, firebase functions, firestore and eventually want to use firebase hosting. So far, I have been able to keep everything server side until I've reached Authorisation and Authentication. I'm using a model view controller structure so calls to firestore are being made server side and therefore the firestore security rules don't work. Firestore security rules only work if you access firestore client side. Can I use google cloud IAM (Identity

Providing keyFilename of Google Client Service Account from Google Cloud Storage

痞子三分冷 提交于 2021-02-19 08:15:29
问题 To connect to Google Cloud BigQuery that exists in a different GCP project from a Google Cloud Function, I am creating the BigQuery Client as follows: const {BigQuery} = require('@google-cloud/bigquery'); const options = { keyFilename: 'path/to/service_account.json', projectId: 'my_project', }; const bigquery = new BigQuery(options); But instead of storing the service_account.json in my Cloud Function, I want to store the Service Account in Google Cloud Storage and provide the Google Cloud

Create a custom role with no (or minimal) permissions

别来无恙 提交于 2021-02-11 18:19:13
问题 I am working on an application that has several custom roles that do not map to the existing IAM roles or permissions. e.g. Sales Department, Administrator, or Approver. I would like to create these custom roles in IAM and assign users to them. However, in order to create a custom role, I need to select at least one permission from the list of predefined permissions. Is there a way to create a custom role with no permissions or with a minimal permission that has no side effects? 回答1: You may

Create a custom role with no (or minimal) permissions

爱⌒轻易说出口 提交于 2021-02-11 18:18:12
问题 I am working on an application that has several custom roles that do not map to the existing IAM roles or permissions. e.g. Sales Department, Administrator, or Approver. I would like to create these custom roles in IAM and assign users to them. However, in order to create a custom role, I need to select at least one permission from the list of predefined permissions. Is there a way to create a custom role with no permissions or with a minimal permission that has no side effects? 回答1: You may

Limit access to metadata on GCE instance

主宰稳场 提交于 2021-02-11 16:59:26
问题 Is there some way to limit access to the internal metadata IP? Background is: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ When I fetch all the data with curl I can see the email address of my google account among other stuff. I'd like to limit the data itself and access to the data as much as possible. Metadata is required during setup and boot as far as I know. Is there some way around this or at least some way to lock down access

Limit access to metadata on GCE instance

一个人想着一个人 提交于 2021-02-11 16:57:53
问题 Is there some way to limit access to the internal metadata IP? Background is: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ When I fetch all the data with curl I can see the email address of my google account among other stuff. I'd like to limit the data itself and access to the data as much as possible. Metadata is required during setup and boot as far as I know. Is there some way around this or at least some way to lock down access

Why isn't my Firebase app connecting to Google Secret Manager?

 ̄綄美尐妖づ 提交于 2021-02-11 15:12:13
问题 I can't figure out why I keep getting the error: Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information. firebase login from my command line returns that I am already logged in and I have configured my-app@appspot.gserviceaccount.com to be a Secret Manager Secret Accessor in the GCP IAM admin dashboard within the same project. Here's the code I'm using: const { SecretManagerServiceClient } = require("@google

How do I list my GCP projects under No Organization using the Resource Manager API?

笑着哭i 提交于 2021-02-08 11:52:15
问题 I can't seem to find a proper filter for the Project List API method to list only the projects which I have access to but are under No Organization. Is there a filter for this? What would be the way to achieve this?. 回答1: I’m afraid there’s no straightforward way to achieve this. The filter would have to match a “parent.id” or a “parent.type” property, which in the case of projects without organization it doesn’t exists (they don’t have a “parent” attribute). It would have to be done in two

GCP Cloud Function - ERROR fetching storage source during build/deploy

南楼画角 提交于 2021-02-07 05:48:46
问题 Running into problems building deploying functions. When trying to programmatically deploy the function I get the following output in builder logs (ERRORS). 2020-10-20T02:22:12.155866856Z starting build "1fc13f51-28b6-4052-9a79-d5d0bef9ed5c" I 2020-10-20T02:22:12.156015831Z FETCHSOURCE I 2020-10-20T02:22:12.156031384Z Fetching storage object: gs://gcf-sources-629360234120-us-central1/${FUNCTIONNAME}-63f501f1-a8d2-4837-b992-1173ced83036/version-1/function-source.zip#1603160527600655 I 2020-10

you do not have permission to create projects in this location

别等时光非礼了梦想. 提交于 2021-01-29 20:58:36
问题 SOLVED: In Google cloud platform I need to create a new project to create a new oauth credential for an app. But it will not let me create any more projects under my organisation. It says I do not have permission to create projects in this location. I only have 2 projects currently and there is only 1 org. No I cannot use an exisitng project since I need to setup a different oauth consent screen. I am the admin, with owner permissions, so there is nobody else I can contact. I have a g suite