google-iam

问题 Is there some way to limit access to the internal metadata IP? Background is: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ When I fetch all the data with curl I can see the email address of my google account among other stuff. I'd like to limit the data itself and access to the data as much as possible. Metadata is required during setup and boot as far as I know. Is there some way around this or at least some way to lock down access

问题 Is there some way to limit access to the internal metadata IP? Background is: https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/ When I fetch all the data with curl I can see the email address of my google account among other stuff. I'd like to limit the data itself and access to the data as much as possible. Metadata is required during setup and boot as far as I know. Is there some way around this or at least some way to lock down access

问题 I can't figure out why I keep getting the error: Error: Could not load the default credentials. Browse to https://cloud.google.com/docs/authentication/getting-started for more information. firebase login from my command line returns that I am already logged in and I have configured my-app@appspot.gserviceaccount.com to be a Secret Manager Secret Accessor in the GCP IAM admin dashboard within the same project. Here's the code I'm using: const { SecretManagerServiceClient } = require("@google

问题 I am quite confused by this document enter link description here Service account requirements and Limitations: * Service accounts can only be set when a cluster is created. * You need to create a service account before creating the Cloud Dataproc cluster that will be associated with the service account. * Once set, the service account used for a cluster cannot be changed. Dose this means I cannot create a service account, which have role to create a dataproc cluster? For Now, I can only

问题 I want to update my deployment on kubernetes with a new image which exists on 'eu.gcr.io' (same project), I have done this before. But now the pods fail to pull the image because they are not authorized to do so. This is the error that we get in the pod logs. Failed to pull image "eu.gcr.io/my-gcp-project/my-image:v1.009": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid

问题 I want to update my deployment on kubernetes with a new image which exists on 'eu.gcr.io' (same project), I have done this before. But now the pods fail to pull the image because they are not authorized to do so. This is the error that we get in the pod logs. Failed to pull image "eu.gcr.io/my-gcp-project/my-image:v1.009": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid

问题 I am new in Google Cloud. I created a Cloud SQL Instance and I need to restore the data from a .bak file. I have the .bak file in a GCS bucket, and I am trying to restore using Microsoft Management Studio -> Task -> Restore. But I'm not able to access the file. Can anyone help me with the procedure on how to restore from a .bak file? 回答1: You need to give the Cloud SQL service Account access to the bucket where the file is saved. On Cloud Shell run the following: gcloud sql instances describe

问题 When I try to follow the example here: https://cloud.google.com/appengine/docs/flexible/python/quickstart, gcloud app deploy gives me the below error: ERROR: (gcloud.app.deploy) HTTPError 403: *account1* does not have storage.objects.get access to the Google Cloud Storage object. However, the account: account1 is the owner of the particular project. So why an ower does not have the storage.objects.get access here? 回答1: The problem is resolved by adding Storage Object Admin role to the account

问题 I'm trying to sign GCS URLs with the GCE default service account. I gave the compute default service account the necessary "Service Account Token Creator" role. When I try to sign a url in the following Python code, I get an error: import google.auth import google.auth.iam from google.auth.transport.requests import Request as gRequest creds, _ = google.auth.default(request=gRequest(), scopes=[ 'https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/devstorage.read

问题 I would like to use OAuth.tools to get an access token, refresh token, and ID token for my Web application that I've setup in Google Identity Platform? I'm unsure how to configure OAuth.tools to communicate with Google's OAuth server, and there are various flows, but I'm not sure which applies to my Web application. What should I fill in here, for instance, to make it work with OAuth.tools: 回答1: To do this, you need to: Configure the client at Google (the screenshot above) Setup an