google-iam

问题 I have two services (APIs) deployed on GCP Cloud Run. Call them service-one.myDomain.com and service-two.myDomain.com . I would like service-one to be authenticated in calling service-two independently of what any user is doing. I've read and implemented the instructions from GCP Cloud Run docs on Authenticating service-to-service (https://cloud.google.com/run/docs/authenticating/service-to-service) but service-one.myDomain.com is unsuccessful in calling service-two.myDomain.com receiving a

问题 Starting with this: users have their own google user accounts that are setup locally via gcloud login the application is using the gcp APIs in the usual way- by default it will look for GOOGLE_APPLICATION_CREDENTIALS, GCE roles, service accounts, or use the local users gcloud configured credentials when users run it locally it will use their own user account, when run in gcp it will use a service account The user's account also has access to impersonate the service account. So when running

问题 Here my use case. I already have a Cloud Run service deployed in private mode. (same issue with Cloud Function) I'm developing a new service that use this Cloud Run. I use the default credential in the application for the authentication. It worked on Compute Engine and on Cloud Run because the default credential is gotten from the metadata server. But, on my local environment, I need to use a service account key file for achieving this. (for example, when I set the GOOGLE_APPLICATION

问题 I'm trying to build a container with GCP's Cloud Build. I'm using the simple template from the quickstart doc. I've done this before successfully. However, this time I am using a project which is under an "organization". So the project ID is mycompany.com:projectX , rather than simply projectX . I am unable to get the build to complete. When I run: gcloud builds submit --tag gcr.io/mycompany.com:project-id/helloworld I get the following error: (gcloud.builds.submit) INVALID_ARGUMENT: invalid

问题 I'm trying to build a container with GCP's Cloud Build. I'm using the simple template from the quickstart doc. I've done this before successfully. However, this time I am using a project which is under an "organization". So the project ID is mycompany.com:projectX , rather than simply projectX . I am unable to get the build to complete. When I run: gcloud builds submit --tag gcr.io/mycompany.com:project-id/helloworld I get the following error: (gcloud.builds.submit) INVALID_ARGUMENT: invalid

问题 In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud). Is there a way to list, search, list, search, or find IAM policies across resources, services, or projects? This is needed to answer questions like: What roles does a service account have? Which resources are shared publicly? Do policies contain deleted users? Does a user still appear in any policies after they leave my company? Does a user has a given

问题 This page explains both: Obtaining and providing service account credentials manually for developing local, deploying on-premises, or deploying to another public cloud. Obtaining credentials on Compute Engine, Kubernetes Engine, App Engine flexible environment, and Cloud Functions But there is no mention of obtaining credentials on Cloud Run. I'd appreciate it if you give instructions for obtaining credentials and setting firebase-admin initializeApp and firebase initializeApp for

问题 This page explains both: Obtaining and providing service account credentials manually for developing local, deploying on-premises, or deploying to another public cloud. Obtaining credentials on Compute Engine, Kubernetes Engine, App Engine flexible environment, and Cloud Functions But there is no mention of obtaining credentials on Cloud Run. I'd appreciate it if you give instructions for obtaining credentials and setting firebase-admin initializeApp and firebase initializeApp for

问题 Is there a way to deny permissions in GCP custom role? For example, this is a policy in AWS that denies a set of actions on S3: { "Sid": "DenyS3", "Effect": "Deny", "Action": "s3:Get*", "Resource": "*" } Is there a way to define a similar custom role in GCP? 回答1: Is there a way to deny permissions in GCP custom role? No, IAM roles are deny by default and are additive only. How do i get permissions only on a specific image name? The classic use case for IAM roles is to assign them to the

问题 According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources. Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files? 回答1: Does this mean that with the browser role I can only list the filenames stored in the project's buckets but I need viewer role to download those files? The browser role roles