google-iam | 易学教程

Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions

阅读更多关于 Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions

问题 When calling admin.auth().createCustomToken() , I get the following error: Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature. So I go look at the mentioned service account in the IAM section of the cloud platform console, and it has

How do I give users to a group access to my GCP project?

阅读更多关于 How do I give users to a group access to my GCP project?

问题 I am trying to set up access control using google groups instead since our team is getting larger. I have created a group in Google group admin and added given that group access to our GCP project, but the members of the group doesn't see the GCP project in the list of available groups. Am I missing something? According to the doc: https://cloud.google.com/iam/docs/overview it should be possible to do exactly what I am doing. 回答1: Reference: https://cloud.google.com/iam/docs/overview enter

IAM Service Account Key vs Google Credentials File

阅读更多关于 IAM Service Account Key vs Google Credentials File

问题 I'm writing code to generate and download a private key for a Google Cloud service account. Using the IAM API, I was able to create a service account, and my call to generate a key seems to be working. I get back a Service Account Key as described on the IAM API create key page, like { "privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE", "privateKeyData": "random-key-stringkajdkjakjfke", ... } I downloaded this file as a JSON response and am trying to authenticate with it: gcloud auth activate

Problem in GCP setIamPolicy API reference under PHP example

阅读更多关于 Problem in GCP setIamPolicy API reference under PHP example

问题 on this page https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy Way down at the bottom are come code examples. The PHP code follows. The problem is the line $response = $service->projects->setIamPolicy($resource, $requestBody); There is no defined 'projects' property. I'm guessing this is out of date. Can anyone describe how this should be used, or offer a correction? require_once __DIR__ . '/vendor/autoload.php'; $client = new Google_Client(); $client-

What is the correct Permission to give GCP Cloud Function (CF) so that it's callable ONLY from another CF?

阅读更多关于 What is the correct Permission to give GCP Cloud Function (CF) so that it's callable ONLY from another CF?

问题 I need one cloud function (CF) to invoke another CF that is protected. Protected meaning it can only be invoked by other CFs but not from Internet. Protected CF: I disabled the "Allow unauthenticated invocations" when creating this. I now need to give this function the correct Role and Permission so that it can be accessed from other CFs. I have tried almost all options but keep getting 403 from the invoker. Any ideas? Thanks! 回答1: You can specify that a receiving function accepts requests

Deletion of users (identities) from Google bucket IAM Policy does not work

阅读更多关于 Deletion of users (identities) from Google bucket IAM Policy does not work

问题 In order to remove identities from a google cloud bucket, I use the example provided at the GCP examples repo: here. I am wondering if there is something I am missing, I have the correct root credentials to the cloud account, as well as the project ownership credentials. Basically, the removal operations do not owrk both from Java code and using the gsutil function from gcp web console. Here is the original policy: Policy{ bindings= { roles/storage.legacyBucketOwner= [ projectOwner:csbauditor

GCP - Unable to authenticate myself to invoke Google Cloud function

阅读更多关于 GCP - Unable to authenticate myself to invoke Google Cloud function

问题 I have a cloud function named rad_format_text_v0 . I (andy@onehot.io) have permission to invoke it, shown here: $ gcloud beta functions get-iam-policy rad_format_text_v0 bindings: - members: - allAuthenticatedUsers - user:andy@onehot.io role: roles/cloudfunctions.invoker etag: BwWOSfjYxp0= version: 1 I can invoke it using gcloud functions call ... $ gcloud auth list Credentialed Accounts ACTIVE ACCOUNT * andy@onehot.io $ gcloud functions call rad_format_text_v0 --data "$(< test.json)"

Stackdriver Error reporting for Ruby, running on GKE

阅读更多关于 Stackdriver Error reporting for Ruby, running on GKE

问题 Which steps are required to collect errors from a Rails app running on GKE? I have added the stackdriver gem to my Rails app and I have created a custom role with the errorreporting.errorEvents.create permission. That role is given to the Compute Engine default service account I interpret the docs that one does not have to do the following setup when running on GKE: # Add this to config/environments/*.rb Rails.application.configure do |config| # Stackdriver Error Reporting specific parameters

Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions

阅读更多关于 Can't create a custom token in firebase cloud functions because the service account doesn't have the necessary permissions

When calling admin.auth().createCustomToken() , I get the following error: Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/kaleido-maastricht@appspot.gserviceaccount.com.; Please refer to https://firebase.google.com/docs/auth/admin/create-custom-tokens for more details on how to use and troubleshoot this feature. So I go look at the mentioned service account in the IAM section of the cloud platform console, and it has the Editor role, which, indeed, does not have the signBlob permission. What role could I change it to

Access Google Cloud service account credentials on Container OS inside Docker Container

阅读更多关于 Access Google Cloud service account credentials on Container OS inside Docker Container

问题 Using the Container Optimized OS (COS) on Google Cloud Compute, what's the best way to access the credentials of the default service account for the VM-project from within a Docker container? $ gcloud compute instances create test-instance \ --image=cos-stable --image-project=cos-cloud $ ssh (ip of the above) # gcloud ... Command not found # docker run -ti google/cloud-sdk:alpine /bin/sh # gcloud auth activate-service-account ... --key-file: Must be specified. If the credentials were on the