5

I am trying to use the Google Cloud Resource Manager API to test whether the authenticated user has permissions to a given project. I have read the Google Cloud Resource Manager API documentation and have tried sending requests, all of which fail with the following error:

{ "error": { "code": 400, "message": "Request contains an invalid argument.", "status": "INVALID_ARGUMENT" } }

The POST request is:

https://cloudresourcemanager.googleapis.com/v1/projects/{projectId}:testIamPermissions

where {projectId} is a defined projectId from the Google Cloud Developer Console. I am aware that I can use the project.list method and determine if the given projectId is present in the list of projects for the user. I want to understand how to use the project.testIamPermissions request and determine which permission the user has on the project.

Ken
  • Have you tested it at the relevant APIs Explorer page (https://developers.google.com/apis-explorer/#p/cloudresourcemanager/v1/cloudresourcemanager.projects.testIamPermissions)? – jarmod Dec 01 '16 at 21:08
  • Yes, that is where I have been running all of my tests. I haven't written a line of code yet until I understand how to call the API through the API explorer. – Ken Dec 14 '16 at 14:02
  • Did you dump the entire response/exception? I'm guessing that it will include helpful text such as "At least one permission must be specified". Did you supply permissions to be tested? – jarmod Dec 14 '16 at 14:54
  • Is there any solution for that already? I'm getting the same error message when using deployment manager, see https://github.com/Pindar/gcloud-k8s-express-app/issues/2#issuecomment-296595129 – Simon Apr 24 '17 at 10:23
  • It's hard to get anything but HTTP 400 from the API explorer when missing an explanation of the resource ID syntax, missing examples and when the error message provides no details other than "what you wrote was wrong". – nsandersen Jan 22 '21 at 12:26

1 Answer

1

In order to use the Cloud Resource Manager API methods organizations.testIamPermissions or projects.testIamPermissions, you need to provide the resource you'd like to check in the URL and then the permissions you'd like to check in the body.

So, for example, if I want to test if I, the authenticated user, have access to a particular permission (ex. compute.instances.create) on a particular project (ex. my-project) then, I would POST this:

{
 "permissions": [
  "compute.instances.create"
 ]
}

to the URL:

https://cloudresourcemanager.googleapis.com/v1/projects/my-project:testIamPermissions

which would give me the following response:

{
 "permissions": [
  "compute.instances.create"
 ]
}

because I do in fact have permissions to create new instances in my-project. However, if I did not have permission to create new instances, the response would look like:

{
}

Try it here via the API Explorer.

If your goal is to find the set of all permissions that the user has on the project, then you have to provide the full list of all project level permissions in your request body and the response will include the subset of those permissions that the user has.

Hope this helps!

lukwam
  • How do we provide the resource, for instance a dataset? There is a page here that looks useful [https://cloud.google.com/asset-inventory/docs/resource-name-format](https://cloud.google.com/asset-inventory/docs/resource-name-format), but no luck so far. – nsandersen Jan 22 '21 at 12:37
  • For BigQuery datasets, it should be bigquery.datasets.get, for example, which is the API call to get a dataset. – lukwam Jan 23 '21 at 13:38
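The request shape from the answer above (resource in the URL, permissions in the body, granted subset in the response), as an added Python example that is not part of the original thread. The function names, the caller-supplied OAuth 2.0 access token and the sample responses are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

API = "https://cloudresourcemanager.googleapis.com/v1"

# Constructed sample responses in the shape shown in the answer.
SAMPLE_PARTIAL = '{"permissions": ["compute.instances.create"]}'
SAMPLE_NONE = "{}"


def build_request(project_id, permissions, access_token):
    """Build the POST: project in the URL, permissions to test in the body."""
    if not permissions:
        # Choice made in this example: refuse locally instead of sending
        # a request that names no permission to test.
        raise ValueError("list at least one permission to test")
    # Percent-encode the ID so it cannot change the request path.
    project = urllib.parse.quote(project_id, safe="")
    url = f"{API}/projects/{project}:testIamPermissions"
    body = json.dumps({"permissions": list(permissions)}).encode()
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def split_permissions(requested, response_text):
    """Return (granted, missing); an empty {} response means none granted."""
    held = set(json.loads(response_text).get("permissions", []))
    granted = [p for p in requested if p in held]
    missing = [p for p in requested if p not in held]
    return granted, missing


def check_project_permissions(project_id, permissions, access_token):
    """Send the request and report which requested permissions the caller holds."""
    req = build_request(project_id, permissions, access_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return split_permissions(permissions, resp.read().decode())


if __name__ == "__main__":
    wanted = ["compute.instances.create", "compute.instances.delete"]
    print(split_permissions(wanted, SAMPLE_PARTIAL))
    print(split_permissions(wanted, SAMPLE_NONE))
```

Treating any permission absent from the response as not granted keeps the check fail-closed, including the case where the body is just `{}`.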