Cloud Identity and Access Management (Cloud IAM) enables you to create and manage permissions for Google Cloud Platform resources. Cloud IAM unifies access control for Cloud Platform services into a single system and presents a consistent set of operations.
Questions tagged [google-cloud-iam]
376 questions
6 votes, 1 answer
Permission 'cloudkms.cryptoKeyVersions.useToDecrypt' denied for resource ...key
I am building an http endpoint with Google Cloud Functions. I have an encrypted secret stored as a file that is loaded and decrypted in the function as a way to prevent my secret from being stored in the code. Usually I dynamically load something…
tristansokol
6 votes, 2 answers
SOLUTION: google cloud sdk issue: 'callers must accept terms of service'
Known issue:
Installing google-cloud-sdk (linux package or from tarball) has a quirk where you cannot create projects from the command line before accepting the terms of service.
Steps to reproduce:
Download sdk, untar, move folder to home…
BitShift
5 votes, 2 answers
You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy
I checked the IAM & admin in the GCP console UI. I have two roles: (Company name) Project Owner and Editor. The member is my company email address.
But when I try to edit (the edit button) other people's roles and permissions, I got below…
slideshowp2
5 votes, 1 answer
Enable APIs using serviceusage API with a service account
I want to create an automatic deployment of GCP for clients.
In order to do that, I have opened a page for them to login with google, and then enabled the IAM API and the Service Usage API.
Then I have created a service account that I want to use…
Elvira Gandelman
5 votes, 2 answers
gcloud compute ssh with local key & project restrictions
We have a user that is allowed to SSH into a VM on the Google Cloud Platform.
His key is added to the VM and he can SSH using
gcloud compute ssh name-of-vm
However connecting in this way will always have gcloud try to update project wide meta data…
Tom Lous
5 votes, 2 answers
Google Managed Services (BigQuery,Cloud Storage etc) via a VPC/VPN
We are planning to use Big Query and Cloud Storage but have questions regarding access via VPN/VPC.
As Big Query, GCS are managed services is it correct to assume that it is not possible to restrict access to project level buckets and data sets to…
K2J
5 votes, 4 answers
Google cloud storage listing files in bucket requires permission for project owner
I'm currently using web UI to browse the files in one of the buckets and I happen to be the project owner as well. However I get a permission error
You need the storage.objects.list permission to list objects in this
bucket. Ask a project or…
opensourcegeek
5 votes, 2 answers
Google Cloud Service Account with 'roles/container.admin'
I am trying to create a Service Account with 'roles/container.admin' and I get an error saying that the role is not supported for this resource.
$ gcloud iam service-accounts add-iam-policy-binding sa-ci-vm@PROJECT-ID.iam.gserviceaccount.com…
Victor Rosales
5 votes, 1 answer
Can I restrict access to a Google Cloud SQL instance to specific service account?
I have multiple environments in Google Compute Engine (dev, staging, and production), each with its own Google Cloud SQL instance. The instances connect via Cloud SQL Proxy and authenticate with a credential file that is tied to a service account. I…
Craig Finch
4 votes, 1 answer
Cannot impersonate GCP ServiceAccount even after granting "Service Account Token Creator" role
I have 2 ServiceAccounts in my Google Cloud Platform (GCP) Project
owner
executor
The owner ServiceAccount has 1 project-wide role attached to it:
"Owner" - for the project
The executor ServiceAccount has ONLY 2 specific roles attached to it (as…
Rakib
4 votes, 1 answer
Create an alias for a Google Service Account Email?
I've shared a Google Sheet with my Google Service account email, which looks something like:
myappname-service@myappname-266229.iam.gserviceaccount.com
This permits my application to access that Google Sheet.
I'd like to be able to share the Google…
Richard
4 votes, 1 answer
The caller does not have permission when attempting to use Google Cloud Storage within Cloud Run
I'm attempting to get a Node project setup on Google Cloud Run with Cloud Storage. I am running into an authentication issue when using a created Service Account.
When creating the service account I did successfully download the JSON token and got…
John Chipps-Harding
4 votes, 2 answers
How to get all roles/permissions that a service account has for a project and organization in GCP through API
I have a service account which belongs to a project. It has some roles/permissions set at the project level as well as some roles/permissions set at organization level.
I need to get list of all permissions/roles that the service account is…
Johnny Cage
4 votes, 2 answers
Limiting access of a GCP Cloud IAM custom role only to a bucket
AWS provides a way through its IAM policies to limit access from a particular user/role to a specific named resource.
For example the following permission:
{
"Sid": "ThirdStatement",
"Effect": "Allow",
"Action": [
…
pkaramol
4 votes, 2 answers
Can't delete a Google Cloud Project
I have an old Google Cloud Project that I just can't delete.
When I do it via website I get a "Project Service Unknown error Tracking number: 342342354345345345"
When I do it via CLI with command:
gcloud projects delete "PROJECT"
I get an…
FilipM