Questions tagged [google-iam]

Cloud Identity and Access Management (Cloud IAM) enables you to create and manage permissions for Google Cloud Platform resources. Cloud IAM unifies access control for Cloud Platform services into a single system and presents a consistent set of operations.

411 questions
24 votes, 7 answers

How to get a GCP Bearer token programmatically with python

gcloud auth print-access-token gives me a Bearer token that I can use later on; however, this is a shell command. How would I obtain one programmatically via the Google Cloud Python API? I see a prior example using oauth2client, but oauth2client…
indraniel
18 votes, 2 answers

Access Google Cloud service account credentials on Container OS inside Docker Container

Using the Container Optimized OS (COS) on Google Cloud Compute, what's the best way to access the credentials of the default service account for the VM-project from within a Docker container? $ gcloud compute instances create test-instance \ …
15 votes, 3 answers

Kubernetes pods can't pull images from container registry (gcp)

I want to update my deployment on Kubernetes with a new image which exists on 'eu.gcr.io' (same project); I have done this before. But now the pods fail to pull the image because they are not authorized to do so. This is the error that we get in the…
11 votes, 2 answers

Unable to assign iam.serviceAccounts.signBlob permission

TL;DR: I'm having trouble assigning an IAM permission to a service account. I'm building a test that involves minting custom tokens with Firebase Auth. When I hit: const token = await admin.auth().createCustomToken('test', { isAdmin: true, …
10 votes, 1 answer

How do you enable "iam.serviceAccounts.actAs" permissions on a service account?

I am trying to deploy a service with a non-default service account by following this guide and it says I need "the iam.serviceAccounts.actAs permission on the service account being deployed". The service account I am using is…
10 votes, 1 answer

How does the GKE metadata server work in Workload Identity

I've recently been making use of the GKE Workload Identity feature. I'd be interested to know in more detail how the gke-metadata-server component works. GCP client code (gcloud or other language SDKs) falls through to the GCE metadata…
10 votes, 2 answers

What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform

According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources. Does this mean that with the browser role I can only list the filenames stored in the…
intotecho
8 votes, 3 answers

Google Cloud Platform IAM, I don't receive the invitation mail as a member

My partner added me as a member in a GCP project, with Compute Engine Admin role, but I didn't receive any invitation email. We have already checked the spam folder. I also tried to…
lotfi Raghib
8 votes, 1 answer

IAM Service Account Key vs Google Credentials File

I'm writing code to generate and download a private key for a Google Cloud service account. Using the IAM API, I was able to create a service account, and my call to generate a key seems to be working. I get back a Service Account Key as described…
hubatish
7 votes, 1 answer

Google Cloud Run Authentication Service-to-Service

I have two services (APIs) deployed on GCP Cloud Run. Call them service-one.myDomain.com and service-two.myDomain.com. I would like service-one to be authenticated in calling service-two independently of what any user is doing. I've read and…
7 votes, 1 answer

GCP Cloud Build fails with permissions error even though correct role is granted

I set up a Cloud Build Trigger in my GCP project in order to deploy a Cloud Function from a Cloud Source Repository via a .yaml file. Everything seems to have been set up correctly and permissions granted according to the official documentation, but…
7 votes, 1 answer

Stackdriver Error reporting for Ruby, running on GKE

Which steps are required to collect errors from a Rails app running on GKE? I have added the stackdriver gem to my Rails app and I have created a custom role with the errorreporting.errorEvents.create permission. That role is given to the Compute…
7 votes, 1 answer

IAM and RBAC Conflicts on Google Cloud Container Engine (GKE)

Context: Access to a Google Cloud (GKE) Kubernetes cluster is managed through the Google Cloud IAM feature. An admin invites a new user (using their Google account/login) and assigns them a role. The example role below is "Container Engine Viewer",…
6 votes, 1 answer

Restricting user access for VM in gcp

Assume two users, A and B, have full access to a GCP project. User A creates a VM. Once this is done, it appears user B can log in to the VM and also has sudo access to the VM. We used the enable-oslogin metadata, but we have an issue where users A and B…
6 votes, 2 answers

invalid image name in cloud build when using domain-scoped project

I'm trying to build a container with GCP's Cloud Build. I'm using the simple template from the quickstart doc. I've done this before successfully. However, this time I am using a project which is under an "organization". So the project ID is…