Cloud Identity and Access Management (Cloud IAM) enables you to create and manage permissions for Google Cloud Platform resources. Cloud IAM unifies access control for Cloud Platform services into a single system and presents a consistent set of operations.
Questions tagged [google-iam]
411 questions
24 votes, 7 answers
How to get a GCP Bearer token programmatically with python
gcloud auth print-access-token gives me a Bearer token that I can use later on; however, this is a shell command. How would I obtain one programmatically via the Google Cloud Python API?
I see a prior example using oauth2client, but oauth2client…
indraniel
18 votes, 2 answers
Access Google Cloud service account credentials on Container OS inside Docker Container
Using the Container Optimized OS (COS) on Google Cloud Compute, what's the best way to access the credentials of the default service account for the VM-project from within a Docker container?
$ gcloud compute instances create test-instance \
…
Brian M. Hunt
15 votes, 3 answers
Kubernetes pods can't pull images from container registry (gcp)
I want to update my deployment on kubernetes with a new image which exists on 'eu.gcr.io' (same project), I have done this before. But now the pods fail to pull the image because they are not authorized to do so. This is the error that we get in the…
Georges Lorré
11 votes, 2 answers
Unable to assign iam.serviceAccounts.signBlob permission
TLDR; I'm having trouble assigning an IAM permission to a service account.
I'm building a test that involves minting custom tokens with firebase Auth. When I hit:
const token = await admin.auth().createCustomToken('test', {
isAdmin: true,
…
tristansokol
10 votes, 1 answer
How do you enable "iam.serviceAccounts.actAs" permissions on a service account?
I am trying to deploy a service with a non-default service account by following this guide and it says I need "the iam.serviceAccounts.actAs permission on the service account being deployed". The service account I am using is…
sdfsdf
10 votes, 1 answer
How does the GKE metadata server work in Workload Identity
I've recently been making use of the GKE Workload Identity feature. I'd be interested to know in more detail how the gke-metadata-server component works.
GCP client code (gcloud or other language SDKs) falls through to the GCE metadata…
Charlie Egan
10 votes, 2 answers
What's the difference between Project Browser role and Project Viewer role in Google Cloud Platform
According to the console popup, the Project Browser role has browse access to the project's resources while the Project Viewer has read access to those resources.
Does this mean that with the browser role I can only list the filenames stored in the…
intotecho
8 votes, 3 answers
Google Cloud Platform IAM, I don't receive the invitation mail as a member
My partner added me as a member in a GCP project, with computer engine Admin role, but I didn't receive any invitation email.
We have already checked in spam folder.
I tried also to…
lotfi Raghib
8 votes, 1 answer
IAM Service Account Key vs Google Credentials File
I'm writing code to generate and download a private key for a Google Cloud service account.
Using the IAM API, I was able to create a service account, and my call to generate a key seems to be working. I get back a Service Account Key as described…
hubatish
7 votes, 1 answer
Google Cloud Run Authentication Service-to-Service
I have two services (APIs) deployed on GCP Cloud Run. Call them service-one.myDomain.com and service-two.myDomain.com. I would like service-one to be authenticated in calling service-two independently of what any user is doing.
I've read and…
teaMonkeyFruit
7 votes, 1 answer
GCP Cloud Build fails with permissions error even though correct role is granted
I set up a Cloud Build Trigger in my GCP project in order to deploy a Cloud Function from a Cloud Source Repository via a .yaml file. Everything seems to have been set up correctly and permissions granted according to the official documentation, but…
starmandeluxe
7 votes, 1 answer
Stackdriver Error reporting for Ruby, running on GKE
Which steps are required to collect errors from a Rails app running on GKE?
I have added the stackdriver gem to my Rails app and I have created a custom role with the errorreporting.errorEvents.create permission.
That role is given to the Compute…
martins
7 votes, 1 answer
IAM and RBAC Conflicts on Google Cloud Container Engine (GKE)
Context
Access to a Google Cloud (GKE) kubernetes cluster is managed through the Google Cloud IAM feature;
An admin invites a new user (using their google account/login) and assigns them a role.
The example role below is "Container Engine Viewer",…
Matt Johnson
6 votes, 1 answer
Restricting user access for VM in gcp
Assume two users, A and B, have full access to a GCP project. User A creates a VM. Once this is done, it appears user B can log in to the VM and also has sudo access to the VM.
We used enable-oslogin metadata but we have an issue where user a and b…
mo mo
6 votes, 2 answers
invalid image name in cloud build when using domain-scoped project
I'm trying to build a container with GCP's Cloud Build. I'm using the simple template from the quickstart doc. I've done this before successfully.
However, this time I am using a project which is under an "organization". So the project ID is…
David Scales