How can I give additional roles to the default Google App Engine (GAE) service account:
Specifically, I want to give "Cloud SQL client" role to the default app engine service account. When I try to modify the role I get this message:
As it was answered in the comment section by #John Hanley, to add roles to a service account, go to IAM & Admin -> IAM, find your service account in the table and edit it to grant necessary roles.
In addition, please have a look st the documentation Understanding service accounts section Granting access to service accounts:
Granting access to a service account to access a resource is similar
to granting access to any other identity. For example, if you have an
application running on Compute Engine and you want the application to
only have access to create objects in Cloud Storage. You can create a service account for the application and grant it the Storage Object
Creator role.
Learn about Granting roles to all types of members, including
service accounts.
Related
I am building an application which will use Azure B2C as the identity system. It will include some local accounts, and some federated accounts for Enterprise SSO logins.
The application will have “application tenants”, representing customer organization/company.
I’d like a user to be able to grant users access to one or more application tenants (in case some users will manage multiple company accounts within the app).
There will also be multiple roles within the app (e.g. read only, full admin).
What is the recommended way to map a B2C User to “app tenants” and roles?
Create AAD group per tenant and role and check membership?
Custom attribute for tenantid(s)?
Or must I map users to tenants & roles in app DB/ outside of B2C?
Is this scenario described in any docs that might point me in the right direction?
Thanks!
I'm not able to access any tabs in AAD. What could be the issue?
Please check if below points can be worked around in your case.
Buttions or options being greyed out maybe because , you may not have had global admin rights/user administrator rights on the azure AD tenant. There are a few roles which can create users within the directory. You may not have any roles within the directory which permit the operations.
Reference: github issue.
Even in Azure AD free edition ,one should be able to create the users if you have proper roles .
On completion of the first 30 days of Microsoft Azure’s free trial,
your ‘Free Trial’ Azure Subscription will be disabled. To fix this,
the subscription needs to be changed to the ‘Pay-As-You-Go’ plan
instead of the ‘Free Trial’ plan which it is currently on.
For example :For applications under Enterprise application, one of the following roles: Global Administrator, Cloud Application
Administrator, Application Administrator, or owner of the service
principal.
You can check Azure AD built-in roles, and by checking the
description of role , assign the required one to manage identity .
You can Assign Azure AD roles to users to manage the identities
if you have global or role administrator rights. Approach the
admin to assign the roles .Also see custom roles in Azure AD
if needed.
Please check if this issue in - Microsoft Q&A can relate .
If issue still remains you can raise a support request in troubleshoot+support blade.
I have a build pipeline which deploys some ARM templates. It's a requirement for some of those resources to have role assignments for RBAC.
The service principle that the pipeline uses to connect to subscription is an owner, but if either the templates try to create role assignment resources, or I try to run az cli in the pipeline to create the assignments, there's insufficient permissions.
What permissions above owner is required to allow this?
I suppose you misunderstood the Global admin and Owner. The Global admin is an Administrator role in Azure AD, and the Owner is an RBAC role in the subscription. They are different things.
When you use the azure cli like below to create the role assignment, it adds the service principal joytestsp as an Owner to the storage account. The service principal which you login needs to call the AAD Graph to get the object first and then call the azure mangement rest api to add it to the storage account.
az role assignment create --assignee 'joytestsp' --role 'Owner' --scope '/subscriptions/xxxxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joyfunction'
So to fix the issue, you could navigate to the Azure Active Directory in the portal -> Roles and administrators -> click the Global administrator -> Add assignments-> add your service principal which used to login as a Global administrator. Then it should work.
Besides, if you don't want to give it the Global administrator to the service principal, you can also specify the object id of the service principal/user in the command, then it will also work.
az role assignment create --assignee 'b4d3c922-xxxxxxx-3ab785333011' --role 'Owner' --scope '/subscriptions/xxxxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/joyfunction'
I have resource in Azure subscription #1 and I want to grant permissions to Azure AD application from subscription #2. Both subscription have separate AAD tenants.
I've created application in subscription #2, marked it as multi-tenant and added certificate credentials to it. There're a few instructions on how to create multi-tenant apps that can login users from multiple tenants. But I don't need any of these logins and don't want to host any API for it. All I need is for users in other subscriptions being able to grant my app permissions to the resources.
I can't figure out how can I link (give consent) to app from another subscription/AAD tenant. My understanding there should be a way for me to reference AppId from app in subscription #2 and create new service principal for it unders subscription #1.
I've tried in subscription #1 New-AzureADServicePrincipal -AppId <AppIdFromSubscription2>
Fails with "Code: Request_ResourceNotFound, Message: Resource 'ServicePrincipal_888ad8a8-8888-4652-8b8b-c141fa1e7191' does not exist or one of its queried
"
New-AzureADServicePrincipal with AppId from another subscription does work.
I had silly mistake on my end, I've been using my #outlook.com account for my subscription and Connect-AzureAD logged me under some MSA tenant, which I have no permissions to modify. Once I specified TenantId with Connect-AzureAD, New-AzureADServicePrincipal worked fine.
I believe one of our developers inadvertently deleted the two default service accounts that came with the Google Cloud Project
I am now unable to start or spin up any new servers as I receive this:
The user does not have access to service account
'215988481317-compute#developer.gserviceaccount.com'
Is there a way to restore this service account with the correct permissions?
OR is the entire project screwed because this account doesn't exist anymore and creating a new account doesn't have this same syntax?
It appears that the service account's project permission may have been deleted rather than the account itself. Try adding the service account email address as member with the "Editor" role using the Permissions page.