I currently have a scenario wherein I created a deployment script (Python) using the Deployment Manager. It runs perfectly well in a GCP sandbox (LA Playground) I tend to use to try things out, but when I tried running it on an actual GCP project with billing accounts etc., I get a permission error even though I'm using basically the same set of roles in the service account I created for it. I am also the project owner of that troubling GCP account.
The particular set of permissions I'm having problems with is in creating project sinks. I always get the following error:
Error in Operation [operation-xxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxxx-9d487530]: errors:
- code: RESOURCE_ERROR
  location: /deployments/structured-pipeline/resources/dataprep-bq-listener-sink
  message: '{"ResourceType":"gcp-types/logging-v2:projects.sinks","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://logging.googleapis.com/v2/projects/redacted-gcp-project-name-dev/sinks","httpMethod":"POST"}}'
Here's the list of roles I have attached on the service account that is used to run the deployment:
Compute Admin
Deployment Manager Editor
Security Admin
Logging Admin
Logs Configuration Writer
Pub/Sub Admin
Service Usage Admin
Storage Admin
As you may see, I already made them admin level just to make sure I'm not missing a required permission.
As per the official documentation, the specific permission needed for creating project sinks is logging.sinks.create, which is included in both the Logging Admin and Logs Configuration Writer roles.
UPDATE#1:
Here's the expanded DM config of the troubled resources:
- name: dataprep-bq-listener-sink
  properties:
    destination: pubsub.googleapis.com/projects/redacted-gcp-project-name-dev/topics/dataprep-bq-listener-vpcps3s6wjzbmkbxxlsqqh
    filter: |-
      resource.type="bigquery_dataset"
      resource.labels.dataset_id="dataprep_output_vpcps3s6wjzbmkbxxlsqqh"
      protoPayload.methodName="google.cloud.bigquery.v2.JobService.InsertJob"
    outputVersionFormat: V2
    sink: dataprep-bq-listener-sink-vpcps3s6wjzbmkbxxlsqqh
  type: gcp-types/logging-v2:projects.sinks
- accessControl:
    gcpIamPolicy:
      bindings:
      - members:
        - $(ref.dataprep-bq-listener-sink.writerIdentity)
        role: roles/pubsub.publisher
  name: dataprep-bq-listener
  properties:
    labels:
      client_namespace: redacted-client-name
    topic: dataprep-bq-listener-vpcps3s6wjzbmkbxxlsqqh
  type: pubsub.v1.topic
  metadata:
    dependsOn:
    - dataprep-bq-listener-sink
UPDATE#2
I set my gcloud to use a service account for credentials (https://cloud.google.com/sdk/docs/authorizing#authorizing_with_a_service_account) which has the roles I stated above.
Running gcloud auth list clearly points to the service account I created/used.
ACTIVE  ACCOUNT
        my_redacted_email@company.com
        cloud_user_p_2725ef46@linuxacademygclabs.com
        cloud_user_p_2e3db20d@linuxacademygclabs.com
        cloud_user_p_41b5121a@linuxacademygclabs.com
        cloud_user_p_b57aaef8@linuxacademygclabs.com
        cloud_user_p_bdb72060@linuxacademygclabs.com
        cloud_user_p_c2f5d19a@linuxacademygclabs.com
        cloud_user_p_c3c54122@linuxacademygclabs.com
        cloud_user_p_c88350f1@linuxacademygclabs.com
        cloud_user_p_d7702b8b@linuxacademygclabs.com
*       service_account_used_in_dm@project_id.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
UPDATE#3
Running gcloud projects get-iam-policy <PROJECT_ID> results in the following list of IAM policy bindings (I've replaced my email with "my_redacted_email@company.com" and the service account email I used for the DM with "service_account_used_in_dm@project_id.iam.gserviceaccount.com"; all the default service accounts I retained):
bindings:
- members:
  - user:my_redacted_email@company.com
  role: roles/billing.projectManager
- members:
  - serviceAccount:1008104628570@cloudbuild.gserviceaccount.com
  role: roles/cloudbuild.builds.builder
- members:
  - serviceAccount:service-1008104628570@gcp-sa-cloudbuild.iam.gserviceaccount.com
  role: roles/cloudbuild.serviceAgent
- members:
  - serviceAccount:service-1008104628570@gcf-admin-robot.iam.gserviceaccount.com
  role: roles/cloudfunctions.serviceAgent
- members:
  - serviceAccount:service-1008104628570@gcp-sa-cloudscheduler.iam.gserviceaccount.com
  role: roles/cloudscheduler.serviceAgent
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/compute.admin
- members:
  - serviceAccount:service-1008104628570@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:service-1008104628570@containerregistry.iam.gserviceaccount.com
  role: roles/containerregistry.ServiceAgent
- members:
  - serviceAccount:service-1008104628570@dataflow-service-producer-prod.iam.gserviceaccount.com
  role: roles/dataflow.serviceAgent
- members:
  - serviceAccount:service-1008104628570@trifacta-gcloud-prod.iam.gserviceaccount.com
  role: roles/dataprep.serviceAgent
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/deploymentmanager.editor
- members:
  - serviceAccount:1008104628570-compute@developer.gserviceaccount.com
  - serviceAccount:1008104628570@cloudservices.gserviceaccount.com
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  - user:my_redacted_email@company.com
  role: roles/editor
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/iam.securityAdmin
- members:
  - user:my_redacted_email@company.com
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/logging.admin
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/logging.configWriter
- members:
  - user:my_redacted_email@company.com
  role: roles/owner
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/pubsub.admin
- members:
  - user:my_redacted_email@company.com
  role: roles/resourcemanager.projectIamAdmin
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/serviceusage.serviceUsageAdmin
- members:
  - serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com
  role: roles/storage.admin
etag: BwW0MM3sGXk=
version: 1
As you may have noticed, the service account I'm using has bindings to the roles I mentioned above at the project level.
UPDATE#4
Creating the sink through gcloud using the same service account results in a successful creation of the sink.
gcloud logging sinks create dataprep-bq-listener-sink-vpcps3s6wjzbmkbxxlsqqh pubsub.googleapis.com/projects/<project_id>/topics/dataprep-bq-listener-vpcps3s6wjzbmkbxxlsqqh --log-filter='resource.type="bigquery_dataset" AND resource.labels.dataset_id="dataprep_output_vpcps3s6wjzbmkbxxlsqqh" AND protoPayload.methodName="google.cloud.bigquery.v2.JobService.InsertJob"' --project=<project_id>
UPDATE#5
@Kolban noted the requirement of Deployment Manager for the [PROJECT_NUMBER]@cloudservices.gserviceaccount.com service account to have the Editor role, as stated in the official documentation; looking at UPDATE#4, it clearly shows that the said service account has the Editor role.
He also noted the possibility of mixing up multiple cloud accounts (I might be running the command using the service account but under a different cloud account), so I executed the following commands: gcloud config get-value account and gcloud config get-value project, which returned what I expected, namely the correct GCP project and service account pair.
The docs state:
    To create other Google Cloud resources, Deployment Manager uses the credentials of the Google APIs service account to authenticate to other APIs. The Google APIs service account is designed specifically to run internal Google processes on your behalf. The service account is identifiable using the email: [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
In your case, your 1008104628570@cloudservices.gserviceaccount.com service account is bound to the roles/editor role at project level. However, the permission you require (logging.sinks.create) isn't contained within that legacy Editor role.
Can you try additionally granting the 1008104628570@cloudservices.gserviceaccount.com service account the Logging Admin role (roles/logging.admin) and see if that helps?
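As an added example (not code from the question or the answer), a small Python check that applies the answer's diagnosis to the policy posted in UPDATE#3: it names the principal Deployment Manager actually acts as, lists that principal's project-level roles, and prints the grant the answer proposes. The JSON is a constructed excerpt of the posted policy ('#' read as '@'), and the set of roles carrying logging.sinks.create is what the thread states, not a live lookup.

```python
import json

# Roles the thread names as carrying logging.sinks.create (Logging Admin,
# Logs Configuration Writer) plus roles/owner; per the answer, the legacy Editor role does not.
ROLES_WITH_SINKS_CREATE = {"roles/logging.admin", "roles/logging.configWriter", "roles/owner"}

# Constructed excerpt of the UPDATE#3 policy, as
# `gcloud projects get-iam-policy <PROJECT_ID> --format=json` would print it.
POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor", "members": [
      "serviceAccount:1008104628570-compute@developer.gserviceaccount.com",
      "serviceAccount:1008104628570@cloudservices.gserviceaccount.com",
      "serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com",
      "user:my_redacted_email@company.com"]},
    {"role": "roles/logging.admin", "members": [
      "serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:my_redacted_email@company.com"]}
  ],
  "etag": "BwW0MM3sGXk=",
  "version": 1
}
"""

def load_policy(text: str = POLICY_JSON) -> dict:
    return json.loads(text)

def dm_actor(project_number: str) -> str:
    """Deployment Manager creates resources as the Google APIs service
    account, not as the account that ran the deployment."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"

def roles_of(policy: dict, member: str) -> set:
    """Project-level roles bound to one member (exact, case-sensitive match)."""
    return {b["role"] for b in policy["bindings"] if member in b["members"]}

def can_create_sinks(policy: dict, member: str) -> bool:
    return bool(roles_of(policy, member) & ROLES_WITH_SINKS_CREATE)

def remediation(project_id: str, member: str) -> str:
    """The grant the answer proposes, as the gcloud command that applies it."""
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role=roles/logging.admin")

if __name__ == "__main__":
    policy = load_policy()
    for member in (dm_actor("1008104628570"),
                   "serviceAccount:service_account_used_in_dm@project_id.iam.gserviceaccount.com"):
        ok = can_create_sinks(policy, member)
        print(member, sorted(roles_of(policy, member)), "can create sinks" if ok else "denied")
        if not ok:
            print("  fix:", remediation("<PROJECT_ID>", member))
```

The point the output makes is that the caller's own service account passes the check while the Google APIs service account, the one the 403 is really about, holds only roles/editor.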
Related
I'm unable to create a Cloud Function in my GCP project using GUI, but have admin roles for GCF, SA and IAM.
Here is the error message:
Missing necessary permission iam.serviceAccounts.actAs for cloud-client-api-gae on the service account serviceaccountname@DOMAIN.iam.gserviceaccount.com. Grant the role 'roles/iam.serviceAccountUser' to cloud-client-api-gae on the service account serviceaccountname@DOMAIN.iam.gserviceaccount.com.
cloud-client-api-gae is not an SA nor a User on my IAM list. It must be a creature living underneath the Graphical User Interface.
I have Enabled API for GCF, AppEngine and I have Service Account Admin role.
I had literally 0 search results when googling for cloud-client-api-gae.
I've contacted GCP support and it seems my user was missing a single role: Service Account User - that's it.
PS: Person from support didn't know what this thing called "cloud-client-api-gae" is.
Saw the same thing. You need Service account user on the SA you plan to deploy the CF onto. The same incorrect identity was shown.
The user account attempting to create the cloud function needs to be given the "Service account user" role on the service account they are using for this cloud function to run on.
I created two application instances [Dynamics 365 Finance and Operations] for prod and test environments. I'm now getting the following error.
Unable to get the channel information
Detail
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: '0DEC01638DF6D70A2D57DFE338ABFC3D6BD45458', Please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/00000015-0000-0000-c000-000000000000' to see configured keys]
Trace ID: afa96f28-9dbe-48cb-a569-431f637b1a00
Correlation ID: 8981ef7c-9bd5-427e-bd33-072fc7faca86
Timestamp: 2020-02-05 07:47:17Z ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401
This log is from the test environment, and it started giving this error after I started creating the production environment using this AAD_AppId: 00000015-0000-0000-c000-000000000000. So my question is: is it possible to use the same AAD_AppId for two applications?
No, you can't.
The Application ID of an AD App is a GUID across all Azure AD tenants; at most you can use the same display name of the AD App for your prod and test environments. Even if they have the same display name, they will have different Application IDs.
Besides, 00000015-0000-0000-c000-000000000000 is the Application ID of the Microsoft application Microsoft Dynamics ERP; it will appear in the Enterprise applications of any AAD tenant that used it. They will have different Object IDs in different tenants, but they will have the same Application ID.
Given two independent organizations, Ciccio and Pierino: Ciccio has an AAD in which bepi@pierino.com is a guest user with the role of global administrator, and Ciccio wants bepi@pierino.com to create the first Azure Sphere tenant. Is it possible for bepi@pierino.com to do the first "azsphere login" inside the Ciccio Active Directory? If so, how?
This is the error message encountered:
azsphere login
error: You could not be authenticated: AADSTS650051: Using application 'Azure Sphere API' is currently not supported for your organization pierino.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of pierino.com before the application Azure Sphere API can be provisioned.
Trace ID: 3a0aad18-5fe6-45cc-89ea-6989317a1400
Correlation ID: 9852e07b-73f5-4b62-a710-258c1bbaa740
Timestamp: 2019-09-11 14:45:25Z
error: Command failed in 00:00:45.7810542.
Azure Sphere team is making a few improvements to this area soon. Hope you can wait for a few more weeks on this issue.
How can I find out what admin permissions are blocking the user from signing in to an Azure AD app?
I am setting up an App Registration in the Azure AD portal to be used with my Service Fabric cluster. The app registration does basic auth and only has one Required Permission configured: Sign in and read user profile (which does NOT require admin permission).
My tenant has the "Users can consent to apps accessing company data on their behalf" setting to "Yes", so it's not that.
Also, the /authorize request doesn't have any resource parameter, so it's implicitly asking for the permission I configured: Azure AD's Sign in and read user profile.
However, when a non-admin user attempts to sign in, I still get the error:
AADSTS90094: The grant requires admin permission
I reproduced the scenario and this is what I observed. Found a workaround, hope it helps.
First I created a Service Fabric (SF) cluster secured with AAD authentication using the steps described here, using an AAD tenant where I am not a global admin.
Then I tried to login to Service Fabric Explorer (SFX) and I got this error:
AADSTS50105: The signed in user is not assigned to a role for the application 'f8c79129-deb7-4a21-a6e0-ec29e88298ef'
This is expected, because the user must be assigned to a role (Admin or ReadOnly) in the SF application that represents the cluster. So I went to AAD > Enterprise Applications > found my cluster app and under Users and Groups I added myself to the Admin role. Notice that the fact that a regular user can administer the roles of an application that the user owns is something new, it's available since a month or so -- before that, a regular user couldn't administer the roles of an application.
Then I tried to login again to SFX and I got a different error:
AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: f8c79129-deb7-4a21-a6e0-ec29e88298ef. Resource value from request: . Resource app ID: 00000002-0000-0000-c000-000000000000. List of valid resources from app registration: .
00000002-0000-0000-c000-000000000000 is Windows Azure Active Directory. For some reason SetupApplications.ps1 doesn't assign the Sign in and Read User Profile permission to the SF cluster application. So I edited the application and I assigned that permission, just like you showed in your print screen. Notice that SetupApplications.ps1 has a parameter AddResourceAccess (not mentioned in the doc) that adds that permission, not sure why it doesn't add it by default. Perhaps it isn't needed when you run SetupApplications.ps1 as a global admin, and the scripts/doc assumes that you are a global admin.
Then I tried to login to SFX again and I got the same error that you observed:
AADSTS90094: The grant requires admin permission.
So I checked the SF application under AAD > Enterprise Applications > found the SF cluster app > Properties. User assignment required is configured "Yes". I changed it to "No" and tried to login to SFX. This time it worked OK, I could consent and access the SFX console. Then I changed User assignment required again to "Yes".
One can argue if the SF app really needs User assignment required > Yes because anyway if a user is not assigned to the Admin or ReadOnly role, SFX will try to fallback to client certificate authentication.
Either way, the AAD behavior is confusing. At least the error should be more descriptive and point to the User assignment configuration. Perhaps the current behavior has to do with what I mentioned before, that regular users can now administer roles. Perhaps the behavior is being improved.
Using IAM, I am trying to allow certain users to access APIs and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.
When the user is in their project and goes to "APIs and Services" > Credentials, the user receives this error:
You don't have permission to view API keys, OAuth clients, and service account keys.
Roles/Permissions:
- App Engine Admin
- Cloud Functions Developer
- Cloud Datastore Owner
- Service Account Admin
- Source Repository Administrator
- Storage Admin
So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.
I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:
"Custom API"
container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update
"Custom Client Auth"
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.
You can go to the roles page:
https://console.cloud.google.com/iam-admin/roles?project=[your-project-id]
And there you can filter for the permission you need:
Now you can see in the list all the roles that include the permission you need, and you can return to the IAM page:
https://console.cloud.google.com/iam-admin/iam?project=[your-project-id]
And select one of those roles: