I have so many appengine projects running on different google accounts. I have forgotten which google account I have used for one of my appengine projects. Is there a way to find out the google account id based on my project id?
There is not; this would likely be a security concern if it were possible.
The solution would be to iterate over all your accounts and test each account in turn -- like a key -- in the project's lock until you -- hopefully -- find one that works.
You'll want to identify a command that you consider sufficient to determine that you have access, perhaps:
gcloud projects describe ${PROJECT}
Then you could iterate across all your authenticated accounts, trying this command:
for ACCOUNT in $(gcloud auth list --format="value(account)"); do
  gcloud projects describe ${PROJECT} --account=${ACCOUNT}
done
UPDATE
More cute (but in full-disclosure I find gcloud filter|formatting challenging cf to jq):
for ACCOUNT in $(gcloud auth list --format="value(account)"); do
  ROLE=$(\
    gcloud projects get-iam-policy ${PROJECT} \
      --flatten="bindings[].members" \
      --filter="bindings.members=user:${ACCOUNT}" \
      --format="value(bindings.role)")
  # Quote both values so an account with no role still prints one well-formed row
  printf "%s\t%s\n" "${ACCOUNT}" "${ROLE}"
done
Related
I created App Engine custom domains with my own GCP user account.
If I run this command as that user I see a resourceRecords: field with all the A and AAAA records:
gcloud app domain-mappings describe 'mydom.com'
If I run the SAME command as a different user (one that has app engine admin and viewer roles) I see the resourceRecords: field with only a CNAME record. Why is this?
No permissions errors, no other errors. The SAME command run by different users returns different values from the describe API.
This behavior is unexpected. How/why is this happening?
I run Terraform centrally with a GSA. That GSA is getting different data from the API because of whatever this behavior is doing; plans return incorrect info.
EDIT:
There is now an official bug report for this (please star it!) https://issuetracker.google.com/issues/207364598
I found the reason for this frustratingly bizarre and unhelpful and poorly documented behavior.
I found the issue through this SO post: How to use Terraform `google_app_engine_domain_mapping` with service account?
If you are not an "owner" for the domain as defined here, the API will indeed not return the IP address list and also not bother throwing any kind of helpful warning message.
While my question wasn't Terraform-specific, it looks like you might be able to terraform the whole thing with the help of this custom provider: https://github.com/hectorj/terraform-provider-googlesiteverification.
Also, I tried adding the email of a google group as an owner and that did not seem to work. Individual users must be added.
There is an official bug for this (please star so google fixes it!): https://issuetracker.google.com/issues/207364598
Using IAM, I am trying to allow certain users to access APIs and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.
It's when the user is in their project, and they go to "APIs and Services" > Credentials, the user receives this error:
You don't have permission to view API keys, OAuth clients, and service account keys.
Roles/Permissions:
- App Engine Admin
- Cloud Functions Developer
- Cloud Datastore Owner
- Service Account Admin
- Source Repository Administrator
- Storage Admin
So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.
I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:
"Custom API"
container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update
"Custom Client Auth"
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.
You can go to the roles page:
https://console.cloud.google.com/iam-admin/roles?project=[your-project-id]
And there you can filter for the permission you need:
Now you can see in the list all the roles that include the permission you need, and you can return to the IAM page:
https://console.cloud.google.com/iam-admin/iam?project=[your-project-id]
And select one of those roles:
Somehow one of my Google Cloud projects got deleted. I don't know why or how, but I got an email which explained that I have one month to reactivate it, without any notice of who deleted it initially.
Now I want to undelete this project with the gcloud command:
gcloud projects undelete <projectId>
but it fails with the following message:
ERROR: (gcloud.projects.undelete) FAILED_PRECONDITION: Parent organization is not active
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Parent organization is not active
If I try to describe the given organization id with the command:
gcloud organizations describe <organizationId>
it fails with something like "This organization does not exist".
I also tried to undelete it with the Google Cloud Console but it also fails (without a real error message).
How can I undelete my project? And if this is a serious issue, how can I contact Google Support without having the Gold Support membership?
The error message you’re getting means that you are trying to undelete a project that is still part of an organization that no longer exists.
As the organization no longer exists it doesn’t allow you to restore the project, since projects belong to an organization, as can be seen in the GCP resource hierarchy tree.
The following documentation 1 and documentation 2 provide information for the support options that you can have.
I have recently used the omniauth-google-oauth2 gem in one of my Rails 5 applications for authenticating users, and it is working fine. The application is intended for a specific group of users, in my case students of a university. All users have a Google account with email addresses ending with @ait.asia or @ait.ac.th.
Is it possible to restrict authentication to only the above-mentioned users, i.e. only users with email addresses ending with @ait.asia or @ait.ac.th?
You can pass a list of Google Apps hosted domains to the hd option when you are adding the OmniAuth middleware to your application.
So, in your case, you can make an initializer like this:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2,
           ENV["GOOGLE_CLIENT_ID"],
           ENV["GOOGLE_CLIENT_SECRET"],
           hd: %w(ait.asia ait.ac.th)
end
You can see a complete list of the configuration options here
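As a server-side complement to the `hd` option in the answer above (an added example, not part of the original answer or the gem's code): `hd` is sent to Google as a request parameter, so the callback can still confirm the returned account's domain itself. The auth-hash layout (`extra.raw_info` with `email`, `email_verified`, `hd`), the name `check_hosted_domain`, and the sample account are assumptions constructed for illustration.

```ruby
# Added example: hosted-domain check to run in the OmniAuth callback.
# Assumption: the auth hash exposes extra.raw_info with email, email_verified
# and hd. A plain Hash with string keys stands in for it here.

ALLOWED_DOMAINS = %w[ait.asia ait.ac.th].freeze

# Returns [true, nil] when sign-in may proceed, otherwise [false, reason].
def check_hosted_domain(auth, allowed = ALLOWED_DOMAINS)
  raw   = auth.dig("extra", "raw_info") || {}
  email = raw["email"].to_s.strip.downcase
  hd    = raw["hd"].to_s.strip.downcase

  # email_verified may arrive as a boolean or as the string "true".
  return [false, :email_not_verified] unless raw["email_verified"].to_s == "true"

  # Consumer accounts carry no hd value, so a missing one is a rejection.
  return [false, :no_hosted_domain] if hd.empty?
  return [false, :hd_not_allowed] unless allowed.include?(hd)

  # Compare the text after the last "@" exactly. A suffix match on the whole
  # address would accept lookalikes such as "x@notait.asia".
  local, at, domain = email.rpartition("@")
  return [false, :malformed_email] if at.empty? || local.empty?
  return [false, :email_domain_not_allowed] unless allowed.include?(domain)

  [true, nil]
end

# Constructed sample input (not real account data).
SAMPLE_STUDENT = {
  "extra" => { "raw_info" => {
    "email" => "st123456@ait.asia", "email_verified" => true, "hd" => "ait.asia"
  } }
}.freeze

if __FILE__ == $PROGRAM_NAME
  ok, reason = check_hosted_domain(SAMPLE_STUDENT)
  puts(ok ? "allowed" : "rejected: #{reason}")
end
```

In a Rails callback action the hash would come from `request.env["omniauth.auth"]`, and a rejection should end the request before any session is created.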
I can't find it.
https://cloud.google.com/appengine/pricing talks about it but doesn't say where.
This one says it's in the billing section, but the billing section lists my billing accounts and inside an account I can't find it either.
Using the new console, you can change your billing from your App Engine settings:
https://console.developers.google.com/project/your-app-id/appengine/settings
Make sure you've linked your project to a billing account. To do this, head over to your project-level settings:
https://console.developers.google.com/project/your-app-id/settings
If that still doesn't work, try the old console:
https://appengine.google.com/billing/billing_status?&app_id=s~your-app-id.
You must prepend the "s~" to your App ID in the old console URL if your app uses High Replication Datastore (very likely).