Can I combine private publishers and public subscribers? - google-cloud-pubsub

Is it possible to configure Google Cloud Pub/Sub so that you can have any number of anonymous subscribers to a topic reading messages while the content of the published messages is controlled by an authorized publisher with an account on Google Cloud?
For example, let's say I'm building an application that publishes GOOG stock ticker price every second. I want anyone on the internet to be able to subscribe to my application to get the stock price. However, no applications except my own should be allowed to publish the price. I need to understand if this is possible.

It is possible to setup this kind of message distribution scenario using Google Cloud Identity and Access Management (IAM). Once the topic is created (e.g. /topics/goog), the topic needs to be setup with IAM roles/pubsub.publisher permission for your application's account. This can also be a IAM service account for your application.
Next, you will need to create a subscription for the /topics/goog topic (e.g. /subscriptions/goog) and configure the IAM permissions for the subscription. You should give IAM allUsers permission to the /subscriptions/goog topic.
Once this configuration is setup, then only the authorized account will be allowed to publish to /topics/goog and any internet connected user will be allowed to pull messages from /subscriptions/goog

Related

Register domain using Cloud Domains

I'm trying to purchase a new domain using Google's Cloud Domains service for a GCP project (it is a webapplication running in the Appengine). I was following the quickstart guide, but the Register Domain button is disabled for me. When hovered over, it says
Quota for domain registrations has been reached
eventhough I haven't ever registered a domain. The Quotas page states that the quota limit for registering domains is set to 0, but I can't change it. Billing is enabled for the project.
Can anyone help, what do I have to set somewhere to obtain a domain? Or is there a more optimal way of registering a custom domain to an Appengine application without using Google Domains (it is not available in my region)?
To view quotas or request quota increases, Identity and Access Management (IAM) principals need one of the following Cloud Domains roles:
To check quotas for a project you should require a project role(Cloud Domains Viewer (roles/domains.viewer)).
Modify quota, request additional quota you should require project role Cloud Domains Admin (roles/domains.admin Or Project Owner role (roles/owner), Project Editor role (roles/editor) ).
For more information refer to this link.
Please note that requesting a quota increase can take from 24 to 48 hours for approval. Refer to this link for more information.

User not authorized to act as service account

I'm a newbie on GCP and going to transfer tables from azure blob storage to the cloud bucket.
I follow the instructions here (use data fusion).
When I finished deploying the pipeline and was going to run it, I got an error and in the advanced log is said
INVALID_ARGUMENT: User not authorized to act as service account '####-compute#developer.gserviceaccount.com'.
I looked through several documentation and also tried looking for answers on stackoverflow but none of them work for me.
How should I grant access to a service account and which service account should I be attached to?
Now on my IAM/service accounts console, I am also assigned as Service Account User, and I only have two default services one for compute engine and one for app engine.
Really don't know what to do. Thanks in advance for any help!
You need to grant the Service Account User role. Here is an example of that. This should be perofrmed to the current user/service account you are using to run the job. As exemplified below:
Go to the IAM & Admin Console
Click on IAM
Select the member you are using to run your job
Click on the pen icon in the right side of the member's info
Add the Service Account user role
In general terms, the error is related to the lack of Service Account user role (roles/iam.serviceAccountUser) associate to the user/service account used to run the job.
Keep in mind that service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, about impersonation service accounts, an user with particular permissions can act as another service account with the necessary permission to execute a specific job.

App Engine authentication to access google cloud resources

I'm building an app using which the users registered(from the IAM page) for the project can access the resources of that project. I need the authentication when the URL is hit. Is there a way to achieve this?
Is it possible to provide IAM roles specific for a user request (assuming that the user will login using his email id) to access the resources based on IAM level permissions?
In the early days of AppEngine it was pretty easy to do some basic auth/access-control, but lately they're moving it to something called IAP.
From your wording I am assuming you are trying to abstract administrative tasks of a GCP project to lesser privileged administrators.
Questions 1 and 2 can be quickly solved by defining privileges in IAM using a pre-built roles or creating a custom role if you need to be more specific. Hereby you can use GSuite, GMail, Google Group accounts and let them sign into console.cloud.google.com. They will consequently only be able to see and act upon what you've assigned to them to in IAM.
If you still want to go through with building it yourself, every product does provide an API including authentication. Best practice for your use case is to instead of assigning an individual user access to a resource, you rather create a service account and then allow the user to call that service account. For this GCP has the Service Account Actor Role described well in the official documentation and also Salmaan Rashid provides a good practical insight on medium.

gmail-api for server side email downloads

I have a google business apps account.
My requirement is to scan all emails of my support email and process them.
This has to be done on the server side without any manual interaction.
I am able to make this work with IMAP, but i am looking at making this work with Google API.
This doesn't work with the Google API unless i do manual client consent.
Or i need to use the service account, in which case i have to get a domain wide access although my requirement is only for one email id. This is against my company's information security policy hence cannot use this option.
Require help on how i can use Google API to do the integration between my server and gmail server at a individual email account level. Any suggestions?

Trying to understand if I need to give domain-wide authority to my appengine service account so that it can access data on Google Drive

I have an appengine app that stores documents in a Google Docs account. It uses the Documents List API to communicate with Google Docs but I am now trying to migrate it to use the Drive API as the Documents List API is supposed to be shutdown on 4/20.
I would like to know if I need to grant any special permissions for my appengine app to be able to access the Drive account and read/write documents from it. i.e., do I need to add a row on this screen?
The Google Docs account under which files are stored by my current app is of the form user#xyz.com where xyz.com is a domain name that I purchased through Google and that is aliased to my appengine app. Further user#xyz.com is an owner of my appengine app.
Yes.
Delegate domain-wide authority to your service account
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar
Click the Authorize button.
Your service account now has domain-wide access to the Google Drive API for all the users of your domain, and potentially the other APIs you’ve listed such as the Calendar API in the example above. You are ready to instantiate an authorized Drive service Object on behalf of your Google Apps domain's users.
When you make the calls, you will have to impersonate the user whose account you want to access, i.e. user#xyz.com

Resources