I need to setup very fine-grained access control for service accounts in GCP. I am seeing this error:
"user SERVICE_ACCOUNT does not have bigquery.jobs.create permission in
project PROJECT_ID".
I know that via UI/gcloud util I can give it role roles/bigquery.
user, but it has a lot of other permissions I don't want this service account to have.
How can I grant individual permissions via gcloud/UI or some other means?
You can configure IAM directly in the Google Cloud Console:
https://console.cloud.google.com/iam-admin/iam/
Service accounts are designed to be used for server side applications e.g. VMs, AppEngine etc. In other words:
[It's] an account that belongs to your application instead of to an
individual end user. Your application calls Google APIs on behalf of
the service account, so users aren't directly involved.
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
The service account can have different BigQuery IAM roles assigned to it via the console, like so:
You add also add individual users (emails backed by a Google account) to IAM using the console, and then select which permissions they individually should have in BigQuery, like so:
BigQuery permissions & roles are defined here.
You can use Custom Roles, visible in the IAM section:
Create a role with the specific mix of permissions you need. Then it will appear in 'Custom' on the IAM role assignment page and will be available via the API.
For your specific use case, try the following in your custom role:
bigquery.jobs.create
bigquery.jobs.get
bigquery.tables.create
bigquery.tables.update
Related
I'm trying to manage multiple outlook calendars using a single account as a proxy, so all other accounts share their personal calendar with this "master" account and within this one i can add, edit or delete events "for everyone".
The problem is that i can't get the account grant the Calendar.ReadWrite.Shared to the app, even though that in my app this permissions are configured as recommended.
Azure portal - app permissions:
permissions of the app in azure portal
msalconfig:
msal configuration used
The "funny" thing is, with the account used to create the app in the first place everything works, but with any other account not.
I even created another app with the intended final account and nothing. This is the, incompplete permissions, resul:
actual result
This is the desired result:
desired result
If you just want to make a proxy to modify calendars for all users, have you tried application-only Auth and grant Calendars.ReadWrite permission with application type to it? Based on this permission official comment: Read and write calendars in all mailboxes which seems to meet your requirement.
TL;DR
How can I delegate my user permissions to a service principal in Azure Ad when the usual interactive way (e.g. web app with consent screen popup) is not feasible? This is because I cannot configure the MSI in the Azure Portal properly to work that way.
More detail
I want to grant an application permission to access the Graph API on behalf of a user. Usually, this is a well-documented scenario in which you create an app registration, acquire delegated user permissions by asking permission for the needed scopes, and then use these permissions in the app.
The app that needs Graph access is a background service that is to work on its own without user intervention/activity. For this use case, the common approach is to use application permissions. In my case this is not feasible, because application permissions require admin-consent and are all-or-nothing kind of permissions. There is no way this will be granted for me. Rightfully so, because its overkill.
But on the other hand that's really a pity. A pity, because I've found an example on how to assign Graph API application permissions directly to a Managed Service Identity rather than to a self-registered app. And my service (as an Azure Functions app) already has a MSI assigned to it. So this would be the perfect fit, b then again, there is no way I'll get those application permissions.
So what is the workaround? We have this one user principal which has all the required permissions we need for our background service. What I want to do is to delegate this user's permissions to the Function App/MSI. In order to do this, I used this SPA-template by the MSAL team to have something that will prompt me the permissions popup.
This however failed because the implicit oauth flow was not enabled. To remedy this, you usually need to update the app manifest in the portal. However, since this is a MANAGED service identity, and not a self-registered one, the MSI is not listed in the portal under app registrations. So I cannot set this property to true.
Doing the same via Azure CLI also failed because apparently the MSI is not identified as an app.
az ad app update --oauth2-allow-implicit-flow true --id <appId_of_MSI>
This yields the following error:
ResourceNotFoundError: Resource '<appId_of_MSI>' does not exist or one of its queried reference-property objects are not present.
It shows fine when doing this
az ad sp show --id <appId_of_MSI>
So in summary: I cannot complete the process of delegating that user's permissions interactively. Is there any other way? Maybe via CLI?
The fallback the solution is to create a separate unmanaged/self-registered app identity. But I want to really avoid this because then I would need to manage and rotate client (app) credentials again, which the MSI took care of for me.
Why o why can't I just assign fine-scoped application permissions 😒
Any help on this is greatly appreciated. Cheers.
In my experience Managed Identities don't support the scenario you are suggesting.
They do not have an app registration and in that way cannot authenticate users interactively.
I would go with your fallback solution; a normal app registration and use that to access Graph API on behalf of the user.
This is what we do in our projects at least.
App permissions -> Managed Identity if possible. Delegated permissions -> normal app registration + secret/certificate in Key Vault, retrieved with Managed Identity.
I'm a newbie on GCP and going to transfer tables from azure blob storage to the cloud bucket.
I follow the instructions here (use data fusion).
When I finished deploying the pipeline and was going to run it, I got an error and in the advanced log is said
INVALID_ARGUMENT: User not authorized to act as service account '####-compute#developer.gserviceaccount.com'.
I looked through several documentation and also tried looking for answers on stackoverflow but none of them work for me.
How should I grant access to a service account and which service account should I be attached to?
Now on my IAM/service accounts console, I am also assigned as Service Account User, and I only have two default services one for compute engine and one for app engine.
Really don't know what to do. Thanks in advance for any help!
You need to grant the Service Account User role. Here is an example of that. This should be perofrmed to the current user/service account you are using to run the job. As exemplified below:
Go to the IAM & Admin Console
Click on IAM
Select the member you are using to run your job
Click on the pen icon in the right side of the member's info
Add the Service Account user role
In general terms, the error is related to the lack of Service Account user role (roles/iam.serviceAccountUser) associate to the user/service account used to run the job.
Keep in mind that service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, about impersonation service accounts, an user with particular permissions can act as another service account with the necessary permission to execute a specific job.
I'm getting 403 forbidden access when trying to fetch all the groups from Microsoft graph using ASP.NET Web API, and here is my code to get all the groups:
String jsonResponse = MicrosoftGraphHelper.MakeGetRequestForString (
String.Format("{0}users/{1}/memberOf",
MicrosoftGraphHelper.MicrosoftGraphV1BaseUri,
upn));
var userGroups = JsonConvert.Deser
What are the required permissions in both Delegated and Application tabs for fetching both users and groups? Do I need Application permissions since this is an API and my UI is deployed in azure separately? I'm confused with the list of permission options and with admin consents.
Firstly, here's a great read in case you haven't seen it yet.
Delegated permissions, Application permissions, and effective permissions - Microsoft Graph permissions reference.
What are the required permissions in both Delegated and Application tabs for fetching both users and groups?
You can understand the required permissions for each api by looking at relevant documentation. With the information you've shared in your question..
For users/{1}/memberOf it will be List memberOf
For getting all groups - List Groups
If it's just these two calls in your application, Directory.Read.All would be the least privilege required. In case there are other calls, look at their documentation.
Do I need Application permissions since this is an API and my UI is deployed in azure separately?
This will depend on whose context do you acquire the token to call Microsoft Graph API. Share a little more information on your code.. OAuth flow you use to acquire token and you might get better suggestions specific to your application. In general though,
If you acquire the token as a user, then Delegated permissions (Example if you acquire token by prompting the user for credentials and from a flow perspective if you're using say Authorization code or Implict grant flow)
If you acquire the token as an application, then Application permissions (Example if you use only clientId, clientSecret/certificate to acquire token using Client Credentials flow)
Admin Consent is required or not?
This depends on what permissions you finally end up deciding as required for your application.
You can see it directly in Azure portal.. when setting required permissions fro your application, each permission has a yes or no next to it to indicate whether Admin consent is required or not. Just as example see screenshot below.
Microsoft Graph Permissions Reference.. the first link I had shared has all permissions documented. Example here is one that is relevant for you.
I have an node.js application with a working server2server GMail API communication via an service_account.
Everything works fine.
To be able to communicate with a users account, the G Suite Admin has to grant API Acess to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible, to grant access only to specific organizationals units (OUs) and it would be more fancy to use (enabling a marketing place app is more user friendly than configuring API Access for ClientID and Scope manually like here:
)
Now my question: Is it possible to provide a Marketplace App only for the purpose to grant API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?
Yes it is a working way to create a marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is, that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient)