I created a service account and gave it Viewer access in IAM. Downloaded p12 key for the service account and used it to access Cloud Project using remote_api. Even though only Project Viewer access is granted, I can update data-store entities using the remote_api.
Is this a bug or expected behavior? If it is expected, how can I give read only access via remote_api to the Cloud Project?
Related
I am following this tutorial to use Google Cloud Storage from my AppEngine application. Older storage libraries are working fine, but after migrating to Google Cloud Java Libraries, I can't read my buckets anymore.
This is the tutorial I am following: https://github.com/googleapis/java-storage
In which the key part is the usage of Application Default Credentials: https://github.com/googleapis/java-storage#creating-an-authorized-service-object
To make authenticated requests to Google Cloud Storage, you must create a service object with credentials. You can then make API calls by calling methods on the Storage service object. The simplest way to authenticate is to use Application Default Credentials. These credentials are automatically inferred from your environment, so you only need the following code to create your service object:
Storage storage = StorageOptions.getDefaultInstance().getService();
I hope to be able to do this because this is running inside AppEngine, so Storage lives in the same project as the AppEngine code.
I am using the default service account. This service account has "owner" role in IAM configuration, and "storage object administrator" in the bucket itself.
However, I keep getting this login error:
com.google.cloud.storage.StorageException: Anonymous caller does not have storage.buckets.get access to the Google Cloud Storage bucket.
at com.google.cloud.storage.StorageException.translate(StorageException.java:118)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:287)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.get(HttpStorageRpc.java:479)
at com.google.cloud.storage.StorageImpl.lambda$get$4(StorageImpl.java:270)
at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
at com.google.cloud.storage.Retrying.run(Retrying.java:54)
at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1406)
at com.google.cloud.storage.StorageImpl.get(StorageImpl.java:269)
Probably I am missing some configuration or IAM access. Thank you in advance.
I created a custom tensorflow model and deployed to google cloud AI platform. To access the online prediction at (https://ml.googleapis.com/v1/projects/my-project/models/my-model/versions/my-version:predict),
I can use default auth token got with the following command:
access_token=$(gcloud auth application-default print-access-token)
or, according to: https://cloud.google.com/ml-engine/docs/python-client-library, I can create a service account key, download it, and use it to in an outh2 authentication protocol.
The problem arises when I want to access the online prediction from another API that I am deploying in Google Cloud Platform: in this case the command above doesn't work and I can't access to any file to sign my jwt for authentication. How can I create my jwt without accessing to any file?
I'm developing an admin page for my webpage. I'm using GAE and security-constraints. I would like to know which role-name are available and how I can define which Google Accounts could access a specific page.
When using Google App Engine, these are the pre-defined roles available:
roles/appengine.appAdmin: The App Engine Admin (read/write/modify access to all the configuration and settings of the app)
roles/appengine.serviceAdmin: The App Engine Service Admin (read-only access to app configuration and settings, write/modify access to module/version-level settings, can't deploy new versions)
roles/appengine.deployer: The App Engine Deployer (read-only access to app configuration and settings, write access to create new versions only, can't modify versions except for deleting those without traffic)
roles/appengine.appViewer: The App Engine Viewer (read-only access to app configuration and settings)
roles/appengine.codeViewer: The App Engine Code Viewer (read-only access to app configuration, settings and deployed source code)
These roles are explained in more detail here.
In order to establish the permissions for accounts to access the application, Google Cloud relies on IAM (Identity and Access Management), where you can create service accounts for accessing the app (as well as define roles for project members, including service accounts and Google accounts).
There are various ways to define permissions for access control, but I would recommend using the Cloud Console for it. Inside the console, go to the IAM page and select the project you want to define access control rules. These are the operations that you can do inside the IAM page:
Add team members (Google or service accounts.
Grant them one or more roles.
Change team member's access.
Revoke access to team members.
You can check this link for further info about how to manage roles and permssions using IAM.
In the Developer Console UI I cannot edit data as expected with this 'can view' user. However I am able to write to datastore by connecting to our Remote API Servlet on App Engine. From what I can tell, you can only apply an admin security constraint to servlets on App Engine but this still opens it up to all members of the project wether they are an owner, can write or can view. And then I'm guessing the Remote Api uses the default app engine service account which has write permissions.
Is there any way to completely lock an account down to be read only if you also want to use the Google Remote API? Is this not considered a flaw with the Remote API?
This is intended behaviour. Any administrator of the app - no matter in what role - can access the app using the remote api. Remote API does not use the default service account, it is merely a bridge to the datastore API that is tunneled over HTTP.
If you want to lock down to read for a given user, build your own REST Api that provides readonly access.
Looking for the best current approach for admins of a Google Apps domain to modify the permissions of a Google Drive object owned by other users. I'll be developing the app on Google App Engine.
It was straightforward using 2 legged OAuth and the Google Documents List API: https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth but now that Google Drive SDK is the live API, I see that service accounts are the encouraged method: Does google Drive api support 2 legged oauth? and https://developers.google.com/accounts/docs/OAuth2ServiceAccount . So I'm following an example that uses this approach and the Prediction API: https://developers.google.com/appengine/articles/prediction_service_accounts and you cannot use the GAE service account in the Team section of the API console. Get an error: "User xxx#appspot.gserviceaccount.com may not be added to project "New Proj Name". Only members from domain myappsdomain.com may be added.
So, I'm basically asking:
1) How do you use service accounts with Google Drive SDK for admin tasks like changing permissions
2) And any working GAE service account tutorials using the Drive API that work with non-domain users.
The documentation about Service Accounts and user impersonation has just been added:
https://developers.google.com/drive/service-accounts
https://developers.google.com/drive/user-impersonation
Unfortunately, App Engine Service Accounts are not supported by Google Drive yet.