
I created a service account to use with the Cloud Translate API (from my app), and have noticed that I can make the call even though I have not assigned it any roles!!!

I have verified (based on this answer) via `gcloud projects get-iam-policy MYPROJECTID` that the service account I used has no roles associated.

I thought the service account would need at least the "Cloud Translation API User" role in order to work.

  1. How do I restrict the service account to only be able to use the Translate API?
  2. If this is not possible, does this mean that some APIs are accessible by any service account in the project?

Thanks Z

zam6ak
  • Are you certain that you're using the service account and not other credentials when you're making the call? A service account with no roles has no access. The probability (not certainty) is that you're actually making the call using credentials that do have permission. – DazWilkin Apr 02 '19 at 00:38
  • @DazWilkin I am 99.999% certain. I export `GOOGLE_APPLICATION_CREDENTIALS` pointing to the path of the JSON file containing service account credentials. I can then see that service account made a call using API & Services Dashboard > Credentials > "Service Specific Usage (last 30 days)" (grid column). It also is the *only* service account in that project... – zam6ak Apr 02 '19 at 12:41
  • I'm going to try it. – DazWilkin Apr 02 '19 at 15:47
  • Hmmm..... Curious. Yes, I see the same behavior. Checking with engineering. – DazWilkin Apr 02 '19 at 16:01
  • @DazWilkin any updates you can share? – zam6ak Apr 23 '19 at 12:52
  • I didn't receive a response to my request but I think I know the answer. I assume (!) that the Translate API is *not* (yet) integrated with IAM. It's only possible to access IAM-integrated services with credentials that have the appropriate roles. For non-IAM-integrated services the only way to constrain authorization is through OAuth Scopes. So, Q1 -- you can't (currently) unless Translate is the only API enabled in the project; Q2 -- yes. – DazWilkin Apr 29 '19 at 04:01
  • @DazWilkin thanks...I wish this was in the docs somewhere :( (unless I missed it) – zam6ak May 15 '19 at 13:51
  • You're welcome! I agree. Please consider filing a feature request using Google's [Issue Tracker](https://issuetracker.google.com). It's always more impactful coming from a customer. – DazWilkin May 15 '19 at 14:42
  • How are you accessing the Translate API (through one of the SDKs [which?] or the API directly)? Google Engineering confirmed that the v2 API does not implement IAM but v3beta1 does: https://cloud.google.com/translate/docs/quickstart-client-libraries-v3 https://cloud.google.com/iam/docs/understanding-roles#cloud-translation-roles – DazWilkin May 20 '19 at 18:57

1 Answer


The Translate API v2 isn't integrated with Cloud IAM, but v3 is, and that's why there are Cloud Translation roles (which also apply to the Cloud AutoML Translation service).

Regarding Question 1: For non-IAM-integrated services the only way to constrain authorization is through OAuth Scopes. So, for Translation API v2 you can't restrict the service account to use only this API unless Translate is the only API enabled in the project.

Regarding Question 2: API services not integrated with Cloud IAM can be accessed using only a service account, even if it doesn't have any roles (because there are no Cloud IAM roles associated with the service yet).

Héctor Neri
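The answer leaves the asker with two things to check for a service account in a project: whether it actually has any role bindings, and, since a non-IAM-integrated API accepts any service account in the project, whether the project has other APIs enabled besides the one the account is meant to use. The script below is an added example, not code from the question or the answer. It works offline on JSON in the shape that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud services list --enabled --format=json` print (the field layout is assumed from those commands' output); the policy, service list, project id and service-account e-mail addresses are constructed sample values.

```python
"""Audit a service account's IAM exposure in a GCP project.

Added example (not from the original post). Given the JSON output of
  gcloud projects get-iam-policy PROJECT --format=json
  gcloud services list --enabled --format=json
it reports which roles bind the service account and which enabled APIs,
other than the intended one, would be reachable by a role-less account if
they are not IAM-integrated (as the answer describes for Translate v2).
"""
import json

# Constructed sample of `gcloud projects get-iam-policy --format=json`.
# The service account under audit deliberately appears in no binding.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwWconstructedEtag=",
    "version": 1,
})

# Constructed sample of `gcloud services list --enabled --format=json`.
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "translate.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "storage.googleapis.com"}, "state": "ENABLED"},
])


def roles_for_member(policy_json, member):
    """Return the sorted roles whose binding lists `member`
    (e.g. 'serviceAccount:name@project.iam.gserviceaccount.com')."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def enabled_services(services_json):
    """Return the sorted API names reported as ENABLED."""
    return sorted(s["config"]["name"] for s in json.loads(services_json)
                  if s.get("state") == "ENABLED")


def audit(policy_json, services_json, sa_email,
          intended_service="translate.googleapis.com"):
    """Summarise the service account's bindings and the project's API surface."""
    member = "serviceAccount:" + sa_email
    roles = roles_for_member(policy_json, member)
    enabled = enabled_services(services_json)
    extra = [s for s in enabled if s != intended_service]
    findings = []
    if not roles:
        findings.append(member + " has no IAM role bindings in the project policy")
    if extra:
        # Per the answer, a role-less account can still reach any enabled API
        # that is not IAM-integrated, so these widen the exposure.
        findings.append("APIs enabled besides " + intended_service + ": "
                        + ", ".join(extra))
    return {"roles": roles, "enabled": enabled,
            "extra_enabled": extra, "findings": findings}


if __name__ == "__main__":
    # Constructed service-account address for the demo run.
    report = audit(SAMPLE_POLICY, SAMPLE_SERVICES,
                   "translator@my-project.iam.gserviceaccount.com")
    for line in report["findings"]:
        print("FINDING:", line)
```

In practice you would pipe the two `gcloud` commands into files and pass their contents to `audit()`; an empty `roles` list together with a non-empty `extra_enabled` list is exactly the situation the asker hit, and disabling the unneeded APIs is the only lever the answer identifies for the v2 API.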