Questions tagged [gcp-iam]

28 questions
6
votes
2 answers

Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals

Problem Terraform GCP google_service_account and google_project_iam_binding resource to attach roles/editor deleted Google APIs Service Agent and GCP default compute engine default service account in the IAM principals. GKE cluster cannot be deleted…
5
votes
2 answers

Organization Admin somehow doesn't have access to create a folder in GCP?

I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account). But when I go to Manage Resources, and try to create a…
4
votes
0 answers

How do I get the email name of the current user retrieved via default credential fetching

I am not using a JSON key. I use the default credential loading mechanism that is used when you create any new client. But what means is there to reflect on the current creds? import google.auth creds, project = google.auth.default() # I can get…
3
votes
2 answers

instance creation failed: Required 'compute.images.useReadOnly'

I have created a dedicated GCP project with images I want to share with people from other organizations. I gave those people a custom role on the whole project with the following…
3
votes
2 answers

How to enable Identity and Access Management (IAM) API programmatically for a Google Cloud Project?

I want to use the project.getIamPolicy and setIamPolicy, but it gives me 403 with the error message saying "Identity and Access Management (IAM) API has not been used in project before or it is disabled. Enable it by visiting…
2
votes
1 answer

How do I generate signed URLs for GCS with workload identity in the C# SDK?

I use workload id for all my GKE deployments. I have an app that needs to generate signed URLs for GCS and it uses the C# SDK. I see no docs on how to do this with workload id only static keys. It looks like I might have to manually call SignBlob()…
2
votes
1 answer

How to create the GCP workload identity IAM bindings in Terraform?

GCP allows the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account. gcloud iam…
2
votes
1 answer

Permission bigquery.tables.get denied or it may not exist

I am using the AWS Glue connector for BigQuery. My glue jobs were running fine in multiple AWS accounts but suddenly it started failing with the below response in all the accounts together: Access Denied: Table…
2
votes
1 answer

GCP IAM Permission - Service Account not able to have permission

In order to implement CI pipeline from github to gcp, I have configured workload identity. SERVICE_ACCOUNT="xyz" PROJECT_ID="ABC" Service account created by the command: gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \ …
2
votes
3 answers

Could not fetch secret while deploying Google Cloud Function

My deployment of a Google Cloud Function is failing and this is all I'm getting in the logs: Could not fetch secret "projects/xxx/secrets/xxx/versions/latest" for environment variable "xxx". Instance startup will now abort. I've made sure that the…
1
vote
1 answer

Trying to remove a role assigned to a GCP user

Use Case: I am trying to delete all the roles assigned to a principal inside a GCP project. As I understand you can't perform that operation directly. I am referring here: https://cloud.google.com/iam/docs/samples/iam-modify-policy-remove-member To…
1
vote
0 answers

About the problem of using GCP to establish an L2TP tunnel: cannot succeed, 619 or 800 error

Current date 2023-1-15 test, The script used is: https://github.com/hwdsl2/setup-ipsec-vpn Test system Debian GNU/Linux 11 (bullseye) GCP virtual computer hardware configuration: E2-small Ports are all open! HTTP/HTTPS/IP Forwarding: Checked I'm not…
1
vote
0 answers

Creating google_project_iam_binding deletes google_project_iam_member

I'm creating a Cloud Run service to act upon PubSub trigger using Terraform. I've added the relevant terraform code, and besides that I also have the following portion already defined: # bind token creations permission to the default app engine…
1
vote
1 answer

Automated Notification of the expiry of Service Account Keys

We have a lot of user managed SA keys with a set expiry date & we want to get the notification of expiry keys via email & would like to receive a notification of service account keys expiration days before they do expire.
1
vote
3 answers

Unable to Access CloudSQL MYSQL5.7 From Service Account Using CLI

I have a simple cloudsql instance for MYSQL_5_7 with the enable_iam_authentication flag on. I have added a service account or IAM user and want to access the instance using the mysql client. I am using cloudsql auth proxy: ./cloud_sql_proxy…