google-cloud-iam | 易学教程

How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

阅读更多关于 How to list, find, or search iam policies across services (APIs), resource types, and projects in google cloud platform (GCP)?

问题 In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud). Is there a way to list, search, list, search, or find IAM policies across resources, services, or projects? This is needed to answer questions like: What roles does a service account have? Which resources are shared publicly? Do policies contain deleted users? Does a user still appear in any policies after they leave my company? Does a user has a given

List ALL users of GCP account/Organization

阅读更多关于 List ALL users of GCP account/Organization

问题 I have an organization in GCP with multiple projects in it. Is there any way to list ALL project users and their roles without having to access project by project? I was using gcloud projects get-iam-policy PROJECTNAME , but list users for a single project, and I have a few hundreds. Thanks. 回答1: You can use the following command in the Cloud Shell to fetch all projects and then show the iam-policy for each of them: for i in $(gcloud projects list | sed 1d | cut -f1 -d$' '); do gcloud

Your application has authenticated using end user credentials from the Google Cloud SDK which are not supported by the translate.googleapis.com

阅读更多关于 Your application has authenticated using end user credentials from the Google Cloud SDK which are not supported by the translate.googleapis.com

问题 After reading similar questions, such as: i am using gcp service account but when calling dialogue flow api its giving error : and Why is Google Cloud API trying to connect as an end-user? and applying the suggested solutions I am still getting the error: Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden { "code" : 403, "errors" : [ { "domain" : "usageLimits", "message" : "Your application has authenticated using end user credentials from the Google

How do I list all IAM users for my Google Cloud Project

阅读更多关于 How do I list all IAM users for my Google Cloud Project

问题 I'd like to be able to list all users and service account associated with my projects (preferably using the gcloud CLI tool, but happy to make an API call if needs be). I can easily list all the service accounts associated with a project using this, but how can list all the users too? I'd expect something like the following, but I cannot see anything in the doco: gcloud beta iam users list 回答1: List all service accounts in a project The following command lists all service accounts associated

Best auth strategy for GCP client tool

阅读更多关于 Best auth strategy for GCP client tool

问题 I want to build a client gcp tool in python. I want to avoid invocations of the glcoud tool via subprocess so I opt for sdk client library invocations. According to the docs as also this very and comprehensive article, there are two options for auth: a) using the application default credentials (i.e. the ones used by gcloud under the hood) b) using a service account and pointing the app to the corresponding .json file. I have already tried the (a) and got the following warning: UserWarning:

Google Pub/Sub push message not working for IAP enabled app engine

阅读更多关于 Google Pub/Sub push message not working for IAP enabled app engine

问题 I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain. I do not see any of the push requests being processed by my app. I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed. 回答1: Note

Allow one VPC and deny others in a VPC Service Perimeter GCP

阅读更多关于 Allow one VPC and deny others in a VPC Service Perimeter GCP

问题 I have created a VPC Service Perimeter for a project in GCP and added Google Cloud Storage to it. Is there a way in GCP to allow access to Google Cloud Storage API (via gsutil or any other means) only to the VMs or resources in a particular VPC? If I have three VPCs ( vpc-a , vpc-b and vpc-c ), I want only the instances in vpc-a to access the Cloud Storage buckets and VPC Service Perimeter to deny access to resources from vpc-b and vpc-c . All my instances will be private (no public IP

Dataflow setting Controller Service Account

阅读更多关于 Dataflow setting Controller Service Account

问题 I try to set up controller service account for Dataflow. In my dataflow options I have: options.setGcpCredential(GoogleCredentials.fromStream(new FileInputStream("key.json")).createScoped(someArrays)); options.setServiceAccount("xxx@yyy.iam.gserviceaccount.com"); But I'm getting: WARNING: Request failed with code 403, performed 0 retries due to IOExceptions, performed 0 retries due to unsuccessful status codes, HTTP framework says request can be retried, (caller responsible for retrying):

Dataflow setting Controller Service Account

阅读更多关于 Dataflow setting Controller Service Account

I try to set up controller service account for Dataflow. In my dataflow options I have: options.setGcpCredential(GoogleCredentials.fromStream(new FileInputStream("key.json")).createScoped(someArrays)); options.setServiceAccount("xxx@yyy.iam.gserviceaccount.com"); But I'm getting: WARNING: Request failed with code 403, performed 0 retries due to IOExceptions, performed 0 retries due to unsuccessful status codes, HTTP framework says request can be retried, (caller responsible for retrying): https://dataflow.googleapis.com/v1b3/projects/MYPROJECT/locations/MYLOCATION/jobs Exception in thread

Google Pub/Sub push message not working for IAP enabled app engine

阅读更多关于 Google Pub/Sub push message not working for IAP enabled app engine

I am testing out a very basic Pub/Sub subscription. I have the push endpoint set to an App I have deployed through a Python Flex service in App Engine. The service is in a project with Identity-Aware Proxy enabled. The IAP is configured to allow through users authenticated with our domain. I do not see any of the push requests being processed by my app. I turned off the IAP protection and then I see that the requests are processed. I turn it back on and they are no longer processed. Note: This answer uses BETA commands and features. To enable IAP enabled App Engine access to Pub/Sub push