Questions tagged [google-iam]
38 questions
0 votes, 1 answer
Mapping an IAM role to a Cloud Identity organizational unit
In the GCP IAM console, I can add either the entire organization (the domain of example.com) or individual users to Roles. However, I have the users set up in GSuite/Cloud Identity and organized into OUs that I'd like to use.
Is there a way to map…
David Hergert
0 votes, 1 answer
Access denied (SA doesn't have storage.objects.create access) when trying to upload using a preSigned url to google cloud storage
Having issues trying to allow a client to upload a file via a presigned url.
Error received
Access…
AccessDenied
James
0 votes, 1 answer
QueryTestablePermissions response doesn't include "AcessContextManager.*" permissions
Based on this documentation: https://cloud.google.com/iam/docs/custom-roles-permissions-support
There are several permissions with the prefix AccessContextManager. But after I ran the API QueryTestablePermission, it doesn't include that list.
Also…
purnadika
0 votes, 1 answer
Compute OS Admin Login role doesn't make user sudoer
I have a user with the Compute OS Admin Login role, but when I log in using ssh, this user is not a sudoer. I've tried to restart the instance, but still the same. I've tried with enable_oslogin:TRUE both at the instance level and at the project…
Rhangaun
0 votes, 1 answer
Can a service account access all APIs?
For an api-key, one can define which APIs can be accessed with that api-key, but for service accounts, you seemingly can't. I thought maybe I could create a new role that only allows access to the vision API, but there is no permission for that.
How…
ASA
0 votes, 1 answer
How do I determine the least privilege permissions for a service account applying Terraform plans?
EDIT: Since I can't "trigger" Recommender to make this calculation, and I can't get at the source dataset, is there an automated way of finding the IAM permissions a service account would need to apply a Terraform plan? The original question was…
Larry B.
-1 votes, 2 answers
Allow multiple service accounts to access multiple storage buckets
I have some devices, and each will be handed to the customers. I need each device to have read-access to some Google Cloud storage buckets. I would like each device (or at least each customer) to have a different service account so I can…
Hugal31
-2 votes, 1 answer
How do I enable only a single Cloud SQL DB for a GCP service account?
I have a service account that should only have access to a single instance of Cloud SQL. In GCP, I've been trying to create a role with conditional access to the instance.
The instance name of the DB is test-sandboxy, and I've taken a screenshot of…
CallMeNorm