750 questions
1
vote
1
answer
65
views
GCloud Error: Caller is missing permission 'iam.serviceaccounts.actAs' on service account [closed]
Situation
This is pretty much my first experience with cloud tools. I'm trying to enqueue (schedule) a cloud task from a cloud function which gets called from my flutter app, the task would at the ...
0
votes
0
answers
74
views
403 PERMISSION_DENIED on Route Optimization API from Firebase App Hosting Despite Correct IAM & API Setup
Problem Description:
I am developing a Next.js application deployed on Firebase App Hosting. The application calls the Google Cloud Route Optimization API from a Server Action.
Despite carefully ...
0
votes
1
answer
90
views
Cloud Run Fails to Connect to Cloud SQL (Server Not Found) After Exhaustive Troubleshooting
The Problem
I'm attempting to connect a .NET application running on Google Cloud Run to a Cloud SQL for SQL Server instance. I'm using the standard and recommended method with the Cloud SQL Auth Proxy ...
3
votes
1
answer
108
views
Google Cloud Logging API "Control Requests" Quota Exceeded in Calling Project for Cross-Project Operations
Problem:
Our backend service (in Project A) interacts with resources in Project B (e.g., fetching Logging buckets). While resource-specific quotas (e.g., log ingestion) are correctly consumed by ...
0
votes
0
answers
60
views
Cloud Build/Artifact Registry Permission Denied Error - cloudbuild.gserviceaccount.com Service Account Missing
Dear Stack Overflow Community,
I am encountering a critical deployment issue with my Google Cloud project gvnalgosoftware (Project ID: 511171631078).
I am attempting to build my Flask application as a ...
0
votes
1
answer
518
views
Google Cloud Organization Policy iam.allowedPolicyMemberDomains INVALID_ARGUMENT for Verified Domain
I'm trying to set the Google Cloud Organization Policy constraints/iam.allowedPolicyMemberDomains to restrict IAM members to my organization's verified domain, sksolution.app. However, I'm ...
0
votes
1
answer
230
views
Firebase Callable Cloud Function (v2) throws 401 Unauthorized when invoked from Flutter app
Setup
I'm using a Firebase Callable Function (v2) to allow an admin user to delete another user from Firebase Authentication.
Cloud Function (functions/index.js):
const { onCall } = require("...
0
votes
1
answer
199
views
How can I grant permissions on a resource to a dynamic *set* of IAM Principals?
I have some secret values in the GCP Secrets Manager, and I have a couple service accounts I want to be able to access a set of those secrets. Is there any way to link them through some sort of group/...
-1
votes
1
answer
108
views
How to integrate/access google drive API when deploy in cloud run (trouble when using ADC)
I have developed an application using GCP- using python, and have tested it on local environment and it was running successfully.
My apps access google drive API using local OAuth credentials.json ...
0
votes
1
answer
53
views
Firebase v2 function loses admin rights
I have a firebase functions file that, in v1, worked perfectly. Upgrading to v2, I use:
const functions = require("firebase-functions/v2");
const admin = require("firebase-admin");
...
1
vote
1
answer
273
views
Issue with OAuth 2.0 Client IDs
I'm running into an unexpected behavior in the IAM OAuth Clients group and wanted to see if anyone had insight. When navigating the gcp console to Google Auth Platform / Clients & APIs & ...
0
votes
1
answer
78
views
Firebase error Unable to sync Firebase Auth state
I'm using a service account to deploy using firebase cli from Github action.
This is the set of permissions this account has:
ROLE
roles/cloudfunctions.admin
roles/firebase.sdkAdminServiceAgent
roles/...
0
votes
0
answers
67
views
View what datasets a user has access to in bigquery
I have a project in BigQuery and I have way too many datasets, I have shared access with many users to particular set of datasets (not full project). I want to see a list of datasets a particular user ...
1
vote
1
answer
256
views
Google cloud: run app locally as service account whilst still running gcloud commands as my user
I am developing a cloud run service on google cloud and want to run it locally for testing using the service account I have configured cloud run to run the service as. My user has permission to ...
0
votes
2
answers
119
views
What is the effect of assigning an IAM role to a domain in GCP?
I came across a GCP project that has an IAM role assigned to a domain (domain:example.com).
What does that do?
0
votes
0
answers
61
views
Okhttp support for TLS 1.3
My code is trying to connect one application's REST API which is basically moved from TLS1.2 to TLS 1.3
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html
...
0
votes
0
answers
23
views
unable to create a service account key
Unable to create service account key on "active-backup-for-google-works@titanium-portal-450112-g6.iam.gserviceaccount.com" project.
Giving an error:
Creating service account key but unable ...
0
votes
2
answers
573
views
List ALL GCP Resources a Tag is attached to
According to GCP Documentation for Tags: To delete a tag value, you must first remove it from all resources. A tag value that is still attached to a resource will not be deleted.
If you have numerous ...
0
votes
2
answers
274
views
403 iam.serviceAccounts.actAs permission error trying to attach a service account to a resource in another project
I'm testing the required permissions to create a scheduled query on BigQuery.
The scheduled query will be programmatically created in project1 with a service account ([email protected]....
2
votes
0
answers
231
views
Error creating Group: googleapi: Error 403: Error(2015): Permission denied for group resource '[email protected]'
Problem
I am working on a Google Cloud Project under an Organization. I am trying to create some groups and assigning policies through Terraform. When running Terraform; the Organization Structure is ...
0
votes
0
answers
10
views
Deny to revoke roles from <User.Group.0*> groups for everyone except Admin team
I need to create a Google Org Policy that would prohibit revoking bound roles only for specific PrincipalSet (Group): User.Group.0* in IAM at the organisation level, but allow it for PrincipalSet (...
1
vote
1
answer
688
views
Unable to acquire impersonated credentials
I'm trying to generate signed urls, so I followed the official guide but I'm getting this error:
google.auth.exceptions.TransportError: Error calling sign_bytes: {'error': {'code': 403, 'message': "...
0
votes
1
answer
125
views
GCP: Cloud Tasks cannot trigger Cloud Run Function using the authenticated client
I followed the vercel tutorial to authenticate Cloud Tasks in an API route:
let client: CloudTasksClient;
if (process.env.NODE_ENV === 'production') {
client = new CloudTasksClient({
projectId: ...
0
votes
0
answers
87
views
How to setup a Spring Boot app connecting to MySQL Cloud with IAM authentication with MySQL cloud using PSC endpoint
In GCP, I was able to successfully set up a Spring Boot test app to connect to MySQL Cloud that uses PSC (Private service connect) endpoint using IAM authentication, but it uses the standard MySQL ...
0
votes
1
answer
89
views
How to get all projects in Cloud Functions?
When I run the following code in Cloud Functions, I can only get the current project.
from google.cloud import resourcemanager_v3
client = resourcemanager_v3.ProjectsClient()
# Search ...
0
votes
0
answers
61
views
how to get signed url from non public bucket in google cloud storage?
Currently I have a cloud function to get signed url, I place the service account json in my google secret manager, and access it through my code. I've tested the function in Postman, using identity token ...
0
votes
1
answer
104
views
Role based access control in a Python app deployed in GCP Cloud run
We have a react front end and a python flask backend deployed in GCP cloud run, users are configured in google groups and authenticated via IAP.
Now we want to setup role based access control in our ...
0
votes
1
answer
99
views
python how to check if a user email is added in gcp project's iam
# Replace with your own service account key file path
SERVICE_ACCOUNT_FILE = "/home/myuser/credentials_gcp.json"
from google.oauth2 import service_account
from googleapiclient.discovery ...
2
votes
2
answers
128
views
Cloud Function with Authentication IAM ERROR 401 (Flutter/Firebase)
I can't secure our cloud functions. The calls fail when I try to call them with HttpsCallable or HttpsCallableFromUrl. It always gives me a 401 ERROR even though the service accounts appear to be ...
0
votes
1
answer
131
views
Does adding a new user as owner of firebase project and removing the previous owner affect the project?
I am currently working on a React Native project and I set up the Firebase project on my main Gmail account. Now, there were some issues in my main account and I also wanted more security so I created ...
0
votes
0
answers
177
views
Can't set service account properly on dataflow flex-template run
I want to overwrite the default SA used by the dataflow worker e.g [email protected] that get created and used by default if you don't specify anything. But I want my own ...
1
vote
0
answers
691
views
Permission denied to publish to pubsub even though the service account has role Pub/Sub Publisher
I have a Cloud Run based micro-service that publishes messages to a GCP PubSub topic that works perfectly well when this service is called from an internal scheduled cron job but when this micro-...
0
votes
1
answer
104
views
How can I set cross-project permissions in a moderately complex architecture in Google Cloud Platform?
I am working with an architecture that spans several Google Cloud services and I need to figure out how I can configure roles and permissions to make the following scenario happen.
There is a pod ...
0
votes
1
answer
364
views
Grant service account access to a single cluster within a project
Use case
We have a test-only cluster that we want to use as part of a Github Actions pipeline. We want the pipeline to be able to do pretty much whatever it likes within the cluster - create/delete ...
0
votes
0
answers
32
views
BigQuery permissions/access
I need to update data in BigQuery. Data comes from CRM by API . I didn't set up this connection, so I don't understand, what's wrong.
When I try to update Data by running code (python), I receive the ...
0
votes
2
answers
386
views
How to use GitHub immutable values (IDs) in Attribute Conditions?
Configuring auth to Google Cloud from GitHub Actions includes security considerations that make the seemingly sensible recommendation to bind using GitHub's immutable|unique IDs (owner|repo) rather ...
0
votes
1
answer
697
views
Difference between google cloud default service account and service agent?
I am not completely clear between the difference and the purpose of default service accounts and service agents in google cloud. From the documentation:
Default Service Accounts:
Default service ...
0
votes
2
answers
385
views
Creating a CloudSQL IAM user different than logged in IAM user
I have an application that is using Google CloudSQL (postgres). I am trying to use an IAM user in one of the database using a circleCI orb provided by my organization. But, problem is the orb is using ...
1
vote
2
answers
275
views
Terraform Enterprise to GCP Workload Identity return invalid_grant Error connecting to the given credential's issuer
I have set up a Workload identity Federation for a Terraform Enterprise installed on Azure using a GCP VM Agent.
From TFE I am facing this error
unable to generate access token: Post "https://...
1
vote
0
answers
411
views
Issue with Firebase App Distribution API - "Request contains an invalid argument" Error
I’m trying to use the Firebase App Distribution API to retrieve release information for my app, but I keep encountering a "Request contains an invalid argument" error.
Project Details:
...
0
votes
1
answer
181
views
cloudfunctions.functions.getIamPolicy error in Cloud Function when accessing cloud storage
I have a cloud function that is triggered by a pub/sub topic. The cloud function is supposed to read in a filename from the topic, and then download the file using a Python storage client library. The ...
0
votes
1
answer
487
views
What Are the Minimum Required IAM Roles for App Engine and Compute Engine Default Service Accounts to Deploy with gcloud on a new Project?
In this document, it says:
Depending on your organization policy configuration, the default
service account might automatically be granted the Editor role on your
project. We strongly recommend that ...
3
votes
1
answer
2k
views
gcloud functions deploy fails: One or more users named in the policy do not belong to a permitted customer
I'm trying to deploy a Cloud Function named generate_image with gcloud functions deploy.
Here is the command I am trying:
gcloud functions deploy generate_image \
--gen2 \
--runtime=...
0
votes
0
answers
302
views
Getting HTTP request failed: 403 Client Error: Forbidden for url - When running Http Cloud function from Cloud composer DAG
I am running a DAG in Cloud Composer version 3 to trigger an HTTP cloud function on the same shared VPC. Both GCP services are using the same user-created service account. However, I'm encountering ...
3
votes
1
answer
2k
views
Google Cloud Function - Can't Find Cloud Function Run role
So this is incredibly frustrating. I'm trying to create a simple Google Cloud Function to process an incoming webhook. It needs to be publicly accessible. Ok so I created it, then some folks were ...
0
votes
1
answer
172
views
How can I implement IAM in my custom Cloud Run service on GCP?
The Cloud Run service I am working on was implemented requiring authentication (IAM managed).
The service should now be extended to handle GitHub events as a GitHub App. As I understand this means the ...
0
votes
1
answer
769
views
Issue with VPC Service Controls and Ingress Policy on Google Cloud
In our organization, we have configured an Access Policy with a scope for a GCP folder.
Here are the details of our configuration:
Access Policy:
Name: accessPolicies/XXXXX
Scope: GCP Folder
Access ...
0
votes
1
answer
51
views
Can I apply usage quotas in bigquery on table level rather than project level?
I work for a mid sized company using a GCP backend with dozens of datasets and tables/views that feed into looker dashboards- typically we use 50-60 dollars of big-query data per day for our looker ...
1
vote
1
answer
243
views
In Google Cloud console, safe to grant Firebase Admin SDK role to default compute service account?
In order to use the Firebase Admin SDK in v2 Firebase Cloud Functions, one must grant the "Default compute service account" in Google Cloud console the "Firebase Admin SDK Administrator ...
0
votes
0
answers
114
views
GCP service-to-service OAuth workaround Cloud Run to Google Forms API
I am hoping to authorise my Cloud Run app (NodeJS + Express + Axios) to be able to Read Google Forms Responses for a handful of Google Forms that I use. The Cloud Run App is to act as an API that ...