Tags: google-cloud-platform, permissions, google-cloud-iam

How to figure out which resource to enter in Google Cloud Policy troubleshooter?


I'd like to give a colleague permission via IAM on a Google Cloud Monitoring resource. He sent me the error message

Error loading /monitoring/alerting/incidents/[incident id]?project=[project]

and the roles that are necessary to proceed from the error message:

monitoring.incidents.get
stackdriver.projects.get

I assume that I can use Policy troubleshooter in order to list the required role I need to assign in IAM, but maybe that's a misunderstanding.

Assuming that I can use the troubleshooter, I entered my colleague's e-mail address (which is used for Google Cloud login as well) together with one pair with Permission monitoring.incidents.get. I tried the following for Resource:

/monitoring/alerting/incidents/[incident id]
/monitoring/alerting/incidents/[incident id]?project=[project]
//monitoring/alerting/incidents/[incident id]
//monitoring/alerting/incidents/[incident id]?project=[project]
//monitoring/alerting/incidents
//monitoring.googleapis.com/alerting/incidents/[incident id]
//monitoring.googleapis.com/alerting/incidents/[incident id]?project=[project]
//monitoring.googleapis.com/alerting/incidents

The UI doesn't provide any support in filling out this field nor any feedback in the error message. As far as I understand the docs the full form with monitoring.googleapis.com is expected.

I don't have logging turned on, so I cannot use the Logs Explorer as suggested.


Solution

  • Google's IAM permissions reference provides a table mapping permissions to the pre-defined roles that contain them.

    This table is searchable, so you should be able to pop in the target permission to find predefined roles that already contain it. Then, you just need to scan through the results looking for a role that makes sense for your use-case. For example:

    [screenshot showing roles that grant the stackdriver.projects.get permission]

    While this generally works pretty well, I'm actually not seeing any results for monitoring.incidents.get! This is the first permission I've personally come across that was not included in this table -- this feels like a documentation bug to me. Maybe this is also what was giving you grief in the Policy Troubleshooter.


    An alternative to the permissions reference page is to check the "Access control with IAM" documentation for the specific product you're working with. This page will typically list the pre-defined roles that apply to the given product (and the scopes to which those permissions apply).

    In my experience, most Google Cloud products are pretty good about providing this IAM documentation & generally searching for <product> IAM GCP should find the correct page.

    For example, the "Access control with IAM" page for Monitoring can be found at: https://cloud.google.com/monitoring/access-control

    Again though: I'm not seeing any references to the monitoring.incidents.get permission. All I can find (at the time of this writing) is an Incidents section that suggests incidents access control is managed with the basic monitoring.viewer, monitoring.editor, and monitoring.admin roles.

    These roles have worked for me in the past to grant the monitoring.incidents.update permission required to close an incident. If these roles would be too broad for your use-case, you can instead create a custom role.
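Both the question (which resource to hand the Policy Troubleshooter) and the answer (which predefined roles contain a given permission, and falling back to a custom role) come down to the same small piece of bookkeeping: a reverse index from permission to role. The script below is an added example, not code from the question, the answer, or Google; it runs offline over a constructed JSON sample shaped like the output of `gcloud iam roles describe ROLE --format=json`. The permission lists in the sample are trimmed illustrations, not the current real definitions of those roles, so regenerate the input from `gcloud iam roles describe` before relying on the result. The `troubleshoot_command` helper assumes the permissions are project-scoped and targets the project's full resource name (`//cloudresourcemanager.googleapis.com/projects/PROJECT_ID`), which is the form the troubleshooter expects for a project; the `custom_role_spec` output is the file layout consumed by `gcloud iam roles create ROLE_ID --project=PROJECT --file=FILE`.

```python
"""Find which IAM roles carry a set of permissions, pick the narrowest one,
and fall back to a least-privilege custom role when none fits.

Added example. Input shape mirrors `gcloud iam roles describe ROLE --format=json`
(fields: name, title, includedPermissions). The sample below is CONSTRUCTED
and trimmed; it is not the authoritative definition of any real role.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of `gcloud iam roles describe ... --format=json`.
SAMPLE_ROLES_JSON = json.dumps([
    {"name": "roles/monitoring.viewer", "title": "Monitoring Viewer",
     "includedPermissions": ["monitoring.alertPolicies.get",
                             "monitoring.incidents.get",
                             "monitoring.incidents.list",
                             "stackdriver.projects.get"]},
    {"name": "roles/monitoring.editor", "title": "Monitoring Editor",
     "includedPermissions": ["monitoring.alertPolicies.get",
                             "monitoring.incidents.get",
                             "monitoring.incidents.list",
                             "monitoring.incidents.update",
                             "stackdriver.projects.get"]},
    {"name": "roles/viewer", "title": "Viewer",
     "includedPermissions": ["resourcemanager.projects.get",
                             "stackdriver.projects.get"]},
])


def load_roles(json_text):
    """Parse a JSON array of role objects; skip entries without a permission list."""
    return [r for r in json.loads(json_text) if "includedPermissions" in r]


def index_permissions(roles):
    """Reverse map: permission -> set of role names that include it."""
    index = defaultdict(set)
    for role in roles:
        for perm in role["includedPermissions"]:
            index[perm].add(role["name"])
    return index


def roles_by_permission(roles, wanted):
    """For each wanted permission, the roles that grant it (sorted), plus the
    permissions that no role in the input grants (the documentation-gap case)."""
    index = index_permissions(roles)
    covered = {p: sorted(index[p]) for p in wanted if p in index}
    missing = [p for p in wanted if p not in index]
    return covered, missing


def narrowest_role(roles, wanted):
    """Name of the role containing every wanted permission with the fewest
    permissions overall (least privilege among predefined roles), or None."""
    needed = set(wanted)
    candidates = [r for r in roles if needed <= set(r["includedPermissions"])]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (len(r["includedPermissions"]), r["name"]))["name"]


def custom_role_spec(title, permissions, description="Least-privilege role"):
    """Role definition for `gcloud iam roles create ROLE_ID --file=FILE`
    (JSON or YAML); only the exact permissions requested, deduplicated."""
    return {"title": title, "description": description, "stage": "GA",
            "includedPermissions": sorted(set(permissions))}


def troubleshoot_command(project_id, principal_email, permission):
    """argv for `gcloud policy-troubleshoot iam` against the PROJECT resource.
    Assumption: the permission is project-scoped, so the full resource name of
    the project is the right target, not a console URL path."""
    resource = f"//cloudresourcemanager.googleapis.com/projects/{project_id}"
    return ["gcloud", "policy-troubleshoot", "iam", resource,
            f"--principal-email={principal_email}",
            f"--permission={permission}"]


if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_JSON)
    wanted = ["monitoring.incidents.get", "stackdriver.projects.get"]
    covered, missing = roles_by_permission(roles, wanted)
    for perm, names in covered.items():
        print(f"{perm}: {', '.join(names)}")
    for perm in missing:
        print(f"{perm}: not granted by any role in the input")
    best = narrowest_role(roles, wanted)
    if best:
        print("narrowest predefined role:", best)
    else:
        print(json.dumps(custom_role_spec("Incident Reader", wanted), indent=2))
    print(" ".join(troubleshoot_command("my-project", "colleague@example.com",
                                        wanted[0])))
```

To use it against real data, dump the candidate roles with `gcloud iam roles describe roles/monitoring.viewer --format=json` (one call per role, collected into a JSON array) and feed that to `load_roles`; a permission that lands in `missing` is exactly the situation the answer describes for `monitoring.incidents.get`, and `custom_role_spec` gives you the file to create a role that grants nothing beyond it.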