Tags: gcloud, google-iam

How can I restrict permission of a service account in Google Cloud Platform?


How can I restrict a service account to, for example, Places Autocomplete (Google Maps API)?

I find GCP permissions really confusing, and I wonder if it is even possible to configure them the way I want. To explain, I'll use AWS as an example. Let's say I want to grant a service account permission to read/get an object from S3.

In a simple scenario on AWS, I can create a new service account with no permissions, select the relevant service or API, and then check boxes representing the specific actions I want to allow. For example, I could choose the "Read" action. I can further restrict this permission by specifying conditions like a bucket name. This setup ensures the service account has the minimum necessary permissions.

[image: permission selection in AWS]

Now, in GCP, I created an empty service account and wanted to give it access to the Google Maps Autocomplete API. To do this, I had to assign a role, right? After reviewing the list of existing roles, I found one called "Maps API Viewer," which sounded overly broad but somewhat relevant to what I needed (autocomplete for addresses). I assigned this role and tried the API, but it didn't work. GCP informed me that I also needed to assign the roles/serviceusage.serviceUsageConsumer role. Once I assigned that role, the API started working. However, this role appears to grant too much access. In fact, I even removed the "Maps API Viewer" role from the service account, and the API request for autocomplete still worked.

Let's try to create a custom role. In the dialog box listing all possible permissions (presumably), I couldn’t find anything specifically related to Places or Maps Autocomplete. Instead, it suggested permissions for "marketplaces" or again, the "Maps Viewer API." This left me confused.

[image: permission selection in GCP, 1st example]

[image: permission selection in GCP, 2nd example]

I would expect it to be possible to grant only the necessary read access to the Google Maps Autocomplete API and nothing else. Am I wrong in this expectation?
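One way to check what a service account actually holds before concluding a role is "too broad" is to expand its project-level bindings into the permissions each role includes and compare that with what you intended to grant. The script below is an added example, not code from the question or answer; the service-account address and the role contents are constructed sample data (replace them with the real output of `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --format=json`).

```python
"""Least-privilege audit of a GCP service account's project-level roles.

Added example. Reads the JSON shapes produced by
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam roles describe ROLE --format=json`, expands the bindings for
one member into includedPermissions, and flags anything outside the
allow-list you meant to grant.
"""
import json

# Constructed sample member (not a real account).
SA = "serviceAccount:autocomplete@example-project.iam.gserviceaccount.com"

# Constructed sample policy: the role the question ended up needing, plus
# an unrelated binding that must not be attributed to the service account.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/serviceusage.serviceUsageConsumer", "members": ["%s"]},
  {"role": "roles/editor", "members": ["user:alice@example.com"]}
]}""" % SA)

# Constructed, illustrative role definitions; the real permission lists
# come from `gcloud iam roles describe <role> --format=json`.
SAMPLE_ROLES = {
    "roles/serviceusage.serviceUsageConsumer": {"includedPermissions": [
        "serviceusage.services.use", "serviceusage.services.get",
        "serviceusage.quotas.get", "resourcemanager.projects.get"]},
    "roles/editor": {"includedPermissions": ["storage.objects.get"]},
}


def roles_for_member(policy, member):
    """Roles bound to `member` in a get-iam-policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def effective_permissions(policy, role_defs, member):
    """Union of includedPermissions over every role bound to the member."""
    perms = set()
    for role in roles_for_member(policy, member):
        perms.update(role_defs.get(role, {}).get("includedPermissions", []))
    return perms


def audit(policy, role_defs, member, allowed):
    """Permissions the member holds beyond the intended allow-list, sorted."""
    return sorted(effective_permissions(policy, role_defs, member) - set(allowed))


if __name__ == "__main__":
    # Intended grant: only the permission needed to consume an enabled API.
    print(audit(SAMPLE_POLICY, SAMPLE_ROLES, SA, ["serviceusage.services.use"]))
```

This only covers IAM-controlled services; a non-IAM API (the Maps case in the question) is not visible here, so an empty report does not mean the account cannot reach it.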


Solution

This is confusing.

Google has bifurcated its public (!) services into those controlled by IAM and non-IAM.

It's not always obvious but the IAM overview includes "Google Cloud's Identity and Access Management (IAM) system" and this is key. Google's Cloud (!) services use IAM and non-Cloud services do not.

Confusingly, all Google's services are, of course, cloud-based but, in this sense, "Cloud" means the former Cloud Platform and the subset of services described as Google Cloud.

Maps falls into non-IAM.

Service Accounts are Google (not just Cloud) identities and so, like user accounts (e.g. Gmail), groups etc. can be used as identities across Google's services.

However, because Maps is not part of (Cloud) IAM, you cannot use IAM to restrict access to Maps' resources|methods.

Instead you must fall back to OAuth Scopes which apply to all Google's services but are less granular.