Deploy ESP Configuration with Service Account


kordia...@egym.de

Jul 25, 2018, 8:00:50 AM
to Google Cloud Endpoints
Our current setup includes multiple environments for dev, staging and production. Each of those environments runs its own ESP and gets deployed via our CI/CD pipeline to Kubernetes.

We also want to deploy the ESP / Endpoint configuration in that pipeline but are struggling with setting the correct permissions for the service account, in order for it to be able to write
new proto files to the ESP.

The error message reads: 
ERROR: (gcloud.endpoints.services.deploy) User [<service-account>] does not have permission to access service [<api-name>-testing.endpoints.<project>.cloud.goog] (or it may not exist): Caller does not have permission 'servicemanagement.services.update' on service '<api-name>-testing.endpoints.<project>.cloud.goog'.

We currently have the following permissions assigned to the service account:
  • Kubernetes Engine Developer
  • Endpoints Portal Admin (Is this needed? It was just a test)
  • Project Viewer (Ideally this would not be required)
Any ideas what the correct role/permission is, so that the service account is able to deploy the updated proxy configuration?


Andrew Gunsch

Jul 25, 2018, 11:51:29 AM
to kordia...@egym.de, google-clou...@googlegroups.com
Thanks for writing!

For looking at which roles map to specific permissions, you can check the Roles page in the Cloud Console. I believe "Service Config Editor" is the narrowest existing role that includes servicemanagement.services.update, but you can also create a custom role from that UI (see "Create Role" near the top) with only that permission if you want even narrower.

--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/10ce1219-f3cc-4bdc-a801-3caeb2263ed1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

dimaf

Jul 25, 2018, 12:03:54 PM
to Google Cloud Endpoints
What about the servicemanagement.admin role?

# Point gcloud at the project and zone used by the pipeline
gcloud config set project PROJECT_ID
gcloud config set compute/zone ZONE

# Look up the numeric project number (the Cloud Build service account name is derived from it)
PROJECT_NUMBER=`gcloud projects describe  $(gcloud config get-value core/project) --format=value\(projectNumber\)`

# Bind the service-management admin role to the Cloud Build service account at project level
gcloud projects add-iam-policy-binding \
$(gcloud config get-value core/project) \
--member serviceAccount:$PROJECT...@cloudbuild.gserviceaccount.com \
--role roles/servicemanagement.admin

On Wednesday, 25 July 2018 at 8:00:50 UTC-4, kordia...@egym.de wrote:

Wesley Wong

Jul 25, 2018, 12:52:02 PM
to dimaf, Google Cloud Endpoints
The servicemanagement.admin role will work as well, as it contains the servicemanagement.services.update permission. However, it also contains many more permissions that you may not want to give. It is an admin role, which means it can also give or revoke permissions to others.

If you are only interested in giving permissions to update the service config, then the 'Service Config Editor' role (roles/servicemanagement.configEditor) as mentioned previously is the correct one to give.

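The least-privilege point made in the replies above (configEditor carries servicemanagement.services.update; admin carries it plus the ability to grant permissions) can be checked against an exported project policy. The following audit script is an added example, not code from the thread or from Google; it assumes policy JSON in the shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, and the service-account name and custom role in the sample are constructed.

```python
"""Audit which roles give a CI service account servicemanagement.services.update
and flag grants that are broader than the deploy task needs (added example)."""
import json

UPDATE_PERM = "servicemanagement.services.update"
# Predefined roles from the thread. admin is marked broad because, as the
# thread notes, it can also grant or revoke permissions on the service;
# configEditor is the narrowest predefined role that still carries UPDATE_PERM.
PREDEFINED = {
    "roles/servicemanagement.admin": {"grants_update": True, "broad": True},
    "roles/servicemanagement.configEditor": {"grants_update": True, "broad": False},
}


def audit(policy_json, member, custom_roles=None):
    """Return the member's roles, which of them grant UPDATE_PERM, which are
    broader than needed, and a remediation hint. custom_roles maps a custom
    role name to its permission set (assumption: supplied by the caller)."""
    custom_roles = custom_roles or {}
    policy = json.loads(policy_json)
    held = [b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])]
    granting, broad = [], []
    for role in held:
        if role in PREDEFINED:
            if PREDEFINED[role]["grants_update"]:
                granting.append(role)
            if PREDEFINED[role]["broad"]:
                broad.append(role)
        elif UPDATE_PERM in custom_roles.get(role, set()):
            granting.append(role)  # custom role scoped to the single permission
    recommendation = None
    if not granting:
        recommendation = "grant roles/servicemanagement.configEditor or a custom role with " + UPDATE_PERM
    elif broad:
        recommendation = "replace " + ", ".join(broad) + " with roles/servicemanagement.configEditor"
    return {"roles": held, "granting_update": granting, "broad": broad, "recommendation": recommendation}


# Constructed sample policy: the CI deployer was given the admin role (over-broad).
CI_SA = "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/servicemanagement.admin", "members": [CI_SA]},
    {"role": "roles/container.developer", "members": [CI_SA, "user:alice@example.com"]},
    {"role": "roles/viewer", "members": [CI_SA]},
]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, CI_SA), indent=2))
```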

kordia...@egym.de

Jul 30, 2018, 4:17:57 AM
to Google Cloud Endpoints

Thanks very much for this precise answer - that was exactly what I was looking for.
I must admit, making the jump from ESP to Service Management wasn't obvious to me.

Cheers!

Andrew Gunsch

Jul 30, 2018, 1:49:45 PM
to kordia...@egym.de, google-clou...@googlegroups.com
Thanks for that feedback!

Did you by chance come across the Overview of API Access page while researching this? This describes the different roles for Endpoints and how they relate to some of these tasks.

- Andrew


kordia...@egym.de

Aug 1, 2018, 4:10:04 AM
to Google Cloud Endpoints
Ah, there we go - no, I missed that page, and it seems to explain everything in detail.
Thanks for pointing me in the right direction. No clue how I did not find that page - shame on me.

Cheers