Permission denied on a GCP compute engine

Gabriel Sillam

Dec 25, 2024, 5:31:31 AM
to GAM for Google Workspace
Hi everyone.
I'm trying to set up GAM on Compute Engine after successfully running it on GCP Cloud Shell for a while.
I'm using the same service account that I used with Cloud Shell on the same project, but after following every instruction on https://github.com/taers232c/GAMADV-XTD3/wiki/Running-GAM7-securely-on-a-Google-Compute-Engine multiple times to check myself, for some reason when I run actions on behalf of users (the service account has domain-wide delegation access) or when I run gam user us...@domain.com update serviceaccount for any user on my domain I get:
ERROR: 403: permissionDenied - Permission 'iam.serviceAccounts.signJwt' denied on resource (or it may not exist).


This is my oauth2service.json file:
{
  "client_email": "THE EMAIL OF THE SERVICE ACCOUNT",
  "client_id": "MY CLIENT ID",
  "key_type": "signjwt",
  "project_id": "MY PROJECT ID",
  "type": "service_account",
  "us_scopes": {
    "alertcenter": [],
    "analytics": [],
    "analyticsadmin": [],
    "calendar": [],
    "chatmemberships": [],
    "chatmembershipsadmin": [],
    "chatmessages": [],
    "chatspaces": [],
    "chatspacesadmin": [],
    "chatspacesdelete": [],
    "chatspacesdeleteadmin": [],
    "classroom": [],
    "cloudidentitydevices": [],
    "datastudio": [],
    "docs": [],
    "drive2": [],
    "drive3": [],
    "driveactivity": [],
    "drivelabelsadmin": [],
    "drivelabelsuser": [],
    "drivetd": [],
    "forms": [],
    "gmail": [],
    "iam": [],
    "keep": [],
    "meet": [],
    "oauth2": [],
    "people": [],
    "peopledirectory": [],
    "peopleothercontacts": [],
    "sheets": [],
    "sheetstd": [],
    "sites": [],
    "tasks": [],
    "youtube": []
  }
}

What am I doing wrong?
Let me know if there is anything else that I need to provide to help diagnose this.

Jay Lee

Dec 25, 2024, 5:35:42 AM
to google-ap...@googlegroups.com
Try returning step 3 from: 


The service account needs token creator permission on itself in order to actually call SignJwt.

Jay

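A checker for the self-grant Jay points to, added here as an example and not part of the thread or of GAM itself: it reads the service account's own IAM policy (the output of the real command gcloud iam service-accounts get-iam-policy, which is assumed to be what step 3 of the wiki sets up) and reports whether an unconditional roles/iam.serviceAccountTokenCreator binding names the account itself, since that role carries iam.serviceAccounts.signJwt. The sample policy, the project name and the account name are constructed.

```python
"""Check whether a service account holds roles/iam.serviceAccountTokenCreator on
itself, the binding that carries the iam.serviceAccounts.signJwt permission.
Input: the JSON printed by the real command
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
"""
import json
import sys

TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"

# Constructed sample: the SA's own policy after the self-grant has been
# applied (example-project and gam-sa are placeholders, not real values).
SAMPLE_POLICY_JSON = """{
  "bindings": [{
    "role": "roles/iam.serviceAccountTokenCreator",
    "members": ["serviceAccount:gam-sa@example-project.iam.gserviceaccount.com"]
  }],
  "etag": "BwConstructedEtag", "version": 1
}"""

def load_policy(text: str) -> dict:
    return json.loads(text)

def self_token_creator_bindings(policy: dict, sa_email: str) -> list:
    """Bindings on this SA's own policy that grant it TokenCreator. A binding
    carrying a condition is reported but marked: it may not apply when GAM
    calls signJwt, so a human should review it. A grant made at project level
    is not visible in the SA-level policy and will not be found here."""
    member = f"serviceAccount:{sa_email}".lower()
    hits = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR_ROLE:
            continue
        if member not in (m.lower() for m in binding.get("members", [])):
            continue
        hits.append({"role": binding["role"], "conditional": "condition" in binding})
    return hits

def can_sign_jwt(policy: dict, sa_email: str) -> bool:
    """True only for an unconditional self-grant of TokenCreator."""
    return any(not h["conditional"] for h in self_token_creator_bindings(policy, sa_email))

if __name__ == "__main__":
    sa = sys.argv[1] if len(sys.argv) > 1 else "gam-sa@example-project.iam.gserviceaccount.com"
    raw = SAMPLE_POLICY_JSON if sys.stdin.isatty() else sys.stdin.read()
    if can_sign_jwt(load_policy(raw), sa):
        print(f"OK: {sa} can call signJwt on itself")
    else:
        print(f"MISSING: grant {TOKEN_CREATOR_ROLE} to serviceAccount:{sa} on the SA itself")
```

Pipe the real policy in (gcloud ... --format=json | python3 check_signjwt.py SA_EMAIL) to see the verdict for your own account; a MISSING result matches the 403 in the first post.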

Gabriel Sillam

Dec 25, 2024, 6:33:58 AM
to GAM for Google Workspace

Thank you so much! It worked, can't believe I missed that.