I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.
Related
I found sample code from Microsoft docs but it doesn't seem to work.
If anyone has any insight that would be helpful.
Also the broad question is if that is even possible.
As the NodeJS uses Tedious library, it's not clear if Tedious is able to support AAD connection.
Sample code was taken from: https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
It has the code sample with type: azure-active-directory-msi-app-service which I think should work.
The error I am getting is 'Security token could not be authenticated or authorized.'
The managed-identity user is added to the resources, with permissions
The code was working after adding a 'reader' role for principle user in sql server.
The steps that are required to connect SQL Server through AAD - Managed identity for NodeJS project are as below:
Create sql-server with sql-server database in an azure resource.
Create an azure-web app within the same azure resource.
Create a principle user in the web app.
This can be done by going to the azure web app > Settings > Identity menu > System-assigned tab and turning on the toggle.
In the sql-db create the user with the same name as principle user that was created in step 3. The name is same as web-app.
Also assign db_reader, db_writer, and ddladmin roles to the user.
You may use the below script to create and assign role to the user. (One thing to consider if it fails to create the user, you might need to rename the app-service name as in my case it was not allowing me to create the User saying it already exists).
**CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<identity-name>];**
Add the reader role to the principle user in the sql server. (The one that I was missing).
This can be done by going to the Sql server resource(in Azure)> Access control (IAM)
Select Reader and select member/user (principle user with the app name), and assign the role reader to that user/member.
After all these configuration part is done, use the code from microsoft docs. For me lower node version was not working so needed to upgrade the node version.(14 in my case).
https://learn.microsoft.com/en-us/azure/azure-sql/database/connect-query-nodejs?tabs=windows
Also the connection was successful only in the deployed version.
Hope this is helpful !! :)
I'm trying to have my server automatically create android in app payment products.
I'm currently using the googleapis npm package and a service account. The service account has the View financial data, Manage orders and subscriptions, and View app information (read-only) permissions. The service account can validate receipts perfectly fine, but upon trying to create a product using google.androidpublisher("v3").inappproducts.insert() it returns Error: The caller does not have permission
As far as I can tell the caller is the service account that has been given the permissions to do payment stuff. My one other option is to just give the account every possible permission and wait the day or so it takes for the permissions to propagate. In the meantime is there anything else I can do to give the service worker the needed permissions in order to be able to create in app products?
I am using .Net Core App with hosting it on Azure Portal. Now at some place I need to use Get the detail of logged in User (Active Directory user) in the application. So for that I am using Microsoft Graph API. So to setup this permission I am using Get-AzureADServiceAppRoleAssignment command. It is working fine when I run this command with Global Administrator account access. But it throws error when I used it without Global Administrator account access.
Error: Service_InternalServerError. as shown in below image.
Anyone have an idea or suggestions how to get rid of this error, and Is there any way to run this script without Global Admin access?
Any help or suggestions will be highly appreciated !
Thanks
Assign the Cloud Application Administrator directory role to the affected user and try again.
the problem here is you don't necessarily need global admin, but the application/user would need a role that has at least roleassignment permissions. so you could create a custom role at the subscription level that has role assignment permissions.
you need
"Microsoft.Authorization/roleAssignments/"
and maybe
"Microsoft.Management/managementGroups/read"
"Microsoft.Authorization/roleDefinitions/"
However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a global admin role.. so it doesn't add any extra real security.
I'm a dev. I have
WEBSITE CONTRIBUTOR
Role on my azure function that our infrastructure team created. I can't see any functions listed in my function app in the portal and this ajax request fails when I try to expand the functions list in the side nav in the azure portal:
Request URL:
https://management.azure.com/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb?api-version=2016-09-01
Request Method:
GET
Status Code:
403
The response body on this request contains this:
{"error":{"code":"AuthorizationFailed","message":"The client '{{my-organizational-username-here}}' with object id '{{my-organizationao-user-id-here}}' does not have authorization to perform action 'Microsoft.Web/hostingEnvironments/read' over scope '/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb'."}}
So what privledges do i need on my function app to be able to do things like see the functions, enable disable individual functions, and generate api keys for a function?
Here is the screen show of what I'm getting:
When I deploy the same code to an azure function on my personal account (which I'm an administrator for) I see this:
I'm sure I wont get administrator role in my organizations subscription, so what is the minimal set of privileges I can have so i can see my functions and perform basic configuration on them?
As a reader level permission, you are restricted to check inside a related function implementation in function app. However, you can go to Platform Features tab and navigate to All Settings to check out all setting related to Function App (similar to web app), though as expected reader permission limits you to modify any setting.
For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).
You can make a custom role for your use case.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Website Contributor means you can "manage websites(not web plans), but not access them". Reader role gives you the right to read everything, but you cannot contribute. These roles are Built-in roles for Azure resources. You can find all of the Azure built-in RBAC in Microsoft docs https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Your organization administrator can create a custom role for you if it's needed to be a Website Contributor and reader at the same time.
PermissionDenied: 403 IAM permission 'dialogflow.sessions.detectIntent' on 'projects/XXXX-live/agent' denied.
I have used the DialogFlow client as a role while creating the service.
What could be the problem?
When I was playing around with permissions with service accounts, I also encountered the same problem. I created a completely new service account and then gave it the client role, and it worked for some unknown reason.
I would suggest trying to create another account and then giving it the client role and seeing if it works for that account.
Also, this isn't necessarily a kosher fix per say, but if you give the account the admin role, then your problem will also be solved.
Edit: At first I thought it might have to do with how the service accounts were created (cloud console vs. command-line), but it seems that's not the case. For some reason it's just the first service account that you create that a client role doesn't work for.
I faced the same issue while integrating Dialogflow with external client.
The root cause for my case was that even though I created the service account for my external client, I forgot to add the service account and give "Dialogflow API Admin' Role.
How I resolve: In GCP project, go to IAM > click the top "+ADD" button and search for the service account that you want to grant permission access, choose role type "Dialogflow API Admin"
I solved my error by doing this
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file(
'C:\\Users\\ashis\\Downloads\\id.json')
def create_intent(project_id, display_name, training_phrases_parts,
message_texts):
"""Create an intent of the given intent type."""
intents_client = dialogflow.IntentsClient(credentials=credentials)
# session_client = dialogflow.SessionsClient(credentials=credentials)
Then I went to the IAM settings for my project
https://console.cloud.google.com/iam-admin/iam?project=
and gave the dialogflow service account members a higher role(like project owner).
You have to give permission to the mega agent.