
Setup service accounts programmatically #178

Closed
MarkEdmondson1234 opened this issue Apr 22, 2020 · 4 comments

Comments

@MarkEdmondson1234
Owner

It would be helpful for a user OAuth2 token to be able to set up service emails. That way, for setups, a user can log in the "easy" way with high permissions, and those permissions can be used to create a service email with locked-down permissions.

https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest

To create a service account, at minimum the user must be granted the Service Account Admin role (roles/iam.serviceAccountAdmin) or the Editor primitive role (roles/editor).

POST https://iam.googleapis.com/v1/projects/[PROJECT-ID]/serviceAccounts
{
    "accountId": "[SA-NAME]",
    "serviceAccount": {
        "description": "[SA-DESCRIPTION]",
        "displayName": "[SA-DISPLAY-NAME]"
    }
}

https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource

The following POST request uses the projects.setIamPolicy() method to grant editor access to a service account my-sa-123 for the project my-project-123. The request body must contain the new policy that grants permissions to the service account. Each role can have multiple members.

POST https://cloudresourcemanager.googleapis.com/v1/projects/my-project-123:setIamPolicy

{
    "policy": {
        "version": 1,
        "etag": "BwUqMvZQGfo=",
        "bindings": [
            {
                "role": "roles/editor",
                "members": [
                    "serviceAccount:[email protected]",
                    "user:[email protected]"
                ]
            },
            {
                "role": "roles/owner",
                "members": [
                    "user:[email protected]"
                ]
            },
            {
                "role": "roles/viewer",
                "members": [
                    "user:[email protected]"
                ]
            },
            {
                "role": "roles/iam.serviceAccountUser",
                "members": [
                    "user:[email protected]"
                ]
            }
        ]
    }
}
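The setIamPolicy call above replaces the whole policy, so the safe pattern is read-modify-write: fetch the current policy with getIamPolicy, append the service account to the wanted roles, and send the result back with the original etag. The following is an added Python example, not googleAuthR's own code; the sample policy and e-mail addresses are constructed, and the etag is the one quoted above. It also refuses the basic roles (owner, editor, viewer) unless explicitly allowed, since the aim of the issue is a locked-down account.

```python
import json
from copy import deepcopy

# Constructed sample of what projects.getIamPolicy returns before the change.
# Member addresses are placeholders; the etag is the one quoted in the issue.
EXISTING_POLICY = {
    "version": 1,
    "etag": "BwUqMvZQGfo=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:viewer@example.com"]},
    ],
}

# Basic roles are far broader than a locked-down service account needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def grant_roles(policy, sa_email, roles, allow_basic=False):
    """Build the setIamPolicy request body that adds sa_email to each role.

    Read-modify-write: every existing binding is preserved and the etag is
    carried over, so a policy changed concurrently is rejected by the API
    instead of being silently overwritten. Basic roles are refused unless
    the caller opts in. The input policy is not mutated.
    """
    if "etag" not in policy:
        raise ValueError("policy has no etag; fetch it with getIamPolicy first")
    member = f"serviceAccount:{sa_email}"
    new_policy = deepcopy(policy)
    for role in roles:
        if role in BASIC_ROLES and not allow_basic:
            raise ValueError(f"{role} is a basic role; use a predefined role")
        for binding in new_policy["bindings"]:
            # Conditional bindings are separate grants; never widen those.
            if binding["role"] == role and "condition" not in binding:
                if member not in binding["members"]:
                    binding["members"].append(member)
                break
        else:
            new_policy["bindings"].append({"role": role, "members": [member]})
    return {"policy": new_policy}


def request_body_json(policy, sa_email, roles, allow_basic=False):
    """Serialise the body for POST .../projects/PROJECT_ID:setIamPolicy."""
    return json.dumps(grant_roles(policy, sa_email, roles, allow_basic), indent=2)
```

If the API answers with a 409 because the etag no longer matches, fetch the policy again and redo the merge rather than resending the stale body.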

@MarkEdmondson1234
Owner Author

library(googleAuthR)
# Interactive user login with the broad cloud-platform scope
gar_set_client(scopes = "https://www.googleapis.com/auth/cloud-platform")
gar_auth()

# Create the service account, then grant it a role on the project
gar_service_create("test12345678", "my-project")

gar_service_grant_roles("[email protected]",
                        role = "roles/editor",
                        projectId = "my-project")

# Create a key for the new account and list its keys
gar_service_key("test12345678", "my-project", "my-auth.json")

gar_service_key_list("test12345678", "my-project")

@MarkEdmondson1234
Owner Author

All wrapped up in gar_service_provision():

gar_service_provision("my-service-account", 
                      c("roles/viewer", "roles/bigquery.jobUser"))
# 2020-04-23 12:20:09> Writing secret auth JSON key to my-service-account-auth-key.json

@MarkEdmondson1234
Owner Author

Don't use this yet in production, testing.

@MarkEdmondson1234
Owner Author

It's OK now, in CRAN version 1.2.1.
