5
votes

Using IAM, I am trying to allow certain users to access APIs and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.

When the user is in their project and goes to "APIs and Services" > Credentials, they receive this error: You don't have permission to view API keys, OAuth clients, and service account keys.

Roles/Permissions:

  • App Engine Admin
  • Cloud Functions Developer
  • Cloud Datastore Owner
  • Service Account Admin
  • Source Repository Administrator
  • Storage Admin

1 Answer

4
votes

So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.

I went to Project Settings > Roles > Create Role. I then created 2 custom roles; here are all the permissions I assigned to them:

"Custom API"

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • serviceusage.apiKeys.create
  • serviceusage.apiKeys.delete
  • serviceusage.apiKeys.get
  • serviceusage.apiKeys.getProjectForKey
  • serviceusage.apiKeys.list
  • serviceusage.apiKeys.regenerate
  • serviceusage.apiKeys.revert
  • serviceusage.apiKeys.update

"Custom Client Auth"

  • clientauthconfig.brands.create
  • clientauthconfig.brands.delete
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.createSecret
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.listWithSecrets
  • clientauthconfig.clients.undelete
  • clientauthconfig.clients.update

*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.
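The same two roles, scripted with the gcloud CLI instead of the console, as an added example that is not part of the answer above. The script writes each permission list into a role YAML file in the shape `gcloud iam roles create --file` accepts, checks the custom-role support level of the permissions (which is where the "testing" state in the note above shows up as `TESTING` under `customRolesSupportLevel`), and then creates the roles and binds them to a principal. `PROJECT_ID`, `MEMBER`, `OUT_DIR` and the role IDs `customApi` / `customClientAuth` are placeholders I chose, not values from the page; nothing is sent to GCP unless `APPLY=1` is set, otherwise the gcloud commands are only printed for review.

```shell
#!/bin/sh
# Added example (not the poster's code): build the two custom roles from the
# answer as gcloud role YAML files, then create and bind them.
# PROJECT_ID, MEMBER, OUT_DIR and the role IDs are assumptions/placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"        # assumption: placeholder project
MEMBER="${MEMBER:-user:developer@example.com}"     # assumption: placeholder principal
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"                 # where role YAML files are written

# Permissions of the "Custom API" role, exactly as listed in the answer.
custom_api_perms() {
  cat <<'EOF'
container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update
EOF
}

# Permissions of the "Custom Client Auth" role, exactly as listed in the answer.
custom_client_auth_perms() {
  cat <<'EOF'
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
EOF
}

# Write a role definition in the YAML shape `gcloud iam roles create --file`
# expects (title, description, stage, includedPermissions). Permissions come
# from stdin, one per line. Prints the path of the written file.
write_role_yaml() {
  role_id="$1"; title="$2"; stage="$3"
  mkdir -p "$OUT_DIR"
  file="$OUT_DIR/$role_id.yaml"
  {
    printf 'title: "%s"\n' "$title"
    printf 'description: "Custom role for the APIs & Services > Credentials page"\n'
    printf 'stage: "%s"\n' "$stage"
    printf 'includedPermissions:\n'
    sed 's/^/- /'
  } >"$file"
  printf '%s\n' "$file"
}

# Number of permissions in a written role file (sanity check before applying).
count_perms() { grep -c '^- ' "$1"; }

# Execute a gcloud command only when APPLY=1; otherwise print it for review.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'dry-run: %s\n' "$*"; fi
}

# Show whether each permission is GA, TESTING or NOT_SUPPORTED in custom roles.
check_support_level() {
  run gcloud iam list-testable-permissions \
    "//cloudresourcemanager.googleapis.com/projects/$PROJECT_ID" \
    --filter="name:clientauthconfig.* OR name:serviceusage.apiKeys.* OR name:container.apiServices.*" \
    --format="table(name,customRolesSupportLevel)"
}

# Create a project-level custom role from its YAML file and grant it to MEMBER.
create_and_bind() {
  run gcloud iam roles create "$1" --project="$PROJECT_ID" --file="$2"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$MEMBER" --role="projects/$PROJECT_ID/roles/$1"
}

main() {
  check_support_level
  api_file=$(custom_api_perms | write_role_yaml customApi "Custom API" GA)
  auth_file=$(custom_client_auth_perms | write_role_yaml customClientAuth "Custom Client Auth" GA)
  printf 'wrote %s (%s perms) and %s (%s perms)\n' \
    "$api_file" "$(count_perms "$api_file")" "$auth_file" "$(count_perms "$auth_file")"
  create_and_bind customApi "$api_file"
  create_and_bind customClientAuth "$auth_file"
}

main
```

Run it once without `APPLY` to review the generated YAML and the commands, then with `APPLY=1` to apply; re-running against an existing role needs `gcloud iam roles update` in place of `create`. Two least-privilege points worth checking before granting the second role: `clientauthconfig.clients.getWithSecret` and `clientauthconfig.clients.listWithSecrets` let the holder read the secrets of every existing OAuth client in the project, so drop them if the users only need to create clients and manage their own; and any permission the support-level check reports as `TESTING` may change behaviour, which is the caveat the note above makes.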