0
votes

I'm trying to programmatically assign roles to a member for a Bigtable instance. I use the list-grantable-roles call on the gcloud CLI to see what roles I can assign. It only returns the three roles below, whereas the GCP console shows me more roles than those three. What is the reason for this?

Below is the gcloud list-grantable-roles response

description: AutoML service agent can act as Cloud Storage admin and export BigQuery
  tables, which can be backed by Cloud Storage and Cloud Bigtable.
name: roles/automl.serviceAgent
title: AutoML Service Agent

description: Gives Cloud Data Fusion service account access to Service Networking,
  Cloud Dataproc, Cloud Storage, BigQuery, Cloud Spanner, and Cloud Bigtable resources.
name: roles/datafusion.serviceAgent
title: Cloud Data Fusion API Service Agent

description: Security reviewer role, with permissions to get any IAM policy.
name: roles/iam.securityReviewer
title: Security Reviewer

And here are the screenshots from the GCP console for a Bigtable instance.

[Pictures 1 to 4: console screenshots, not reproduced]


Edit

Here I show the gcloud commands I use. It is also interesting that the list-grantable-roles command doesn't accept the result from the --uri call, but when I remove the v2 and change bigtableadmin to bigadmin, it works.

[Terminal screenshot, not reproduced]

1
I don't know. I checked the requests of the CLI and the UI; the results are the same. It's maybe hardcoded. Don't know.... - guillaume blaquiere
Could you provide the full command used to check the grantable roles? - Happy-Monad
I edited my question to add that command @Happy-Monad - Hakan Karaduman
Thanks for your time @guillaumeblaquiere - Hakan Karaduman
What happens when you add --page-size=100 and --format=json to your command? - Nebulastic

1 Answer

1
votes

You don't provide the specific command that you're running, but I suspect you may need to reference a Bigtable instance (or perhaps just a Project that has the Bigtable service enabled) to see the full enumeration of Bigtable-specific roles.

Regardless, if you know the role, either from looking it up in the console or from the roles documentation (link), you should be able to specify it in the command with which you grant the permission to an identity, i.e.

gcloud projects add-iam-policy-binding ${PROJECT} \
--member=.... \
--role=roles/bigtable.admin

201209 Update

Can you please confirm the role of your default (current) account?

You should be able to:

CURRENT=$(gcloud config get-value account)

gcloud projects get-iam-policy ${PROJECT} \
--flatten="bindings[].members[]" \
--filter="bindings.members=user:${CURRENT}" \
--format="value(bindings.role)"

I created a service account with Editor permissions and it is able to enumerate all the roles.

PROJECT=[[YOUR-PROJECT]]
ACCOUNT=[[YOUR-ACCOUNT]] # Perhaps `bigtable-tester`

EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"

# Create test service account and key, and assign it project/editor

gcloud iam service-accounts create ${ACCOUNT} \
--project=${PROJECT}

gcloud iam service-accounts keys create ./${ACCOUNT}.json \
--iam-account=${EMAIL} \
--project=${PROJECT}

gcloud projects add-iam-policy-binding ${PROJECT} \
--role=roles/editor \
--member=serviceAccount:${EMAIL}

# Authenticate as the service account

# Retain current account
CURRENT=$(gcloud config get-value account)

# Activate service account (this changes the default account)
gcloud auth activate-service-account ${EMAIL} \
--key-file=./${ACCOUNT}.json

# Revert to your original account
gcloud config set account ${CURRENT}

# Try the list using the service account
BIGTABLE="//bigtable.googleapis.com"
INSTANCE="testinstance" # Or whatever
RESOURCE="${BIGTABLE}/projects/${PROJECT}/instances/${INSTANCE}"

gcloud iam list-grantable-roles ${RESOURCE} \
--account=${EMAIL} \
--project=${PROJECT} \
--format="value(name)"

For me this returns:

roles/automl.serviceAgent
roles/bigtable.admin
roles/bigtable.reader
roles/bigtable.user
roles/bigtable.viewer
roles/datafusion.serviceAgent
roles/iam.securityAdmin
roles/iam.securityReviewer

And using the API Client Library for Node.JS:

const {google} = require("googleapis");

const iam = google.iam({
  "version": "v1",
});

const BIGTABLE = "bigtable.googleapis.com";
const PROJECT = process.env.PROJECT;
const INSTANCE = process.env.INSTANCE;
// Full resource name of the instance: service host plus path, no API version segment
const RESOURCE = `//${BIGTABLE}/projects/${PROJECT}/instances/${INSTANCE}`;

async function main() {
  const auth = new google.auth.GoogleAuth({
    scopes: ["https://www.googleapis.com/auth/cloud-platform"]
  });
  const authClient = await auth.getClient();

  console.log(`Requesting: ${RESOURCE}`);
  // queryGrantableRoles is a POST; the Node client takes the body under requestBody.
  // Follow nextPageToken so a long role list is not silently truncated.
  let pageToken;
  do {
    const resp = await iam.roles.queryGrantableRoles({
      requestBody: {fullResourceName: RESOURCE, pageSize: 100, pageToken},
      auth: authClient
    });
    const data = resp.data;
    // roles is omitted from the response when nothing is grantable
    (data.roles || []).forEach(role => {console.log(role.name);});
    pageToken = data.nextPageToken;
  } while (pageToken);
}
main().catch(console.error);

See the APIs Explorer test and code samples:

https://cloud.google.com/iam/docs/reference/rest/v1/roles/queryGrantableRoles
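As an added example (not from the answer above), the same "which roles does my current account hold" check as a script that runs offline against a saved `gcloud projects get-iam-policy ${PROJECT} --format=json` output; the policy JSON, project name and member emails are constructed sample data. It also keeps IAM conditions, which `--format="value(bindings.role)"` drops, and builds the member string with the `serviceAccount:` prefix when the active account is a service account (which the `user:${CURRENT}` filter above would miss).

```python
import json

# Constructed sample of `gcloud projects get-iam-policy ${PROJECT} --format=json`
# output: a version-3 policy with one conditional binding.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:bigtable-tester@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/bigtable.viewer",
     "members": ["user:alice@example.com"],
     "condition": {"title": "expires-2021",
                   "expression": "request.time < timestamp('2021-01-01T00:00:00Z')"}},
    {"role": "roles/iam.securityReviewer",
     "members": ["group:auditors@example.com"]}
  ]
}
""")


def to_member(account):
    """Map the email from `gcloud config get-value account` to an IAM member string.

    Filtering on `user:${CURRENT}` never matches while a service account is the
    active account, because those are bound as `serviceAccount:<email>`.
    Heuristic: any *.gserviceaccount.com address is treated as a service account.
    """
    prefix = "serviceAccount:" if account.endswith(".gserviceaccount.com") else "user:"
    return prefix + account


def roles_for_member(policy, member):
    """Return {role: condition title or None} for every binding naming `member`.

    Same selection as `--flatten="bindings[].members[]" --filter=...`, but the
    binding's condition is kept, so a time-limited grant is not read as unconditional.
    """
    roles = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            condition = binding.get("condition")
            roles[binding["role"]] = condition["title"] if condition else None
    return roles


if __name__ == "__main__":
    for role, cond in sorted(roles_for_member(SAMPLE_POLICY, to_member("alice@example.com")).items()):
        print(role, f"(conditional: {cond})" if cond else "")
```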