
Missing Permissions and cannot create a custom role

Hi,

I am trying to allow a user in my project to have sufficient permissions to be able to build custom models for AutoML.  I was able to give her the roles for AutoML Admin, API Keys Admin and Storage Admin, but she still gets this message:

Missing permissions: resourcemanager.projects.get serviceusage.services.get

I cannot see how to add these roles so I tried creating a custom role with all the prerequisite permissions.  In doing this I could not use the Google console at all as the Add button is always greyed.  But I could add these two missing ones in a custom role using the shell commands.  However, I now can't add any of the AutoML stuff as this seems to create even more error messages and tells me this is just in testing.

I also can't add the custom role I created as it's only available to me under the Roles menu, but not as a role I can select against a principal.

I am sure I must be doing something really wrong here, or don't see why I don't have adequate permissions myself (I am the Owner).  Can anyone offer some advice here?

Thanks

Paul.


This question should not be under AI/ML forum.

Anyway, looks like you're assigning your IAM role wrongly. AutoML Admin should have the permission resourcemanager.projects.get included.

Could you share the screenshot of the user with the role assigned?

Apologies for that.  Which forum should I have used?  Interestingly we have the same issue in the community we run for our own products and we built an AI solution that suggests to the poster where they probably should be posting based on their title and post content.  Saves a lot of administrative tidying.

On the issue...

tradosappstore_0-1709182506515.png


Can you get the payload for the error from Cloud Logging? It should give more information on why the permission is missing.

The missing ones seem to now be available.  I'm not sure what triggered this... maybe this is helpful as it seems coincidental that these three are separate in this way:

tradosappstore_0-1709219092533.png

We're still finding the odd permission missing as we go and are trying to find them as we go.  What would be helpful is if there is a resource somewhere that can tell you which role you need to add to be able to include specific permissions.  In the console you can only add a role and you cannot search for a specific permission... unless I'm also doing something wrong there.  And there are so many it seems a very complicated process and difficult to find what you need.  For example, now we seem to be short of these:

tradosappstore_1-1709219267492.png

What is the correct process for adding these to a user so they can achieve their goal?


Please note that once you have added the role, it may take a few minutes for it to take effect.

It is normal to be overwhelmed with so many permissions at the start. After some time, you will get used to it and be able to find the correct role quickly. It is very rare that you have to create a custom role.

For all the predefined roles, you can check them here:

https://cloud.google.com/iam/docs/understanding-roles

Thanks @nlarry 

That link was helpful and I think I have what we need within these roles:

tradosappstore_0-1709225423464.png

The difficult part for me, at the moment, is knowing which of the many roles that contain a missing permission I should be using.  I would love to know how to see exactly which specific permissions would be needed for a user performing a specific task in my project.  Then I think the idea of a custom role would be useful because I could then create the roles I needed for each task and only give the access I needed to, and only have to select one role each time.

But thank you for your help. 

Each product's documentation should have a section about IAM. For example, the below is for Vertex AI:

https://cloud.google.com/vertex-ai/docs/general/access-control

It is common that the same permission appears in different roles, and assigning a role based on a single permission could cause "over-authorization". So in general, we use the terms 'Admin', 'User', 'Developer' in the role name to decide. That should apply the 'least privilege' principle too.

For example, say the person is missing the permission to read Google Cloud Storage. This permission appears in many roles. But we know that this person is working with Vertex AI, not Dataflow, so we will give them the role 'Vertex AI User', not 'Dataflow User'.
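The question raised earlier in the thread (which predefined role carries a missing permission?) and the rule of thumb in this answer (prefer the role of the product actually being used, at the lowest tier) can be mechanised. This is an added example, not code from the thread or from Google: the role permission lists are constructed samples, not the real ones, and the tier ordering and the product-prefix heuristic are my assumptions.

```python
"""Rank predefined IAM roles that grant a set of missing permissions, narrowest first.

Each role dict has the shape `gcloud iam roles describe ROLE --format=json` prints
("name", "title", "includedPermissions"), so json.load() of that output fits here."""

# Constructed sample: NOT the real permission lists of these roles.
SAMPLE_ROLES = [
    {"name": "roles/automl.admin", "title": "AutoML Admin",
     "includedPermissions": ["automl.models.create", "resourcemanager.projects.get"]},
    {"name": "roles/aiplatform.user", "title": "Vertex AI User",
     "includedPermissions": ["aiplatform.models.get", "storage.objects.get",
                             "resourcemanager.projects.get", "serviceusage.services.get"]},
    {"name": "roles/aiplatform.admin", "title": "Vertex AI Admin",
     "includedPermissions": ["aiplatform.models.get", "aiplatform.models.delete",
                             "storage.objects.get", "resourcemanager.projects.get",
                             "serviceusage.services.get"]},
    {"name": "roles/dataflow.developer", "title": "Dataflow Developer",
     "includedPermissions": ["dataflow.jobs.create", "storage.objects.get",
                             "resourcemanager.projects.get", "serviceusage.services.get"]},
    {"name": "roles/owner", "title": "Owner",
     "includedPermissions": ["resourcemanager.projects.get", "serviceusage.services.get",
                             "storage.objects.get"]},
]

# Assumed tier order, least powerful first; the tier word in a role's title decides.
TIER = {"Viewer": 0, "User": 1, "Developer": 2, "Editor": 3, "Admin": 4, "Owner": 5}

def tier_of(title):
    """Rank a role by the tier word in its title; unknown titles sort last."""
    return next((rank for word, rank in TIER.items() if word in title.split()), 99)

def roles_covering(roles, missing, product=None):
    """Return (name, title, extra) for each role granting all of `missing`,
    narrowest first: the product's own roles (service prefix such as
    'aiplatform' for Vertex AI), then lowest tier, then fewest extra permissions."""
    need = set(missing)
    hits = []
    for role in roles:
        perms = set(role["includedPermissions"])
        if not need <= perms:
            continue  # this role alone would not clear the "Missing permissions" error
        off_product = not (product and role["name"].startswith(f"roles/{product}."))
        hits.append((off_product, tier_of(role["title"]), len(perms - need),
                     role["name"], role["title"]))
    return [(name, title, extra) for _, _, extra, name, title in sorted(hits)]

if __name__ == "__main__":
    missing = ["resourcemanager.projects.get", "serviceusage.services.get"]
    for name, title, extra in roles_covering(SAMPLE_ROLES, missing, "aiplatform"):
        print(f"{name:28} {title:20} +{extra} permissions beyond the gap")
```

Against real data, feed it the output of `gcloud iam roles describe` for the candidate roles; the first row is the least-privilege pick this answer recommends, and roles from other products only appear further down the list.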

Yes... this is the approach I have tried to take but it doesn't feel optimal.  But anyway... thanks for your help.  All good now.