
How to accurately determine which Services/APIs need to be enabled given a list of permissions?

Given a Service Account that is assigned a Custom Role with a large number of permissions (All of them are readonly, so it's basically a subset of the Viewer Role)

How would I go about determining all the Services/APIs that need to be enabled from the permissions granted to ensure that the permissions can actually be used?

I tried using the services.get method from the ServiceUsage API, and that method does return a list of APIs it supports for some Services, while for others that list is not available. Moreover, I'm unable to accurately map the APIs supported to the permissions.

Any ideas would be greatly appreciated.

 

3 REPLIES

"Method: services.list" [1] lists all services available to the specified project, and the current state of those services with respect to the project. The list includes all public services, all services for which the calling user has the servicemanagement.services.bind permission, and all services that have already been enabled on the project.

 

[1] https://cloud.google.com/service-usage/docs/reference/rest/v1/services/list

Thanks for your reply but unfortunately it does not address my question at all.

Let me provide an extremely simplified example

I create a Custom Role with the following 3 permissions

 

compute.instances.get
redis.instances.get
storage.buckets.get

 

I then create a Service Account and grant the Service Account the aforementioned Custom Role.

The next step is to validate that the services corresponding to these permissions are also enabled in the project or enable them if they are not.

Now in this case this is easy to do manually and I conclude that I need to ensure the following 3 services are enabled

 

compute.googleapis.com
redis.googleapis.com
storage.googleapis.com

 

Now imagine if that Custom Role had hundreds of permissions instead of just 3. How would you go about ensuring that all required services are enabled?

I checked public documentation and internal documentation; there is no way to see 1:1 what APIs are enabled that the Service Account has access to. If you would like, we can open a feature request [1]. However, there is no ETA on when and if the feature will be implemented. For now, you would have to cross-reference all APIs that are enabled or not. Additionally, if you have a list of APIs you want to enable in batch, you can use "Method: services.batchEnable" [2].

 

[1] https://issuetracker.google.com/

[2] https://cloud.google.com/service-usage/docs/reference/rest/v1/services/batchEnable
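The cross-referencing described in this thread can be scripted. The following is an added example, not code from any poster or from Google: it derives candidate services from each permission's first segment, compares them with a services.list response, and groups what is missing into services.batchEnable request bodies. The prefix-to-service rule is a heuristic and an assumption, the override table is illustrative and not exhaustive, and the sample permissions and response are constructed.

```python
import json

# Known cases where the permission prefix is NOT the service name.
# Assumption: this table is illustrative, not exhaustive; extend it per role.
PREFIX_OVERRIDES = {
    "resourcemanager": "cloudresourcemanager.googleapis.com",
    "cloudsql": "sqladmin.googleapis.com",
}
BATCH_LIMIT = 20  # services.batchEnable accepts at most 20 services per request

def candidate_services(permissions):
    """Map each permission to a candidate service via its first segment."""
    by_service = {}
    for perm in permissions:
        prefix = perm.split(".", 1)[0]
        service = PREFIX_OVERRIDES.get(prefix, f"{prefix}.googleapis.com")
        by_service.setdefault(service, []).append(perm)
    return by_service

def enabled_services(list_response):
    """Extract the names of ENABLED services from a services.list response."""
    return {
        svc["name"].rsplit("/", 1)[-1]
        for svc in list_response.get("services", [])
        if svc.get("state") == "ENABLED"
    }

def missing_batches(permissions, list_response):
    """Return services still to enable, chunked for services.batchEnable."""
    wanted = set(candidate_services(permissions))
    missing = sorted(wanted - enabled_services(list_response))
    return [missing[i:i + BATCH_LIMIT] for i in range(0, len(missing), BATCH_LIMIT)]

# Constructed sample data (not from a real project).
ROLE_PERMISSIONS = [
    "compute.instances.get", "compute.disks.list", "redis.instances.get",
    "storage.buckets.get", "resourcemanager.projects.get",
]
LIST_RESPONSE = json.loads("""{"services": [
  {"name": "projects/123/services/compute.googleapis.com", "state": "ENABLED"},
  {"name": "projects/123/services/storage.googleapis.com", "state": "ENABLED"},
  {"name": "projects/123/services/redis.googleapis.com", "state": "DISABLED"}
]}""")

if __name__ == "__main__":
    for batch in missing_batches(ROLE_PERMISSIONS, LIST_RESPONSE):
        print(json.dumps({"serviceIds": batch}))  # body for one batchEnable call
```

Candidate names that do not appear in the services.list output at all point to a prefix that needs an entry in the override table, so review those before enabling anything.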