
Starting a docker container in Cloud Run.

Good morning.

I uploaded a very simple docker container (NGINX web server) to Cloud Run and when I started it I get the following:

The service has been created, however, it may not be publicly accessible. Setting IAM policy failed for the resource (URL Removed by Staff). The role "roles/run.invoker" failed to be assigned to the next principals: allUsers. Details: One or more users named in the policy do not belong to a permitted customer, perhaps due to an organization policy.

When I attempted to assign the role "roles/run.invoker" to allUsers to correct the above, I got the following:


IAM policy update failed
The 'Domain Restricted Sharing' organization policy (constraints/iam.allowedPolicyMemberDomains) is enforced. Only principals in allowed domains can be added as principals in the policy. Correct the principal emails and try again. Learn more about domain restricted sharing.

When I attempted to correct the above problem, I was blocked in the GUI with the following:

Required permission(s):
orgpolicy.policies.create, orgpolicy.policies.delete, orgpolicy.policies.update, and orgpolicy.policy.get

GRRRR!!!! This convoluted relationship between roles/permissions/users/access in GC is confusing to say the least.

Would someone please be so kind as to show me how to fix each problem above (in reverse order) so that I can run my container? Please include step-by-step detailed instructions so I can jump over this mess in one sitting.

If you need to issue gcloud CLI commands, here are the details:

Project name my container
Project number (PII Removed by Staff)
Project ID my-container-(PII Removed by Staff)

Thanks!


Hello @aroutley, welcome to the Google Cloud Community.

1. You are not able to assign the allUsers principal to Cloud Run because of an Organization Policy, called a constraint.
2. Due to that, you should change this Org policy to either make an exception (based on a tag) for your project or disable this policy, BUT you are not able to do that, BECAUSE you don't have the proper permissions to do that (Organization Policy Admin).
3. What you could do is either not assign allUsers to Cloud Run OR ask your Organization Policy Admin to make an exception based on a project tag, which allows you to assign this principal to your Cloud Run service.

PS: This approach is in line with least privilege (you get only those permissions needed to do your tasks, nothing more) and SoD (separation of duties, which says that you should not mix the Org Admin role with the Org Policy Admin role and so on, to reduce the impact of account hijacking and thus take care of the security of your organization).

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

Hello, many thanks for your advice -- I really do appreciate it.

Privileges and roles in Google cloud are so convoluted that you need a master's degree to understand the problem and a PhD to fix it.

I am wondering if you could please be so kind as to give me step by step instructions on how to implement your recommendation?  My only objective is to run the container that I have already uploaded so I am quite happy to delete /change /remove anything you suggest....

many thanks...

Yeah, IAM and policies can be wild 😄 If it is a priority to make this service available to all users, you must go with my second idea, meaning tags and an organization policy change.
Grab this fantastic article[1], which has tons of information about your case (it literally covers Cloud Run and this magic restriction).
Important: If you don't have such permissions, you must ask your Organization Admin (aka the person who is managing your Google Cloud organization) to handle this change.

[1]. https://cloud.google.com/blog/topics/developers-practitioners/how-create-public-cloud-run-services-w...

--
cheers,
DamianS

Hi @DamianS, would you possibly have time to read my latest post and perhaps guide me through this mess with step-by-step instructions? It seems every attempt I make to solve problem A uncovers problem B, C etc.

I see where I should add allUsers, but a permissions problem prevents me from adding it...

Hello @aroutley 

Yes. I saw it, however I was AFK during weekend.

--
cheers,
DamianS

Hello, I am in the same situation. I opened a new account at Google Next last month for a new startup; the first thing I wanted to deploy was my MVP in a simple Cloud Run service, and this same thing happened when deploying:

Setting IAM policy The service has been created, however, it may not be publicly accessible. Setting IAM policy failed for the resource "projects/....". The role "roles/run.invoker" failed to be assigned to the next principals: allUsers. Details: One or more users named in the policy do not belong to a permitted customer, perhaps due to an organization policy.

I am using the admin account and it is the only user, but I have not been able to fix it; the link provided also got me confused. I was able to run my container in my personal Gmail GC account, but I need it on the company's domain to apply the credits and to use that in the future in production. Were you able to make this work?

thanks for any help.

Hello,

No, I am afraid that I am stuck just like you are. I received vague
feedback describing the problem + URLs, but nobody is able to give any
practical solution for fixing the problem. What does that say about this
product if one can't even start a container without drama?

If you fix this, please give me detailed step-by-step instructions on how
you did it, not just a list of blogs. I am currently blocked.

Thx!

Andrew.

Hello again,

I crept forward on the problem another 2 inches this weekend.

It seems like we need to assign allUsers to the container, as described in this video starting at minute 16:50:

https://www.youtube.com/watch?v=CxzaOHTwqEI

and here is where (I presume) this is done:

http://www.andrewroutley.net/internet/cloudrun/cloudrun-01.jpg

However, when I try, I get:

http://www.andrewroutley.net/internet/cloudrun/cloudrun-02.jpg

I read this blog about how to fix this:

https://stackoverflow.com/questions/78125092/gcp-iam-policy-update-failed-allow-unauthenticated-invo...

Inside, the blogger states:

"Steps that solved my problem:

Go to: IAM & Admin > Organization policies > "Domain restricted sharing"

Applies to: Customize (unchanged); Policy enforcement: Replace (unchanged); Rules: Add a rule > Policy values: Allow All"

So when I attempt to do it myself, the "Manage policy" button is greyed out, and I can't change anything:

http://www.andrewroutley.net/internet/cloudrun/cloudrun-03.jpg

LONG STORY SHORT: I think I know how to add allUsers so I can run my container, but I have bumped into the above problems. I won't spend another 30 minutes in a rant about how convoluted this product is, because that is obvious to all, but I wish someone in Google Cloud tech support would spend 5 consecutive minutes supporting me on this, if for no other reason than to unblock a very frustrated user, who is no doubt speaking on behalf of another 1M other users.

How have you fared on this?

@aroutley
The first question:

1. Do you have Organization Policy Admin assigned AT the organization level? If yes, skip step A; if no, follow this guide:

STEP A: To assign the Organization Policy Admin role in Google Cloud, you need to follow these steps:

  1. Open the Google Cloud Console.
  2. Go to IAM & Admin:
    • In the left-hand navigation pane, click on IAM & Admin.
    • Then, select IAM.
  3. Select the Organization:
    • If you have multiple organizations, ensure you select the appropriate organization from the organization selector drop-down at the top of the page.
  4. Add a Member:
    • Click on the Add button at the top of the IAM page.
  5. Enter Member Information:
    • In the New members field, enter the email address of the user or service account you want to assign the role to.
  6. Assign Role:
    • Click on the Select a role drop-down menu.
    • Under Resource Manager, select Organization Policy Administrator.
  7. Save Changes:
    • Click Save to assign the role to the selected member.

STEP B: If you have Organization Policy Admin assigned, follow these steps to remove the Organization Policy constraint.

To enable service account key creation at the organization level in Google Cloud, you need to configure an organization policy to allow the creation of service account keys. Here's how you can do this:

Prerequisites:

  • You must have the required permissions to set organization policies. Typically, you need to have the Organization Policy Administrator role or equivalent permissions.

Steps:

  1. Open the Google Cloud Console.
  2. Go to the Organization Policies Page:
    • In the left-hand navigation pane, click on IAM & Admin.
    • Then, select Organization Policies.
  3. Select the Policy to Edit:
    • In the Organization Policies page, you will see a list of policies that can be configured.
    • Search for the policy named Service Account Key Creation or iam.disableServiceAccountKeyCreation.
  4. Edit the Policy:
    • Click on the policy to open its details.
    • Click Edit at the top of the policy details page.
  5. Update the Policy:
    • Set the Policy Type to Customize.
    • In the Rules section, you will have options to Allow or Deny service account key creation.
    • To enable service account key creation, add a rule to Allow.
  6. Save Changes:
    • Click Save to apply the changes.

3. However, the best idea would be to assign a project TAG and then edit the constraint to allow allUsers only for projects with specific tags.

How to assign a TAG: https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing#creating_tag
How to assign a policy with a tag-based condition: https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy

Regarding this topic (service account key creation disabled) we have had around ten similar topics, e.g. https://www.googlecloudcommunity.com/gc/Cloud-Hub/Service-account-key-creation-is-disabled/m-p/72902...

--
cheers,
DamianS

Hi again @DamianS,

Many thanks for taking the time to respond. I really do appreciate it.

Unfortunately I did not get too much further. See below for my responses inline:

The first question :

1. Do you have Organization Policy Admin assigned AT Organization level? If yes, skip step A, if no, follow this guide


ANDREW> I **think** I have it correctly assigned, based on this:

http://www.andrewroutley.net/internet/cloudrun/orgpolicy-01.jpg

(please correct if this looks fishy or requires additional changes)

STEP B: If you have Organization Policy Admin assigned, follow those steps to remove Organization Policy Constraint

In the Organization Policies page, you will see a list of policies that can be configured. Search for the policy named Service Account Key Creation or iam.disableServiceAccountKeyCreation.

ANDREW> I have no policy entitled "Service Account Key Creation" in the dropdown box:

http://www.andrewroutley.net/internet/cloudrun/servicekey-01.jpg
http://www.andrewroutley.net/internet/cloudrun/servicekey-02.jpg
http://www.andrewroutley.net/internet/cloudrun/servicekey-03.jpg


ANDREW> I am able to locate iam.disableServiceAccountKeyCreation, but the "Manage policy" icon is grayed out and I am not able to edit it:

http://www.andrewroutley.net/internet/cloudrun/iamdisableservice.jpg

http://www.andrewroutley.net/internet/cloudrun/disable-servicekey-01.jpg

3. However, the best idea would be to assign a project TAG and then edit the constraint to allow allUsers only for projects with specific tags.

How to assign a TAG: https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing#creating_tag
How to assign a policy with a tag-based condition: https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy

ANDREW> I have created a tag called "allUsersIngress" and set its value to "true":

http://www.andrewroutley.net/internet/cloudrun/tag-allusers.jpg

I have read the docs you sent me, but it's not clear to me what the next step is. Can you perhaps send me a screenshot from your console of how you applied this value, please?

Again, many thanks for the help...

Andrew.

Hi @aroutley 


@aroutley wrote:

ANDREW> I **think** I have it correctly assigned, based on this:

http://www.andrewroutley.net/internet/cloudrun/orgpolicy-01.jpg

Nope, this role is Organization Admin. You MUST also have the second role, Organization Policy Admin, assigned.

[screenshot: DamianS_0-1717048223395.png]


@aroutley wrote:

I have read the docs you sent me, but it's not clear to me what the next step is. Can you perhaps send me a screenshot from your console of how you applied this value, please?


1. Go to your console.
2. Search for Manage Resources.

[screenshot: DamianS_1-1717048377618.png]

3. Choose the project where you want to apply this tag and click "TAGS".

[screenshot: DamianS_2-1717048454759.png]

4. Click "ADD TAG" and choose key and value.

[screenshot: DamianS_3-1717048511193.png]

[screenshot: DamianS_4-1717048522029.png]

5. Confirm if you get a popup window.
6. Your project should look as follows. You will see more fields (I've removed them from the view).

[screenshot: DamianS_5-1717048620585.png]

7. Then go to IAM -> Organization Policies -> Search for "Disable service account key creation" -> Manage policy -> Override parent's policy.
8. And now ADD RULE -> Enforcement ON -> Done (Do not add condition here)

[screenshot: DamianS_6-1717048799071.png]

9. Add second rule. ADD A RULE -> Enforcement Off -> Add Condition -> Name as you want this rule -> Set:
Condition type: Tag
Operator: Has Value
Value path: YOUR_ORGANIZATION/allow_sa_keys/true
Value path example: damian.example.com/allow_sa_key/true
10. Set policy

[screenshot: DamianS_7-1717049023285.png]

IMPORTANT: The TAG must be added AT THE ORGANIZATION RESOURCE LEVEL, not the project.

[screenshot: DamianS_8-1717049133548.png]

IMPORTANT 2: Organization Policy Admin MUST BE added AT the organization level, not the project.

[screenshot: DamianS_9-1717049223005.png]

--
cheers,
DamianS

Hey @DamianS, thanks for the screenshots and instructions. This makes it easier. Results below...


4. Click "ADD TAG" and choose key and value

ANDREW> Done...


http://www.andrewroutley.net/internet/cloudrun/tag1.jpg


7. Then go to IAM -> Organization Policies -> Search for "Disable service account key creation" -> Manage policy -> Override parent's policy.
8. And now ADD RULE -> Enforcement ON -> Done (Do not add condition here)

ANDREW> Unfortunately I cannot change the policy, as my "Manage policy" button is greyed out:

http://www.andrewroutley.net/internet/cloudrun/accountkeycreation.jpg

I seem to lack permissions, or have I just misread your instructions? This is not a corporate account and I am the only user... weird...

I am 1 inch away. Any work-arounds here?

@aroutley
Once again, YOU NEED ORGANIZATION POLICY ADMIN permissions.

1. Go to IAM at the organization level, add your principal (the email you use to log in to Google Cloud), and search for Organization Policy Admin.

@DamianS wrote:

IMPORTANT 2: Organization Policy Admin MUST BE added AT the organization level, not the project.

[screenshot: DamianS_0-1717218120207.png]

Hello @DamianS,

Many thanks again for the feedback, and my apologies for not implementing what you already highlighted in your previous post. The brave new world as of today:

http://www.andrewroutley.net/internet/cloudrun/permissions.jpg

I cleaned up everything and ran through your steps for both approaches:


APPROACH "A" (remove the Organization Policy Constraint )

APPROACH "B" (assign a project TAG and then edit constraint to allow allUsers only for project with specific tags)


APPROACH "A" results:


"Update the Policy:

Set the Policy Type to Customize."


ANDREW> There is no "Customize" option on my page, and the only thing I see is to enforce/not enforce the policy:

http://www.andrewroutley.net/internet/cloudrun/policy1.jpg

"In the Rules section, you will have options to Allow or Deny service account key creation.
To enable service account key creation, add a rule to Allow."


ANDREW> Adding a rule just gives me this screen:

http://www.andrewroutley.net/internet/cloudrun/policy2.jpg

Scratching my head here wondering what I must have fat-fingered to not get what you see on your screen. Do you see anything amiss?


APPROACH "B" results:

"IMPORTANT: TAG must be added AT ORGANIZATION RESOURCE LEVEL, not Project"


ANDREW> With the above in mind, I created a new tag at the organizational resource level:

http://www.andrewroutley.net/internet/cloudrun/tag-me.jpg

...which compares well with what you created:

http://www.andrewroutley.net/internet/cloudrun/tag-damian.jpg


However, when I select the tag and assign a value to it, a small red alarm icon appears, and I cannot hit the save button to apply the changes:

http://www.andrewroutley.net/internet/cloudrun/applytag.jpg

This screen produces no error message or indication of what's wrong. Do you see anything amiss that may prevent me from assigning this tag? Did you have any similar issue?

Again... thank you @DamianS for your assistance...

Hello @aroutley,

No problem 🙂 No need to apologize 😉
I've created the same tag as you, with the same value, and I didn't get any red alarm icon.

You could try to use the CLI to assign this tag.
1. Top right corner

[screenshot: DamianS_0-1717388191541.png]

2. Execute the command

gcloud resource-manager tags bindings create --tag-value=tagValues/281479706225462 --parent=//cloudresourcemanager.googleapis.com/projects/587381770811

Where:

  • TAGVALUE_NAME is the permanent ID or namespaced name of the tag value to be attached; for example: tagValues/4567890123 or 12345678/environment/production.

[screenshot: DamianS_1-1717388276607.png]

  • RESOURCE_ID is the full ID of the resource, including the API domain name to identify the type of resource (//cloudresourcemanager.googleapis.com/). For example, to attach a tag to projects/7890123456, the full ID would be: //cloudresourcemanager.googleapis.com/projects/7890123456.

[screenshot: DamianS_2-1717388305724.png]

--
cheers,
DamianS
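Added example (editor's note; this is not code from DamianS, aroutley or Google): the tag-scoped exception described in the tags-plus-condition reply above and the tags bindings command in this reply, collected into one gcloud script in the order the thread's own advice implies. The constraint named in the original error is constraints/iam.allowedPolicyMemberDomains (Domain Restricted Sharing), so the policy rendered here targets that constraint. All values are placeholders the operator supplies (ORG_ID, PROJECT_ID, PROJECT_NUMBER, the Workspace/Cloud Identity CUSTOMER_ID shown by `gcloud organizations list`, SERVICE, REGION, ADMIN); only the tag key name allUsersIngress comes from the thread. Setting GCLOUD=echo prints every call instead of running it.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: scope the Domain Restricted Sharing
# exception to one tagged project, then grant allUsers roles/run.invoker.
# All IDs below are placeholders (assumptions), to be supplied via env vars.
set -eu

GCLOUD="${GCLOUD:-gcloud}"        # GCLOUD=echo prints the calls instead of running them
TAG_KEY="${TAG_KEY:-allUsersIngress}"
TAG_VALUE="${TAG_VALUE:-true}"

# 1. The role that unlocks "Manage policy" is granted on the organization, not the project.
grant_org_policy_admin() {        # $1 ORG_ID, $2 principal, e.g. user:alice@example.com
  "$GCLOUD" organizations add-iam-policy-binding "$1" \
    --member="$2" --role=roles/orgpolicy.policyAdmin
}

# 2. Tag key and value are created under the organization; the binding attaches them to the project.
create_tag() {                    # $1 ORG_ID, $2 key, $3 value
  "$GCLOUD" resource-manager tags keys create "$2" --parent="organizations/$1"
  "$GCLOUD" resource-manager tags values create "$3" --parent="$1/$2"
}
bind_tag() {                      # $1 ORG_ID, $2 key, $3 value, $4 PROJECT_NUMBER
  "$GCLOUD" resource-manager tags bindings create \
    --tag-value="$1/$2/$3" \
    --parent="//cloudresourcemanager.googleapis.com/projects/$4"
}

# 3. Policy: the conditional rule lifts the domain restriction only where the tag
#    matches; every untagged resource falls through to the unconditional rule,
#    which keeps the organization's own customer ID as the sole allowed domain.
render_policy() {                 # $1 ORG_ID, $2 key, $3 value, $4 CUSTOMER_ID (C0xxxxxxx)
  cat <<EOF
name: organizations/$1/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
  - condition:
      expression: "resource.matchTag('$1/$2', '$3')"
      title: "public invoker exception for projects tagged $2=$3"
    allowAll: true
  - values:
      allowedValues:
      - $4
EOF
}
apply_policy() {                  # same arguments as render_policy
  local f
  f="$(mktemp)"
  render_policy "$@" > "$f"
  "$GCLOUD" org-policies set-policy "$f"   # replaces the whole policy on the organization
  rm -f "$f"
}

# 4. Check what the project actually inherits before touching the service.
show_effective_policy() {         # $1 PROJECT_ID
  "$GCLOUD" org-policies describe iam.allowedPolicyMemberDomains \
    --project="$1" --effective
}

# 5. Only now is the allUsers binding accepted; the service becomes reachable by anyone.
allow_public_invoke() {           # $1 SERVICE, $2 REGION, $3 PROJECT_ID
  "$GCLOUD" run services add-iam-policy-binding "$1" --region="$2" \
    --project="$3" --member=allUsers --role=roles/run.invoker
}

main() {
  : "${ORG_ID:?}" "${PROJECT_ID:?}" "${PROJECT_NUMBER:?}" "${CUSTOMER_ID:?}" \
    "${SERVICE:?}" "${REGION:?}" "${ADMIN:?}"
  grant_org_policy_admin "$ORG_ID" "$ADMIN"
  create_tag "$ORG_ID" "$TAG_KEY" "$TAG_VALUE"
  bind_tag "$ORG_ID" "$TAG_KEY" "$TAG_VALUE" "$PROJECT_NUMBER"
  apply_policy "$ORG_ID" "$TAG_KEY" "$TAG_VALUE" "$CUSTOMER_ID"
  show_effective_policy "$PROJECT_ID"
  allow_public_invoke "$SERVICE" "$REGION" "$PROJECT_ID"
}

# Runs the procedure only when invoked as: ... bash this.sh apply
if [ "${1:-}" = apply ]; then main; fi
```

Run it from an account that already holds Organization Admin (which is what the thread shows aroutley has), as `ORG_ID=… PROJECT_ID=… PROJECT_NUMBER=… CUSTOMER_ID=… SERVICE=… REGION=… ADMIN=user:you@example.com bash script.sh apply`; step 1 is the part the greyed-out "Manage policy" button and the orgpolicy.policies.* permission error are pointing at. Two caveats: `org-policies set-policy` replaces the whole policy, so run `gcloud org-policies describe iam.allowedPolicyMemberDomains --organization=ORG_ID` first and carry every existing allowed customer ID into `allowedValues`; and the tag condition is what keeps Domain Restricted Sharing enforced for every other project, so resist the shortcut of an unconditional allowAll on the organization.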

Hello @DamianS, thanks for the tip and the screenshots. I ran it in CLI mode and got this:

ERROR: (gcloud.resource-manager.tags.bindings.create) PERMISSION_DENIED: The caller does not have permission. This command is authenticated as andrew@ardigital.net which is the active account specified by the [core/account] property
andrew@cloudshell:~ (my-container-423722)$

If I can't create a tag under the org level, then does it matter if I use the CLI to do it? It's probably just a permissions thing, but I don't have the time to chase it down.

Anyway, I don't want to bother you further on this. I have spent a month just trying to spin up 1 single solitary lousy NGINX container, and look at the mess! I will try to see if anyone in Google technical support has any interest in helping, otherwise I think it's fair to say this product is too convoluted. And no, that's not sour grapes.

Again, thanks @DamianS for all your tips, advice, feedback and screenshots. I really appreciate it!

Andrew

If you can't do it at the ORG LEVEL due to lack of permissions, the CLI is not going to work either.

Don't give up 😄 If you want to, it would be good to provide logs from Logs Explorer. But if you have GC Premium Support, yep, use them 🙂

The product is easy to use by itself, but it might be challenging when you have restrictions applied at the Organization Level.

Sad that I wasn't able to help. If support resolves your problems, please share the solution with the community.

--
cheers,
DamianS

"but it might be challenging when you have restriction applied at Organization Level"

Well, if I do have these restrictions, it wasn't me who turned them on, I can assure you of that! 😉 It looks like Google makes the cloud product so secure that it's unusable. 😉 I would be very interested to see a brand new user create an account and upload a simple container just to see if it's me or Google.

Anyway, I just looked for where I can lodge a technical question, and Google ACTUALLY WANTS MONEY just to get support!!!! This is surreal: paying money to ask why their own product is unusable.

So anyway @DamianS, I am going to back off for a while as I still have some time left on my 90-day trial. Maybe I'll have a great idea in the shower sometime?

Thanks again for your assistance.

Regards, Andrew.