I created a Composer environment in a GCP development environment with a service account that has the following permissions:
Composer Administrator
Composer Worker
Kubernetes Engine Admin
Storage Object Admin
BigQuery Admin
Cloud SQL Admin
I was able to create the environment, but if I try with exactly the same permissions on the production environment I get "Custom service accounts need correct permissions for environment creation to succeed." as an error after waiting for 50 mins.
I have also tried creating it using gcloud from a client machine, but that also didn't work out for me. I tried disabling and re-enabling the Composer API and created the environment again, which also wasn't helpful. I have looked at the following resources:
https://groups.google.com/forum/#!topic/cloud-composer-discuss/Jcrh8d2X3uU
https://groups.google.com/forum/#!topic/cloud-composer-discuss/TnMDMq6Y-dU
https://groups.google.com/forum/#!topic/cloud-composer-discuss/A1xU5eTL4fg
GCP Cloud Composer - not able to create environment
Can someone tell me what permissions I need to create the Composer environment?
Check the following 2 things in your production environment:
1) Domain Restricted Sharing Organisation Policy is turned off when creating Cloud Composer. You can re-enable this org policy after the composer environment is created.
2) VPC Service Controls is turned off.
Composer doesn't work well if any one of the above is turned ON.
When you create a Cloud Composer environment, it creates a Pub/Sub topic as well.
Please provide the Pub/Sub Admin role as well.
Related
I'm trying to add the needed roles for a CI pipeline to automatically deploy to Firebase (by running firebase deploy).
The roles I've added so far are:
API Keys viewer
Artifact registry writer
Cloud build Service Account
Cloud Functions Admin
Cloud Run Viewer
Firebase App distribution admin
Firebase Authentication admin
firebase hosting admin
firebase rules admin
service account user
service usage admin
Honestly, at this point I'm just adding what sounds good, as the error message is not helpful:
There was an issue deploying your functions. Verify that your project
has a Google App Engine instance setup at
https://console.cloud.google.com/appengine and try again. If this
issue persists, please contact support.
It works when adding the Owner permission, so this is a permission issue.
As you want to deploy the entire project, the most applicable role would be Firebase Admin.
I use it in Portuguese, so the translation in English may be different.
For deploying the hosting app, the IAM role must be either Owner or Editor. Sometimes updating to the latest version of the Node package/Firebase tools will resolve the issue, in my experience.
npm install -g firebase-tools
It will provide the globally accessible firebase command.
For reference: https://firebase.google.com/docs/projects/iam/roles
For any deployments, you need the first Firebase token which is GCP_SA_key for whatever you want to deploy or update.
There are different scenarios; let me elaborate with reference:
Cloud Functions Developer IAM role for deploying functions
Cloud Scheduler Admin IAM role for scheduling your functions
Service Account User IAM role: by default, the service account using App Engine for the deployment process requires a Service Account User role.
You need more roles for Updating Firestore to update rules, indexes, and files.
Firebase Rules Admin role for updating Firestore rules.
Cloud Datastore Index Admin role for updating firestore Indexes.
Firebase Hosting Admin role for updating files.
Further details reference added: GitHub Integration/deployments roles
I am currently using GitHub Actions to automate deploys to production, however, developers also have access to deploy code directly from their machines to production. I am wondering how to avoid this situation and only allow new updates to our hosting instance when it comes from an automated PR approval on GitHub.
The current workflow for developers is:
Create a new dev branch based on an assigned issue on GitHub
Develop code changes and test it on localhost via Firebase Emulators
Commit code changes to GitHub and create a PR
GitHub Actions kicks in to deploy code changes in a preview channel for approval
After code review, PR is approved and code changes get deployed automatically to production
Since developers are required to provide firebase production credentials to initializeApp({...}) - there is no way to avoid a team member from deploying code directly from their machines to production.
The Firebase client SDK for JavaScript does not allow an app to be initialized without real project credentials, which means there is no way to initialize an app "only for emulation".
Any thoughts on how to fix this?
Create a new Google account that is only used to deploy and change the developer permissions to only have read access to the production apps.
My requirement is to deploy an arm template using Azure pipelines.
I am referring to this document: Deploying ARM Templates using Azure DevOps Pipelines – Thomas Thornton. I don't think I have missed anything.
But I got the below error:
Exception Details: (InsufficientPrivilegesForManagedServiceResource) The requested user doesn't have sufficient privileges to perform the operation.
I have enough permissions to perform this but I do not know why I am getting this error.
Api permissions
What permissions am I missing? Any suggestions??
The error "Insufficient permissions for deploying ARM template" usually occurs if any required permissions to perform the action are missing.
Please note that if you are deploying the ARM template at subscription level, then you have to grant permissions at subscription level scope.
Try assigning the permissions at subscription level to resolve the error. You need to have either the Global Admin role or the Owner role for your subscription.
You can refer to this MsDoc to do the same.
You can also enable Access management for Azure resources as below:
Go to Azure Portal -> Azure Active Directory -> Properties -> Access management for Azure resources
You can refer to the similar kind of issue solved by me in this SO Thread.
I am trying to implement a CI/CD workflow with Firebase hosting as the production environment. So, I am writing a Dockerfile that reproduces the Firebase environment.
The problem is: I can't find any technical documentation about how the Firebase hosting environment is made.
What should I put into my Dockerfile? Could a simple HTTP server be sufficient?
So, my conclusion is that it's not possible to create a production-like Firebase hosting container. As stated in the comments, all environments should use the angular-cli emulator in order to simulate the production environment.
We are bringing in a new developer for our Firebase web app project, who will start out by just learning the code in his local environment.
Since the new developer will be running Firebase CLI in the local env., is there a way to set up his initial role on the project such that he is [not able] to run firebase deploy commands?
~~~~~~~~~~~~~~~~~~~~~~~~~
I did find this doc from Google:
https://cloud.google.com/iam/docs/understanding-roles?_ga=2.49153190.-1888993.1468450573#curated_roles
It discusses deploy access in section: App Engine Roles .. not sure if that is for Firebase as well.
If so, are there any additional references for how to go about applying these kinds of roles to a Firebase project?
Anyone who has the "editor" or "owner" role for a project will be able to deploy (and generally make any other changes to the project). If you don't want an account to be able to deploy, don't give either of those roles.
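Added example (not part of the original answers): a small audit of a project IAM policy that covers two points made on this page, the per-target role list for a CI deploy account and the statement that anyone holding Owner or Editor can deploy. The role IDs correspond to the role names the answers give; the target labels, account names and the POLICY document are constructed for illustration.

```python
# Added example. Role IDs correspond to the role names in the answers above;
# the target labels, account names and POLICY are constructed for illustration.
REQUIRED = {
    "functions": {"roles/cloudfunctions.developer", "roles/cloudscheduler.admin",
                  "roles/iam.serviceAccountUser"},
    "firestore": {"roles/firebaserules.admin", "roles/datastore.indexAdmin"},
    "hosting": {"roles/firebasehosting.admin"},
}
# Roles the answers say are enough to deploy the whole project.
BROAD = {"roles/owner", "roles/editor", "roles/firebase.admin"}

CI = "serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"
# Same shape as `gcloud projects get-iam-policy PROJECT_ID --format=json`.
POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:lead@example.com"]},
    {"role": "roles/editor", "members": ["user:dev1@example.com",
                                         "user:dev2@example.com"]},
    {"role": "roles/viewer", "members": ["user:newdev@example.com"]},
    {"role": "roles/firebasehosting.admin", "members": [CI]},
    {"role": "roles/cloudfunctions.developer", "members": [CI]},
    {"role": "roles/iam.serviceAccountUser", "members": [CI]},
]}

def roles_of(policy, member):
    """All roles bound directly to one member in this policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def missing_roles(policy, member, targets):
    """Roles from the per-target list that the member does not hold yet."""
    needed = set().union(*(REQUIRED[t] for t in targets))
    return sorted(needed - roles_of(policy, member))

def broad_deployers(policy):
    """Every member holding a role that allows deploying everything."""
    found = {}
    for b in policy.get("bindings", []):
        if b["role"] in BROAD:
            for m in b.get("members", []):
                found.setdefault(m, []).append(b["role"])
    return {m: sorted(r) for m, r in sorted(found.items())}

if __name__ == "__main__":
    print("CI account still needs:", missing_roles(POLICY, CI, ["functions", "hosting"]))
    print("Can deploy via broad roles:", broad_deployers(POLICY))
```

A project-level policy does not list roles inherited from a folder or organization, so an empty result here does not rule out broad access granted higher up.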