Enable APIs using serviceusage API with a service account

I want to create an automatic deployment of GCP for clients.

In order to do that, I have opened a page for them to login with google, and then enabled the IAM API and the Service Usage API.

Then I have created a service account that I want to use from this point forward in order to enable other required APIs on demand and not all at once.

When I try to enable the cloudkms API, I get

googleapiclient.errors.HttpError: <HttpError 403 when requesting https://serviceusage.googleapis.com/v1/projects/x-y-z/services/cloudkms.googleapis.com?alt=json returned "The caller does not have permission"

I tried using the service account credentials (google.auth.jwt.Credentials) that I have created from the response of creating the service account, and I have added all the required permissions. I don't want to grant the role owner to the service account, because I want the account to have as few permissions as possible.

When I try to get the status of cloudkms API using the user's permissions, it works.

I have seen some solutions addressing me needing to create credentials for the service account here: https://console.developers.google.com/apis/credentials but I really need to do this programmatically as well.

My code:

import googleapiclient.discovery
from google.auth import jwt
from oauth2client.client import GoogleCredentials

# Self-signed JWT credentials built from the service account key file saved earlier
credentials = jwt.Credentials.from_service_account_file(service_account_info['email'] + '.json', audience="https://www.googleapis.com/auth/cloud-platform")
# credentials = GoogleCredentials.get_application_default() - it works with this
service_usage = googleapiclient.discovery.build('serviceusage', 'v1', credentials=credentials)
# This is the call that returns the HttpError 403 shown above
service_usage.services().get(name="projects/<project_id>/services/cloudkms.googleapis.com").execute()

The error was mentioned above.

Asked May 08 '19 10:05 by Elvira Gandelman


1 Answer

You need the Cloud IAM permission serviceusage.services.enable to enable services. Depending on what features you require, such as listing services, you need serviceusage.services.list.

Typically you add the role roles/serviceusage.serviceUsageAdmin which includes the following permissions:

  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.enable
  • serviceusage.services.disable
Answered Oct 19 '22 22:10 by John Hanley
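As an added illustration of the answer (not code from the question or from Google's client libraries), the check below takes a project IAM policy in the shape returned by getIamPolicy and reports which Service Usage permission a member is missing for a given call, then picks the narrowest predefined role that covers it instead of roles/owner. The permissions of roles/serviceusage.serviceUsageAdmin are the ones listed in the answer; the permissions shown for roles/serviceusage.serviceUsageViewer and the sample policy are constructed assumptions.

```python
"""Least-privilege check for Service Usage calls made by a service account."""
from typing import Dict, Optional, Set

# Role -> permissions. The admin role's set is taken from the answer above;
# the viewer role's set is an assumption used only for illustration.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/serviceusage.serviceUsageAdmin": {
        "serviceusage.services.get",
        "serviceusage.services.list",
        "serviceusage.services.enable",
        "serviceusage.services.disable",
    },
    "roles/serviceusage.serviceUsageViewer": {  # assumed subset
        "serviceusage.services.get",
        "serviceusage.services.list",
    },
}

# Service Usage API method -> permission it needs (enable/list per the answer,
# get/disable by analogy with the role listing).
OPERATION_PERMISSIONS: Dict[str, Set[str]] = {
    "services.get": {"serviceusage.services.get"},
    "services.list": {"serviceusage.services.list"},
    "services.enable": {"serviceusage.services.enable"},
    "services.disable": {"serviceusage.services.disable"},
}

def granted_permissions(policy: dict, member: str) -> Set[str]:
    """Union of the permissions of every known role bound to `member`."""
    perms: Set[str] = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms

def missing_permissions(policy: dict, member: str, operation: str) -> Set[str]:
    """Permissions `member` still lacks for `operation`; empty set means the call is allowed."""
    return OPERATION_PERMISSIONS[operation] - granted_permissions(policy, member)

def smallest_sufficient_role(operation: str) -> Optional[str]:
    """Known role with the fewest permissions that still covers `operation`."""
    needed = OPERATION_PERMISSIONS[operation]
    candidates = [r for r, p in ROLE_PERMISSIONS.items() if needed <= p]
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]), default=None)

# Constructed sample: the deployer service account only holds the viewer role,
# which is enough for services.get but yields a 403 on services.enable.
SA = "serviceAccount:deployer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/serviceusage.serviceUsageViewer", "members": [SA]},
]}
```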