I am wanting to disable the "Share dataset" feature of bigquery.
For my use case I would like to disable this feature as you can't control what data can be shared and and who with. This means datasets are shareable with anyone who has gmail account.
I've been experimenting with removing various IAM permissions and I can't seem to pin it down. I've also used chrome dev tools to see what the API call is but I can't trace it back to how I can prevent the sharing of datasets.
If this cannot be disabled can you at least lock it down to a specific domain?
Try the following steps to restrict the share option.
Add the user to the IAM and don't assign any role.
Share the dataset with the user with Can view role
Now the user can still see the Share dataset option, but if they try to share they will get the following error
As per BigQuery permissions and roles matrix only Admin, Data owner(BigQuery role), and the Owner of a dataset can share it. Make sure to give the least privilege needed to your users.
For example, give the respective user the bigquery.jobUser permission and share him the dataset with "can edit" permission. This setup will not allow the dataset to be shared.
Related
My team is attempting to move towards templatization of our services and their infrastructure.
We have found it to be extremely time-consuming to determine the set of permissions required to execute or update a given Cloudformation template. Our process is:
Create a user with permissions cloudformation:CreateStack and/or cloudformation:UpdateStack
Have that user attempt to create/update the specified stack
Observe which missing permission caused the stack operation to fail
Add that permission to the user
Go to 2.
The alternative to this would be to create a "God User" who has unlimited permissions and have that user execute the create/update - which seems to violate the Principle Of Least Privilege
Alternatively, is there a tool that can list "what permissions have been exercised by a given user in the past N minutes?". If such a tool existed, we could create the "God User", have them execute the template, and then create a more limited-scope user that has precisely the permissions that the God User had used.
There is no simple way/tool to do this.
Here are a couple of approaches you can try-
Using an User that has Admin priviledges, create the Stack. Once done, wait for 15-20 minutes for CloudTrail to populate. Now in CloudTrail list the API calls made by the 'Event Source' - 'cloudformation.amazonaws.com'. That should be roughly all the API calls required. There can be a few more calls required, for other operations as you keep on adding functionalities to the Resources. Again, you would need to figure that out this way.
Create a CFN service role , and add admin privileges to this Role. Use this Role to create/update/delete the Stacks. Allow the IAM users only iam:PassRole and cloudformation:* . However, users will be able to create different resources using CFN.
Use Service Catalog and create Products. Service Catalog Products are CFN Templates which can be launched by a specific user/Role/Group. The user does not need permission to create/modify the Resources in a Stack/Product. Also the end user cannot change the Product to add more Resources. Here's a great video that explains this stuff : https://www.youtube.com/watch?v=A9kKy6WhqVA
Hope this helps...
I have a question regarding Cumulocity. I want to create a site hierarchy in Cumulocity, we can go up to sub-tenant level only but I want to create a hierarchy up to 2 level.
Let's take an example of schools, its locations, and different branches. Here I want to attach an owner with each branch and that owner should be able to register only their own users and devices. I was trying to achieve it using groups, roles etc but was not able to do it. If anyone can suggest how to proceed for this use case.
I can see two possible options using which this can be tried:
Groups
Custom Apps (Angular apps)
But I am not sure how to proceed as there is no direct UI for the user to group assignment and REST API for this assignment is giving me errors.
You can use the inventory permissions for configuring access rights that are limited to a certain group see documentation
The managing of only your own users can be achieved by giving a user the global permission for USER_MANAGEMENT_CREATE. Make sure to revoke the ADMIN and READ role as well.
I would not recommend to solve this with apps on the UI side. That way you can of course hide information from the user but he may still be access it via API. Only with the RBAC you can really ensure on API level that the access is managed correctly.
I have a user with permissions across many projects (see image below).
I have a new user who just joined the company. I want to give him the exact same permissions. How can I do this? I don't want to do it manually because that will take me ages and the Google Cloud Documentation is useless! I cant find much on using gcloud command line to do this with examples.
There must be a easy way to duplicate permission?
Thanks
It is indeed possible to grant a role to a member for more than one project:
Open the IAM & Admin Projects page in the GCP Console.
Select all the projects for which you want to grant permissions.
Click the Show Info Panel, followed by the Permissions tab.
Enter an email address in the Add members field, and select the desired role from the drop-down menu.
Click the Add button. The member will be granted the selected role in each of the selected projects.
Granting access rights to project is an action fraught with security risks, so bulk gcloud commands or simple copying of roles are understandably not supported.
You can find more detail on the "Granting, Changing, and Revoking Access to Resources" documentation page.
I have an open source project with several contributors. The project's home page is hosted on Amazon S3. At the moment, the S3 bucket is on my personal account. Only I have access to it, and I pay the hosting (~$5 a month). There are other personal buckets on my account that contributors should not have access to.
I'd like to allow other contributors to modify the site. I'd also like to enable e.g. TravisCI to deploy to the site, which requires extending some credentials to third parties.
Is it necessary to set up a separate Amazon account entirely, or is IAM sufficient for my needs?
If IAM is the way to go, should there be a single IAM user shared among all contributors, or should I create a separate one for each contributor?
Do I need MFA? If so, how to safely distribute TOTP keys?
Any provisions I should make for succession (i.e. bus factor)?
Anything else I should know?
Thanks for any ideas or experiences here.
Is it necessary to set up a separate Amazon account entirely, or is IAM sufficient for my needs?
You should probably have an account for this project that is separate from any accounts you use for purposes unrelated to this project, for clean separation and in case you want to hand over control. What isn't in the account doesn't need to be protected from users who shouldn't see it.
Cross-account privileges are possible, so if others already have accounts, it's possible for you to authorize their existing credentials without knowing their secrets, but it's more complex.
If IAM is the way to go, should there be a single IAM user shared among all contributors, or should I create a separate one for each contributor?
You should absolutely create one for each contributor. That's kind of a no-brainer. Accountability.
Do I need MFA? If so, how to safely distribute TOTP keys?
It depends on your need for the added security. MFA is great and it's also a hassle. But you don't have to (and shouldn't) distribute the MFA secrets for virtual MFA. The user can log in with his/her credentials and create and download that themselves if you allow it.
Any provisions I should make for succession (i.e. bus factor)?
Heh, bus factor. Yes, you probably need a trusted adjutant with a high privilege level. In my accounts we don't actually use the root credentials, ever, but typically two people have a physical copy of the root credentials, though we do sometimes ride together in the same elevator, and we really shouldn't do that.
Anything else I should know?
Read the documentation. It takes a bit of time to sink in, but it takes less time if you get your hands dirty and play with it. Be sure when granting privileges that you verify that things which should not work do indeed not work, not just verify that things which should work indeed do work. But that applies to any authentication and authorization implementation.
Use IAM instance roles in EC2. Even if you can't think of a reason why an instance needs a role, give it one with no permissions anyway, because an instance can only be given a role at launch... yet Formerly, you could only add an IAM role to an instance at launch, but AWS announced on 2017-02-09 that you can now attach an IAM role to an instance after launch. As always, you can change the permissions granted to a role at any time.
Read about user groups. Attach users to groups and policies to groups to simplify granting the same privileges to multiple users.
Unrelated: activate billing alerts for your account to notify you when costs exceed thresholds you select.
I created a project and a dataset in Bigquery. I can share the dataset with other developers but I cannot share the project. I get a 404 error when I click the "Team" link on the left pane. Is there a work around to share the project?
Dataset sharing in BQ is a little unintuitive - the actual sharing is pretty simple but the UX for the person you are sharing with is a little vague.
If you want to share:
Select the dataset
Select Share Dataset
Choose an email, google group, etc.
For data access only (w/o ability to run jobs on your project - so you're not billed for queries they make) choose the BigQuery Data Viewer role.
All this explained here: https://cloud.google.com/bigquery/docs/dataset-access-controls
Once this is done, the user you shared with will be able to run queries on the dataset BUT will not be able to view your project and dataset listed under their data resources on left hand side of BQ console.
This is because you've provided them IAM access to the dataset and not the project (which is the correct way to do it).
If they want to see the project/dataset listed they need to pin the shared project/project to their project in BQ console:
They should enter the BQ URL for the sharing project: https://console.cloud.google.com/bigquery?project=[SHARING_PROJECT_NAME]
Select the project on the data resource browser on the left and select PIN PROJECT
Go back to their original project on BQ console and will now see the shared project listed there as well.
You can share the dataset with a service account which is in any project.
I think you can do the same with regular user accounts without adding to the project.
https://cloud.google.com/dataprep/docs/concepts/cross-bq-datasets
From BigQuery webconsole "share dataset" option:
You can share with these type of accounts
Google Account email: user#gmail.com
Google Group: admins#googlegroups.com
Service account: server#example.gserviceaccount.com
Google Apps domain: example.com
anybody: enter "allUsers" to grant access to the general public
all Google Accounts: enter "allAuthenticatedUsers" to grant access to any user signed in to a G[![enter image description here][1]][1]oogle Account (warning: shares publicly with users outside of your organization)