I have a GCP Project and Anthos Cluster deployed within it.
If I am an admin of an Anthos cluster but not an Owner of the parent project, I have only read rights on Kubernetes and cannot create any resources. Getting:
Error from server (Forbidden)
I've given myself "Kubernetes Engine Admin", "Kubernetes Engine Cluster Admin", "Anthos Multi-cloud Admin" roles, but no success. It seems like "Owner" role is mandatory.
Also my user is attached to ClusterRole/cluster-admin through ClusterRoleBinding/gke-multicloud-cluster-admin, but I definitely need IAM Owner role.
Is this by Anthos design or I am missing something?
This was solved by giving myself these roles:
roles/gkehub.viewer
roles/gkehub.gatewayEditor
Now, I can create Kubernetes resources even if I am not an Owner of the GCP project.
Related
In AWS DMS, I am having an error when I try to create Target Endpoint.
I am trying to migrate MariaDB to Elasticsearch, and so the service of Target Endpoint is AWS Elasticsearch service.
However, it requires me to add IAM user but even I add an IAM user with Administrator policy it keeps saying that
The IAM Role arn:aws:iam::[number]:user/[username] is not configured properly.AccessDenied
What kind of IAM policies are required for this task?
you can get the policy document from here
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.DynamoDB.html
I am using the Golang library cloud.google.com/go/logging and want to send runtime logging.
Already have a GOOGLE_APPLICATION_CREDENTIALS .json file - and am using google storage and firebase - so I know the credentials are working.
With logging, I get an error "Error 403: The caller does not have permission, forbidden"
The account in the application credentials is a service account and I have been looking at the IAM permissions. There is not an obvious permission for logging (there are other stackdriver permissions, for debug, trace etc but these don't seem to work).
So assuming I am in the right place so far - what permissions does the service account need in order to send logging data to stackdriver logging?
If we look at the API for writing entries to a log we find that the IAM permission logging.logEntries.create is required.
A more detailed article can be found at Access control guide.
This describes a variety of roles including:
roles/logging.logWriter
According to the official documentation:
Using Stackdriver Logging library for Go requires the Cloud IAM Logs
Writer role on Google Cloud. Most Google Cloud environments provide
this role by default.
1.App Engine grants the Logs Writer role by default.
2.On Google Kubernetes Engine, you must add the logging.write access scope when creating the cluster:
3.When using Compute Engine VM instances, add the cloud-platform access scope to each instance.
4.To use the Stackdriver Logging library for Go outside of Google Cloud, including running the library on your own workstation, on your data center's computers, or on the VM instances of another cloud provider, you must supply your Google Cloud project ID and appropriate service account credentials directly to the Stackdriver Logging library for Go.
You can create and obtain service account credentials manually. When specifying the Role field, use the Logs Writer role. For more information on Cloud Identity and Access Management roles, go to Access control guide.
Setting Up Stackdriver Logging for Go
gcloud iam service-accounts list
gcloud projects add-iam-policy-binding my-project-123 \
--member serviceAccount:my-sa-123#my-project-123.iam.gserviceaccount.com \
--role roles/logging.logWriter
I created an Ubuntu server on Amazon AWS.
Then I registered for Forge, and now trying to configure it.
I selected source control to be Bitbucket.
I selected Amazon in Server Provider Section,but now I am not sure what to put in key and secret
I found the answer to this question,
We need to create a IAM user and opt for api access key and secret.
also remember to give access to at least FullEC2Admin Access to this user before initiating the process to create and provision the server via forge.
I am trying to learn my way of developing a REST app via Spring Boot framework using the AWS Elastic Beanstalk infrastructure. I am using the IntelliJ IDE to develop and test the app on my local box before deploying it to the AWS Elastic BeanStalk server. I am trying to talk to the AWS RDS instance in my app. With the following code snippets my app is able to talk to RDS instance when deployed and run against my local box but gives me http 404 when deployed on the AWS server which i guess is because the deploy failed due to failure to connect to the RDS instance from AWS.
Project POM file
Application Properties file
User Repository file
I am looking for a correct way to configure these secrets so that they are not present in the git. Ideally take it from AWS environment variables defined for the instance but i am not able to figure out how the spring boot application properties files can access AWS Elastic BeanStalk environment configuration variables.
I have read some documents and tutorials but not exactly able to figure this out. Like Spring Cloud SDK, Sample Spring Boot AWS App
[Edit 1] To provide more information, I was able to ssh into the box and observe the logs. The point of interest is :
Caused by: com.amazonaws.AmazonServiceException: User: arn:aws:sts::486695215273:assumed-role/aws-elasticbeanstalk-ec2-role/i-dc86381f is not authorized to perform: cloudformation:DescribeStackResources (Service: AmazonCloudFormation; Status Code: 403; Error Code: AccessDenied; Request ID: 1ee8c03b-ecd4-11e5-9fe1-378ce4cb26d3)
[Edit 2] After adding AWSCloudFormationReadOnlyAccess security policy in the required policy,
Stack for i-dc86381f does not exist (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: f579cc15-ecd4-11e5-a20b-114992e25084)
My template file as mentioned in AWSCloudFormation is My Template File
Configuring Elastic Beanstalk "secrets", or environment variables, can be done via the cli or via the GUI. For the cli use:
eb setenv ExampleVar=ExampleValue
Which is pretty straight forward. Docs here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/eb3-setenv.html
To do it via the GUI you'll navigate to your application and the desired environment, click on Configuration in the left hand menu. Click the gear icon on the "Software Configuration" panel, and you'll be taken to the the configuration page where you can set "Environment Properties", which are key/value pairs... You can set a property name and then the property value and when you click "apply" they'll be applied to your environment and then your application can access them however it would normally access environment variables in production.
I am new to Cloud Foundry and I want to set up a local CF instance in Vagrant. I followed the steps described in http://docs.cloudfoundry.org/deploying/boshlite/ and got a local instance up and running. I am also able to deploy a simple Ruby app into CF.
Now I want to deploy the Spring sample application from https://docs.cloudfoundry.org/buildpacks/java/gsg-spring.html into CF for which I need a ClearDB database service.
Using the command proposed to create a service instance cf create-service cleardb spark mysql I get the following error:
Creating service instance mysql in org test-org / space test-space as admin...
FAILED
Service offering cleardb not found
When I check my service marketplace in my CF installation with cf marketplace I get
Getting services from marketplace in org test-org / space test-space as admin...
OK
No service offerings found
This brings me to the suggestion that there are "no services installed". So my question is: how can I install a clearDB service in a local CF environment - and is this possible at all, since the Github projects says something like
Prior to deployment, the operator should define three subnets via their infrastructure provider. The MySQL release is designed to be deployed across three subnets to ensure availability in the event of a subnet failure. During installation, a fourth subnet is required for compilation vms.
Any help / resource is highly appreciated. Thanks a lot!
Cloud Foundry as a Pivotal-sponsored open source project predates Cloud Foundry as its own independent open source project, so what you're seeing is actually shared documentation that still has some references specific to Pivotal Web Services: http://docs.run.pivotal.io/buildpacks/java/gsg-spring.html. I'd encourage you to raise the issue against the buildpacks documentation repo (https://github.com/cloudfoundry/docs-buildpacks/issues), you can reference this search result: https://github.com/cloudfoundry/docs-buildpacks/search?utf8=%E2%9C%93&q=cleardb
All it means is you need a MySQL database service. Hosted Cloud Foundry offerings often have ready-to-go MySQL service offerings (such as ClearDB) in their marketplaces; if you're deploying your own Cloud Foundry then you have a couple options.
Provision a MySQL database externally (not as part of your BOSH-Lite), and bind it to your application as a "user-provided service": https://docs.cloudfoundry.org/devguide/services/user-provided.html
Deploy your own MySQL service to BOSH-Lite and register a service broker. Here's a release that's ready to use, with instructions for deploying: https://github.com/cloudfoundry/cf-mysql-release