I'm working with the SAP cloud platform with Neo and Cloud Foundry Applications/Organizations on it. Currently I have the task to get all role collections from the cloud foundry applications and all the roles (or better called groups) from Neo.
Currently I can access the CF SCP API through the v3 cloud controller and get for example all roles from the cloud foundry applications.
The two problems I'm facing are that:
I dont know how to get the role collections, because I couldn t find anything in the documentation (I can get the roles but they do not link with the role collection because I think role collections are a SAP thing and not a CF thing).
I dont know how to access the NEO-API (I never worked with NEO) and I dont know how to get roles/groups from it
Does anybody know how I can do these things and has documentation for me so I can read a little further?
Related
I have google cloud build set up, and I'd like t away to make the builds publicly visible, to use in an open source project, a bit like how TravisCI and CircleCI offer - see an example below:
https://travis-ci.org/wagtail/Willow/pull_requests
Is this possible?
Can you make it possible to inspect a build to a non-signed in user?
A solution could be to use Google Identity and Access Management to grant the Cloud Build Viewer role to allUsers. However, this cannot be done at the moment.
The idea is to give the cloudbuild.builds.get and cloudbuild.builds.list permissions to everyone on the internet, which would allow them to call those Cloud Build API methods that require these permissions. You can grant roles to Google Accounts or Groups, Service accounts or G Suite domains, but not to everyone.
You can find detailed instructions to grant roles through the GCP console in the Cloud Build documentation.
When using the CLI gcloud commands, I can do everything action on my database. Yet when I try to do the same thing from Go (from the same shell instance as I did when using the gcloud commands) I get an error with the message:
spanner: code = "PermissionDenied", desc = "Resource projects/todo/instances/todospanner/databases/tododb is missing IAM permission: spanner.sessions.create."
The code I am trying to run is taken from the example found here: https://cloud.google.com/spanner/docs/getting-started/go/
I can't find that permission (spanner.session.create) in the spanner permissions either. I've been playing around with setting all permissions I could find related to spanner, on the account which I've used to log in with gcloud.
my GOOGLE_APPLICATION_CREDENTIALS are set and I've also tried with gcloud beta auth.
Cloud Spanner IAM roles including the permission spanner.session.create are listed and described here: https://cloud.google.com/spanner/docs/iam#roles
Note how some of the roles are specific to a Person while others are Machine-specific (or Service Account specific).
You need to specify where are you connecting from or executing the code (Cloud Shell instance, VM running on GCE, on-prem machine or laptop) and to ensure that correct roles are assigned to a Person or a Service Account which is attempting to execute the code and access Cloud Spanner instance.
Consider this scenario:
your gcloud SDK may be well credentialed with person#domain.com account which has granted roles/spanner.admin role, so everything works fine for gcloud
the VM hosting your code and SDK is running as 12345678901-compute#developer.gserviceaccount.com Service Account and that one has no access to Cloud Spanner whatsoever, causing troubles.
More information on Service Accounts here:
https://cloud.google.com/compute/docs/access/service-accounts
Probably you didn't add access to your database tododb for account in the file pointed by GOOGLE_APPLICATION_CREDENTIALS. Use, for example, Cloud Spanner Database User role for this account in Google Console.
I need to set up a repository where multiple people can go to drop off excel and csv files. I need a secure environment that has access control so customers logging on to drop off their own data can't see another customers data. So if person A logs on to drop a word document they can't see person B's excel sheet. I have an AWS account and would prefer to use S3 for this. I originally planned to setup an SFTP server on an EC2 server however, I feel that using S3 would be more scalable and safer after doing some research. However, I've never used S3 before nor have I seen it in a production environment. So my question really comes down to this does S3 provide a user interface that allows multiple people to drop files off similar to that of an FTP server? And can I create access control so people can't see other peoples data?
Here are the developer resources for S3
https://aws.amazon.com/developertools/Amazon-S3
Here are some pre-built widgets
http://codecanyon.net/search?utf8=%E2%9C%93&term=s3+bucket
Let us know your angle as we can provide other ideas knowing more about your requirements
Yes. It does, you can actually control access to your resources using IAM users and roles.
http://aws.amazon.com/iam/
You can allow privileges to parts of an S3 bucket say depending on the user or role for example:
mybucket/user1
mybucket/user2
mybucket/development
could all have different permissions.
Hope this helps.
One of my clients wants to understand IAM feature before migrating business application to Amazon cloud.
I have figured out two use cases which we can recommend to our client, these are:
Resource-Level Permissions for EC2
• Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
• Control which users can terminate which instances.
• Restricting a user access to a single EC2 instance ( currently not supported by amazon API’s)
IAM Roles for Amazon ec2 resources
Command Line Usage
• Unix/Linux/Windows - Use the AWS Command Line Interface, which is a unified tool to manage the AWS services. We can access the Command Line Interface using the EC2 instance launched with IAM role support without specifying the credentials explicitly.
Programmatic Usage
• Use the appropriate AWS SDK for your language of choice. Configure it without specifying the credentials.
I would like to know other capabilities of IAM which we can recommend to our client and other use cases which you can recommend to us. Please let us know if any further explanation is required.
Any prompt response will be highly appreciated.
Thanks in advance
This is a very useful feature of AWS !
User Management - If you are a large team, you will have to give different users (or developers/testing, deployment) different type of permissions. Access levels like (say S3 read-only, DynamoDB full-access etc).
Manage Users : http://aws.amazon.com/iam/details/manage-users/
Not to keep credentials in code. Is you use IAM roles, you can mention that say an EC2 should work on this role. This will help you achieve things like "cluster with only access to S3, not DB")
IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Handle Release staging. This is a benefit from the ROLE. You move apps from dev, qa, staging and prod. I usually keep different accounts for this. In this case, if you configure the EC2 to run on roles, then the stage difference can be handled witout code change. Just move the build from one account to another, and it works with no risk!
Lot of other benefits;
Product Details : http://aws.amazon.com/iam/details/
I'm having trouble finding a web interface in Heroku to write SQL queries that can be created by app collaborators. I want to be able to query from a computer that doesn't have the heroku toolbelt installed as a collaborator.
Currently, I've been using the dataclips feature to do such a task, however it only allows the query to be modified by the app owner.
I'm not sure if I'm just misunderstanding how Heroku Dataclips works or just can't find a feature that allows collaborators to do such a task?
Collaborators in your application can also modify dataclips. However data clips are intended to be a 'data clip' and not a webUI onto your database. Giving anyone the ability to update your application/data requires them to be a collaborator. Heroku provides no other security role than that.