Permissions problem trying to create a sink #1614
Comments
@jgeewax please loop in whoever would be able to point me in the right direction from the logging API team. |
More likely an error on my part: the failed request was trying to do a |
But I'm betting that when I do get that part right, then the 403 will trigger because I don't have the bucket permissions set correctly. |
Grrr. Switching to
That same URI works fine in the API Exploder. |
@jgeewax Any ideas? |
@callmehiphop @stephenplusplus @blowmage have you run into this? |
Yes! Check this out: googleapis/google-cloud-node#1156 |
Related Ruby issue: googleapis/google-cloud-ruby#569 |
IIRC the Pub/Sub IAM issue is different. The issue with creating Logging Sinks is that it requires a user account, not a service account. This is imposed by the API, and there isn't much we can do to get around it. @quartzmo, does that sound right? |
Ah, my bad. We were getting errors creating Sinks with a Pub/Sub Topic as a destination, which traces back to the Pub/Sub IAM change, so I jumped at a connection between that issue and this one. Indeed, you must be authenticated as a user (through the gcloud SDK works). Here's the official word from a Logging member: googleapis/google-cloud-node#842 (comment) |
There are some additional steps for creating a sink to a Bucket, and @quartzmo was chasing that info down for our docs, so I'll defer to him on that as well. 😅 |
Unfortunately I haven't gotten it working yet, but I'll try again today. |
@blowmage, @quartzmo The thing I found yesterday is that the bucket's ACL must include the

```python
from gcloud import storage

BUCKET_NAME = "your-bucket-name"  # placeholder; the original snippet leaves this undefined

storage_client = storage.Client()
bucket = storage_client.create_bucket(BUCKET_NAME)
# Load the bucket's current ACL so existing entries are kept when saving.
bucket.acl.reload()
# Grant the Cloud Logging group OWNER on the bucket that will receive the sink's output.
logs_group = bucket.acl.group('cloud-logs@google.com')
logs_group.grant_owner()
bucket.acl.add_entity(logs_group)
bucket.acl.save()
```
|
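A pre-flight check for the bucket side of this problem, added here as an example (it is not code from the thread or from gcloud-python): it takes the sink destination and the bucket's ACL entries in the Cloud Storage JSON API's bucketAccessControls shape (an "entity" such as "group-cloud-logs@google.com" plus a "role"), which is an assumption about the input, and reports whether cloud-logs@google.com holds OWNER. Running it before Sinks.create separates a missing bucket grant from the user-versus-service-account restriction discussed above. The sample ACLs are constructed.

```python
"""Pre-flight check for the bucket ACL a Cloud Logging sink destination needs.

Added example, not code from the issue thread or from gcloud-python. Input ACL
entries are assumed to be in the Cloud Storage JSON API bucketAccessControls
shape: {"entity": "group-<email>", "role": "OWNER" | "WRITER" | "READER"}.
Fetching the live ACL is left to the caller so this runs offline.
"""

# The group the thread says must own the destination bucket.
LOGS_GROUP = "cloud-logs@google.com"
# Sink destinations for Cloud Storage buckets use this prefix.
STORAGE_PREFIX = "storage.googleapis.com/"


def bucket_from_destination(destination):
    """Return the bucket name from 'storage.googleapis.com/<bucket>', or None
    when the destination is not a Cloud Storage bucket."""
    if not destination.startswith(STORAGE_PREFIX):
        return None
    name = destination[len(STORAGE_PREFIX):].strip("/")
    return name or None


def acl_roles_for_group(acl_entries, group_email):
    """Collect the roles an ACL grants to a Google group.

    Accepts both the API form ("group-<email>") and a bare email, compared
    case-insensitively, so the same check works on either representation.
    """
    wanted = {"group-" + group_email.lower(), group_email.lower()}
    roles = set()
    for entry in acl_entries:
        entity = str(entry.get("entity", "")).lower()
        if entity in wanted:
            roles.add(str(entry.get("role", "")).upper())
    return roles


def sink_bucket_problems(destination, acl_entries):
    """Return human-readable problems with the bucket side of sink creation.

    An empty list means the bucket grant is in place, so a 403 from
    Sinks.create must come from somewhere else (e.g. the caller's identity).
    """
    problems = []
    bucket = bucket_from_destination(destination)
    if bucket is None:
        problems.append("destination is not a Cloud Storage bucket: %r" % destination)
        return problems
    roles = acl_roles_for_group(acl_entries, LOGS_GROUP)
    if "OWNER" not in roles:
        found = ", ".join(sorted(roles)) or "no role"
        problems.append(
            "bucket %s grants %s to %s; OWNER is required" % (bucket, found, LOGS_GROUP)
        )
    return problems


# Constructed sample ACLs in the bucketAccessControls shape.
ACL_MISSING_GRANT = [
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "user-someone@example.com", "role": "READER"},
]
ACL_WITH_GRANT = ACL_MISSING_GRANT + [
    {"entity": "group-cloud-logs@google.com", "role": "OWNER"},
]

if __name__ == "__main__":
    for acl in (ACL_MISSING_GRANT, ACL_WITH_GRANT):
        print(sink_bucket_problems("storage.googleapis.com/my-log-bucket", acl) or "ok")
```

The check is deliberately read-only: it tells you what to fix rather than granting anything, which fits the "no magic" position taken later in the thread about libraries silently adding bucket permissions.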
Yep, needing to grant that account ownership of the bucket is what we've seen as well. |
Actually I don't think I ever set up the ACL like that, so thanks, I'll try it. |
@tseaver Adding |
@blowmage wrote:
@jgeewax Is there someplace where we can at least "argue with the ref" about this restriction? It seems perverse to deny service accounts the ability to create logging sinks, when they can create and delete storage buckets, pubsub topics, bigquery datasets, bigtable clusters, etc. |
I agree it would be nice if the service did this for us. My guess is that it has to do with Storage not using IAM for permissions. Is adding permissions to the bucket something we should do in our libraries when creating a sink? |
Pubsub uses IAM, and allows service accounts to create topics / subscriptions.
Good question. Doing so "magically" would feel wrong to me. Maybe we should expose convenience functions, e.g., |
FWIW, the logging API docs say:
I thought I had read (in the docs for @jgeewax we will need to ensure that the system account used by Travis has the |
@tseaver Do you have access to edit that project in the Cloud Console? |
@dhermes The only project which shows up for me in the "Manage all projects" view is my own. |
OK. I can make the changes. Send me an email with the changes you want? |
While working on a system test for Sink.create, I'm running into a permissions problem: Sinks.create is documented to require one of https://www.googleapis.com/auth/logging.admin or https://www.googleapis.com/auth/cloud-platform. My client is set up with all permissions for the logging API:
Do I have to do something in the developer control panel to enable sinks?