Basically I would like to toggle this setting via Azure CLI on an azure storage account that has already been created.
I need to toggle from Enabled(Selected Networks) to Enabled ( All Networks) and vice versa.
I tried to reproduce the same in my environment and got the below results:
I have one storage account where public network access is "Enabled from selected virtual networks" like below:
To toggle from "Enabled from Selected Networks" to "Enabled from All Networks" via Azure CLI, you can make use of below command:
az storage account update --resource-group group_name --name accountname --default-action Allow
I ran the above command in Azure Cloud Shell where it toggled to "Enabled from All Networks" after one refresh like below:
Now, to toggle from "Enabled from All Networks" to "Enabled from Selected Networks" via Azure CLI, you can make use of below command:
az storage account update --resource-group group_name --name accountname --default-action Deny
When I ran the above command, it again changed to "Enabled from Selected Networks" after one refresh like below:
Related
I would like to know whether it is possible to attached a service account created in my-project-a to a Google Compute Engine instance in say my-project-b?
The following command:
gcloud beta compute instances create my-instance \
--service-account=my-service-account#my-project-a.iam.gserviceaccount.com \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--project=my-project-b
gives me the following error:
(gcloud.beta.compute.instances.create) Could not fetch resource:
- The user does not have access to service account 'my-service-account#my-project-a.iam.gserviceaccount.com'. User: 'me#mysite.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account. me#mysite.com is my account and I'm the owner of the org.
Not sure whether this is related, but looking at the UI (in my-project-b) there is no option to add a service account from any other projects. I was hoping to be able to add the account my-service-account#my-project-a.iam.gserviceaccount.com
You could follow these steps to authenticate a service account from my-project-a to an instance in my-project-b:
Create a service account in my-project-a with the proper role for compute engine
Download the JSON file.
Copy the my-project-a new service account email
On my-project-b, add a team member by using the copied email from the previous step
Connect via SSH to your instance in my-project-b
Copy the JSON file from the step 2 on your my-project-b instance
Run the following command to activate the service account:
gcloud auth activate-service-account --key-file=YOUR_JSON_FILE
Verify by using the following command:
gcloud auth list
Once you have a vpn tunnel up and running there does not appear to be a method to view all the details of the tunnel from either the Google Cloud Console or the gcloud command line. Specifically the route policies that were configured when the tunnel was initially setup are missing from the describe.
Is there a method to see this information?
This a known behavior. The Developers Console doesn't set the remoteTrafficSelector when creating the tunnels through it.
The Developers Console creates the necessary routes and shows the "Remote ranges" based on them.
The workaround is to create the VPN tunnels using the Compute API or Cloud SDK with the following command:
gcloud compute vpn-tunnels create NAME --region=REGION --peer-address=PEER_ADDRESS --shared-secret=SHARED_SECRET --target-vpn-gateway=TARGET_VPN_GATEWAY --local-traffic-selector=CIDR --remote-traffic-selector=CIDR
You can click on the star icon in the Public Issue Tracker to get updates when there is any progress on it.
Note: This doesn't have any impact on the VPN tunnel functionality.
I'm trying to set up read/write access to a Cloud Storage bucket from a GCE instance, using a service account, but don't get the permissions. I have done the following:
Created service account, let's say 'my-sa'
Created a bucket, let's say 'my-bucket'
In IAM console for my project, assign role 'Cloud Storage admin' to service account
Created a new GCE instance via the console, assigned to service account 'my-sa'. Access scope is then automatically set to cloud-platform
Connect to instance using gcloud compute ssh as my user (project owner)
Run gsutil ls gs://my-bucket
Expected behaviour: get list of items in bucket
Observed behaviour:
gsutil takes about 5 seconds to think, then gives:
AccessDeniedException: 403 my-sa#my-project.iam.gserviceaccount.com does not have storage.objects.list access to bucket my-bucket.
Things I've tried:
gcloud auth list on the instance does show the service account, and shows it as being active
I've added more permissions to the service account (up to project owner), doesn't make a difference
I also can't use other permissions from the instance. When I give Compute Engine Admin role to the service account, I can't run gcloud compute instances list from the instance
I've removed the .gsutil dir to make sure the cache is cleared
With the default Compute Engine service account, I can list the buckets, but not write (as expected). When I add the Cloud Storage read/write access scope from the console, I can also write
I really don't have a clue on how to debug this anymore, so any help would be much apprreciated
I was having issues with internet access on a Windows Server 2012 VM, and accidentally disabled the NIC via RDP. Now I can't access the VM.
I tried editing the instance from console; I wanted to add a 2nd NIC, but couldn't do so. I saw something about having to add another "network" but couldn't figure it out.
Is there any way to re-access this VM??
You can re-enable the network interface on the Windows VM using the Serial port.
Try these steps:
Open the VM instance page from the Google Cloud Platform Console.
Click Edit on the top bar.
Enable the Enable connecting to serial ports option and click Save.
Start the VM if it isn't already running.
You will be taken back to the VM's info page and now you can select Connect to Serial port dropdown, select Port 2.
A new window will open up and you will get the Special Administration Console (SAC). Run cmd in this serial command prompt.
Open up Command prompt channel by pressing Esc + Tab.
You will have to login as admin on that instance using your admin credentials.
In the command prompt, you can enable back your network interface by running these commands:
Commands:
# List all network adapters - The name is important
netsh interface show interface
# Enable the network adapter
netsh interface set interface "MY_NETWORK_ADAPTER_NAME" admin=enable
Your instance's network adapter should now be enabled and you should have network access to your VM now.
I have observed similar problem on a windows server, where it was not able to resolve Metadata server and auto assigned an APIPA address 169.254.x.x
Performed troubleshooting steps as per Google documentation, also tried with restarting network related services, nothing worked. Finally reached to this post and tried the following and it got fixed..!
netsh interface set interface name="NAME OF INTERFACE" admin=disabled
netsh interface set interface name="NAME OF INTERFACE" admin=enabled
Not sure why windows behaves as such, Hope this helps
I'm trying to do gcloud init on my fresh GCE instance using a service account that I've created in the Developers Console. In the Developers Console, I see a few service accounts under Permissions, which I can't generate private key files for; I also see a service account that I made under Service accounts which I can get private keys for.
When I do gcloud init on the GCE instance, under "Pick credentials to use", I only see the service accounts in the Permissions tab (for which I don't have private keys). I'd like to use the service account that I have private keys for.
I can log in with my personal account for now, but this isn't scalable. Any advice?
You can use gcloud auth activate-service-account command to get credentials via the private key for a service account. For more information and example please visit this link.
Elaborating on #Kamaran's answer after further discussion.
The basic solution is to enable the service account on the GCE instance.
First use gcloud compute copy-files <private json key file> <instance name>:remote/path/to/key to copy the file to the remote instance. Then run gcloud auth activate-service-account <service account address> --key-file remote/path/to/key command on the remote. The new service account will then be available in the gcloud init menu.