How to enable access to datastore for root user - google-compute-engine

I'm trying to use the nodejs lib for Datastore from a Compute Engine machine. The code runs well when I run it with my user on the Compute Engine machine. But when I run it with sudo I get an error of Request had insufficient authentication scopes. Looking at the setting of the machine, I found that the service account of the machine does not have access to Datastore - but no option to enable access!
How do I grant the root user access to Datastore?

Set IAM permissions for service accounts in "Developer Console -> IAM & Admin -> IAM".

Related

not able to login in google cloud storage sql instance

I made instance in Google Cloud > Storage > SQL > MYSQL. Now I have to import database in it so I am trying to connect to MYSQL
using adminer, but it gives following error
SQLSTATE[HY000] [2002] Operation timed out
I also tried via HeidiSQL > MariaDB or MYSQL (SSL Tunnel) but here also it does not connect and gives error
https://prnt.sc/o58in0
I am mentioning
Host: Public Ip of SQL instance
Username: root
Any suggestions, what could be the fix?
Your error typically means that a firewall blocked your connection attempt.
For Cloud SQL, this typically means that you have not enabled instance-level access.
Since your error is 10060, which is a Windows WinSock error message, I am assuming that you are running on Windows. The steps are similar for Linux.
There are two methods to enable access to Cloud SQL:
Cloud SQL Proxy
This is the recommended method and is secure. Download and install the Cloud SQL Proxy to your the computer that you want to connect from. If you have set up the Cloud SDK (gcloud), Cloud SQL Proxy will use your Cloud SDK credentials. If not, then you will need to create and download a service account with (usually) the Cloud SQL Client role.
You will need the "instance connection name" from Cloud SQL Instance details page.
Download Cloud SQL Proxy (link) to your computer. Remember the full path to the program. Save the program as "cloud_sql_proxy.exe"
Start the Cloud SQL Proxy
[full_path_to_program]\cloud_sql_proxy -instances=[INSTANCE_CONNECTION_NAME]=tcp:3306
OR
[full_path_to_program]\cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:3306 -credential_file=[PATH_TO_KEY_FILE]
Connect using mysql.exe: `mysql -u USERNAME -p --host 127.0.0.1
Public IP Method
The second method is not secure unless you also enable SSL, which I will not cover in this answer. I do not recommend this method except for knowledgeable persons.
Figure out what your public IP address is. Go to any website such as "MXToolbox" https://mxtoolbox.com/whatismyip/
Go to the Google Cloud Console
Go to the Cloud SQL Instances Details page
Select the Connections tab
Click Add network
In the Network field, enter your Public IP address using CIDR notice: eg 145.11.22.33/32
Enter a name such as "My Home IP"
Click Done
Click Save
Note: Most home Internet services change your Public IP address periodically. This means that you will need to update your Public IP address in Cloud SQL if you are using the second method.

GCE instance does not get permissions from service acount

I'm trying to set up read/write access to a Cloud Storage bucket from a GCE instance, using a service account, but don't get the permissions. I have done the following:
Created service account, let's say 'my-sa'
Created a bucket, let's say 'my-bucket'
In IAM console for my project, assign role 'Cloud Storage admin' to service account
Created a new GCE instance via the console, assigned to service account 'my-sa'. Access scope is then automatically set to cloud-platform
Connect to instance using gcloud compute ssh as my user (project owner)
Run gsutil ls gs://my-bucket
Expected behaviour: get list of items in bucket
Observed behaviour:
gsutil takes about 5 seconds to think, then gives:
AccessDeniedException: 403 my-sa#my-project.iam.gserviceaccount.com does not have storage.objects.list access to bucket my-bucket.
Things I've tried:
gcloud auth list on the instance does show the service account, and shows it as being active
I've added more permissions to the service account (up to project owner), doesn't make a difference
I also can't use other permissions from the instance. When I give Compute Engine Admin role to the service account, I can't run gcloud compute instances list from the instance
I've removed the .gsutil dir to make sure the cache is cleared
With the default Compute Engine service account, I can list the buckets, but not write (as expected). When I add the Cloud Storage read/write access scope from the console, I can also write
I really don't have a clue on how to debug this anymore, so any help would be much apprreciated

Grant Remote Access to mysql server installed on Google Compute Engine

i have followed all instructions give across google but somehow i am unable to get access from my desktop to a remote mysql database installed on Google Compute Engine.
I have done the following
a) create user and grant him permissions to get access remotely
b) allow the port in firewall
c) comment out bind-address
but still i get the error
when i try to connect from my remote windows client.
where i am i missing a required step??? Please help...
Ensure that you have allowed TCP traffic from your location to VM in question to port 3306 on a project level in Cloud Console or using CLI:
gcloud compute firewall-rules list
More about setting up firewalls in official documentation:
https://cloud.google.com/compute/docs/vpc/firewalls
As far as I can tell, google doesn't allow remote connections to a mysql DB on cloud engine. Only between VMs, but now with an external client.
It is only allowed if you are using a dedicated Cloud SQL instance
See the first paragraph on this article (I'd be happy to be proven wrong though):
https://cloud.google.com/solutions/mysql-remote-access
Near the bottom they indicate non-compute engine access is out of scope for the article, but tells you to basically do the same stuff and set the google firewall for external access and the db user to access from outside.

Access MySQL server remotely

I install mysql manually by sshing the virtual disk of google compute engine . I already create user by following this mysql-adding-user-for-remote-access
and I bind address = 0.0.0.0 then restart mysql service, when I connect remotely using external ip address and the created user it doesn't work. How can I connect I am using HeidiSQL mysql client tool.
Thank you in advance.
By default - the mysql port is closed on google cloud platform. If you want to allow external access you should open that port in the firewall.
To do so you can run (using gcloud):
$ gcloud compute firewall-rules create "mysql-remote-access" --allow tcp:3306 --source-tags "mysql-client" --target-tags "mysql-server"
(Or use the CONSOLE for that: https://console.cloud.google.com/firewalls/add?_ga=1.140859190.569287361.1481048942 )
Note that you will also need to create a user (in mysql) that has access privileges from your own IP, and set this user privileges to allow access to the database you are using).
In my case, I had to also open the firewall within Windows in addition to opening the port using Google VPC networking.
Make sure both boxes (public and private) are checked next to MySQL 57 in the Windows Firewall app.

Report Manager - Access to the temp directory is denied

I'm trying to access the Reporting Services 2005 Report Manager locally on a Windows Server 2003 server and I'm getting the following error:
Access to the temp directory is denied. Identity 'DOMAIN\login'
under which XmlSerializer is running does not have sufficient
permission to access the temp directory. CodeDom will use the user
account the process is using to do the compilation, so if the user
doesnt have access to system temp directory, you will not be able to
compile. Use Path.GetTempPath() API to find out the temp directory
location.
The DOMAIN\login given in the error message is my user login account. The Reports virtual directory in the Default Web Site is configured to use the DefaultAppPool which is configured to run as the Network Service identity. The SQL Server Reporting Services windows service is configured to use a separate domain service account.
Grant the NETWORK SERVICE account read/write/modify access to the C:\WINDOWS\Temp directory.