'Permissions for creating OAuth credentials in Google Cloud

Using IAM, I am trying to allow certain users to access API's and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.

It's when the user is in their project, and they go to "APIs and Services" > Credentials, the user receives this error: You don't have permission to view API keys, OAuth clients, and service account keys.

Roles/Permissions: -App Engine Admin -Cloud Functions Developer -Cloud Datastore Owner -Service Account Admin -Source Repository Administrator -Storage Admin

google-app-enginepermissionsgoogle-cloud-platform


Solution 1:[1]

So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.

I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:

"Custom API"

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • serviceusage.apiKeys.create
  • serviceusage.apiKeys.delete
  • serviceusage.apiKeys.get
  • serviceusage.apiKeys.getProjectForKey
  • serviceusage.apiKeys.list
  • serviceusage.apiKeys.regenerate
  • serviceusage.apiKeys.revert
  • serviceusage.apiKeys.update

"Custom Client Auth"

  • clientauthconfig.brands.create
  • clientauthconfig.brands.delete
  • clientauthconfig.brands.get
  • clientauthconfig.brands.list
  • clientauthconfig.brands.update
  • clientauthconfig.clients.create
  • clientauthconfig.clients.createSecret
  • clientauthconfig.clients.delete
  • clientauthconfig.clients.get
  • clientauthconfig.clients.getWithSecret
  • clientauthconfig.clients.list
  • clientauthconfig.clients.listWithSecrets
  • clientauthconfig.clients.undelete
  • clientauthconfig.clients.update

*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.

Solution 2:[2]

You can go to the roles page: https://console.cloud.google.com/iam-admin/roles?project=[your-project-id]

And there you can filter for the permission you need: enter image description here

Now you can see in the list all the roles include the permission you need, and you can return to the IAM page: https://console.cloud.google.com/iam-admin/iam?project=[your-project-id]

And select one of those rules:

enter image description here

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 bryce
Solution 2 Israel

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

how to keep GKE cluster nodes in different regions?

Google Cloud TTS API for M1 Mac

Is it possible to render a video from AfterEffects in a Google Collaboratory notebook?

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Attribute Error when importing SpeechClient from google.cloud.speech

GCP Cost billing data

What is the difference between gcloud and gsutil?

Volume not persistent in Google Cloud

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How to create a empty folder in google storage(bucket) using gsutil command?

How can size of the root disk in Google Compute Engine be increased?

Cannot switch Firestore from Datastore to native mode on GCP

action console simulator is not working and I cannot release my project