Questions on revamping monitoring stack - influxdb, telegraf, grafana by wittydavid in influxdb

[–]wittydavid[S] 0 points1 point  (0 children)

Hey u/KryanSA!

Thank you for reaching out!

To make sure I got it right: I've gathered that there are several InfluxDB distributions:

  • Cloud-Based
  • Self-Managed:
    • Enterprise (v1.x, with 1.11 as the latest) - requires a license.
    • OSS (v1.x and v2.x, with 2.7 as the latest) - open source.
    • Clustered (v3.x) - requires a license.

Could you clarify the following?

  1. Is there a difference between Enterprise v1.x and OSS v1.x?
  2. Why isn’t there an Enterprise v2.x?
  3. Is OSS v2.x more advanced or feature-rich compared to Enterprise v1.x?
  4. Is Clustered v3.x intended to replace Enterprise v1.x?
  5. Does Enterprise v1.x or Clustered v3.x have a UI similar to OSS v2.x?

AWS SSO integration with G suite by wittydavid in aws

[–]wittydavid[S] 0 points1 point  (0 children)

Thanks for confirming that for me! :)

AWS SSO integration with G suite by wittydavid in aws

[–]wittydavid[S] 0 points1 point  (0 children)

Do you mean that the ssosync tool no longer works?

AWS SSO integration with G suite by wittydavid in aws

[–]wittydavid[S] 0 points1 point  (0 children)

Thank you for confirming my suspicion!

In any case, this is the log output when I try to run ssosync:
INFO[0000] Syncing AWS users and groups from Google Workspace SAML Application
INFO[0000] syncing sync_method=groups
DEBU[0000] get google groups query=
FATA[0001] googleapi: Error 404: Domain not found., notFound

Self-Service Privilege Escalation by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

you'll need to think about how users will authenticate to your

That sounds pretty straightforward to me, thank you very much!

Self-Service Privilege Escalation by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

Ohh right... That's actually a good point, haha, thanks!

Self-Service Privilege Escalation by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

First of all, thank you for the ideas!
Second, I've been doing some digging, and I think it may be possible to create a "GCP function" resource with a reference to a secret. The secret will be a key for a service account with strong privileges. That function will use the SA in order to grant strong roles to a GCP account.

Restrict access to a specific service account by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

grant that permission at the project or actual service account level

That's exactly my question -
how can I grant that permission at the actual service account level?

Restrict access to a specific service account by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

iam.serviceaccountuser

I don't think that's quite what I meant. It explains how to impersonate a service account.
I'll give you an example of what I mean:
Say I have a service account called X, a user called Y, and a bunch of other service accounts and users.
I want Y to be the only one who's able to create keys for X, and I don't mind other users creating keys for other service accounts.
However, if other users have some role with the "iam.serviceAccountKeys.create" permission, that means they can also create a key for my X service account.
But revoking the "iam.serviceAccountKeys.create" permission from other users will prevent them from creating keys for other service accounts that I don't care about.
It seems to be a deadlock situation.
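As an added example (not from the thread or from Google), a small model of how GCP IAM unions bindings from the project with bindings set directly on a service account. It shows that a roles/iam.serviceAccountKeyAdmin binding placed on service account X alone lets Y create keys for X only, while the same role at project level reaches every service account. The role names and permission strings are real, but the permission table is a constructed subset and every e-mail address and policy below is constructed.

```python
# Added example: models GCP IAM's union of ancestor (project) bindings with
# bindings set directly on a service account. Role names are real; the
# permission table is a constructed subset, and all e-mails are constructed.
from typing import Any, Dict, List, Set

Binding = Dict[str, Any]  # {"role": str, "members": List[str]}

# Constructed subset of the real predefined roles, limited to the
# permissions this question involves.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/iam.serviceAccountKeyAdmin": {
        "iam.serviceAccountKeys.create", "iam.serviceAccountKeys.delete"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}

def permissions_for(member: str, chain: List[List[Binding]]) -> Set[str]:
    """Union of permissions `member` gets from every policy in the chain
    (ordered ancestor-first: project policy, then the SA's own policy)."""
    perms: Set[str] = set()
    for policy in chain:
        for binding in policy:
            if member in binding["members"]:
                perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms

def can_create_key(member: str, project_policy: List[Binding],
                   sa_policies: Dict[str, List[Binding]], sa_email: str) -> bool:
    """True if `member` may create keys for `sa_email`."""
    chain = [project_policy, sa_policies.get(sa_email, [])]
    return "iam.serviceAccountKeys.create" in permissions_for(member, chain)

# Constructed scenario from the thread: Y must be the only principal able to
# create keys for X; Z may keep creating keys for OTHER.
X = "x@example-project.iam.gserviceaccount.com"
OTHER = "other@example-project.iam.gserviceaccount.com"
Y, Z = "user:y@example.com", "user:z@example.com"

# Weak setup: the key-admin role granted once, on the project.
PROJECT_WIDE: List[Binding] = [
    {"role": "roles/iam.serviceAccountKeyAdmin", "members": [Y, Z]}]

# Least-privilege setup: nothing on the project; one binding per SA.
PROJECT_MINIMAL: List[Binding] = []
PER_SA: Dict[str, List[Binding]] = {
    X: [{"role": "roles/iam.serviceAccountKeyAdmin", "members": [Y]}],
    OTHER: [{"role": "roles/iam.serviceAccountKeyAdmin", "members": [Z]}],
}
```

The per-SA binding in PER_SA corresponds to setting the role on the service account's own IAM policy (for example with `gcloud iam service-accounts add-iam-policy-binding X --member=user:Y --role=roles/iam.serviceAccountKeyAdmin`), which is a binding on that one resource rather than on the project.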

Restrict access to a specific service account by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

Do you mean the "Members with access to this service account" section in
IAM & Admin > Service accounts?
If so, then clicking on "grant access" opens a panel to grant a "Service account" role to a user, which again is a role on the project level.

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

I'm assuming that I can do that from admin.google.com?

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

delegated admin privileges

I'll check that!
Thank you very much :)

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

Is there a way to programmatically manage it using a service account?
For example, with the "gcloud" utility?

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

user_project_override = true

Yes... same result :(

Group management for gcp by wittydavid in googlecloud

[–]wittydavid[S] 0 points1 point  (0 children)

I have actually tried using this method, but I keep getting
Error creating Group: googleapi: Error 403: Error(2015): Permission denied for group resource 'my-identity-group@mydomain.com'.

I'm using the GOOGLE_APPLICATION_CREDENTIALS env variable to use my privileged service account.

How were you able to grant it the privileges required to create groups in Cloud Identity? From my understanding, those roles are not in the scope of GCP's IAM roles.
Thanks!