Request missing permissions

This document describes how you can request missing permissions when you encounter a permission error message.

If you don't have permission to modify access-related policies in your organization, you must send an administrator an access request using the context from the error message. You can't resolve the permission errors on your own.

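You can request access in the following ways:

  • Request the required permissions.
  • Request a role, if the permission error is caused by an allow policy.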

If you're using the Cloud de Confiance console and you have the permissions required to grant roles, then you can grant yourself the role directly from the error message instead of requesting it. For more information, see Self-grant a role in the Cloud de Confiance console.

Request the required permissions

To request the required permissions, do the following:

Console

  1. In the list of missing permissions, click Request permissions.

  2. In the Request Access panel, choose how you want to notify your administrator:

    • If your organization supports Essential Contacts and allows auto-generated access request emails, then you can send an auto-generated email to your organization's technical Essential Contact. To send this email, do the following:

      1. Select Send auto-generated email.
      2. Add any context about the request that you want to include.
      3. Click Send request.
    • To copy the access request and paste it into your preferred request management system, do the following:

      1. If your organization supports Essential Contacts and allows auto-generated emails but you want to send the notification manually, select Notify manually.
      2. Add any context about the request that you want to include.
      3. Click Copy message.
      4. Paste the request into your preferred request management system.

    Your administrator receives your access request, along with any additional context that you provided.

gcloud

Copy the list of missing permissions from the error message, then use your preferred request management system to ask an administrator to give you these permissions.

REST

Copy the list of missing permissions from the error message, then use your preferred request management system to ask an administrator to give you these permissions.

Request a role

If the permission error is caused by an allow policy, then you can request that an administrator grant you a role with the required permissions to resolve the error.

If the error is caused by a different policy type or if you aren't sure which policy type is causing the error, then request the required permissions instead.

Console

  1. In the Request a specific role section, review the list of recommended roles and choose the one that you want to request. You can click the roles to view more details about them. This section is only visible if the permission error is caused by an allow policy.

  2. Click the role that you've chosen, then click Request role.

  3. In the Request Access panel, choose one of the options for notifying your administrator:

    • If your organization supports Essential Contacts and allows auto-generated access request emails, then you can send an auto-generated email to your organization's technical Essential Contact. To send this email, do the following:

      1. Select Send auto-generated email.
      2. Add any context about the request that you want to include.
      3. Click Send request.
    • To copy the access request and paste it into your preferred request management system, do the following:

      1. If your organization supports Essential Contacts and allows auto-generated emails but you want to send the notification manually, select Notify manually.
      2. Add any context about the request that you want to include.
      3. Click Copy message.
      4. Paste the request into your preferred request management system.

    Your administrator receives your access request, along with any additional context that you provided.

gcloud

  1. Identify an IAM role that contains the missing permissions.

    To see all of the roles that a given permission is included in, search for the permission in the IAM roles and permissions index, then click the permission name.

    If no predefined roles match your use case, then you can create a custom role instead.

  2. Use your preferred request management system to request that an administrator grant you the role.

REST

  1. Identify an IAM role that contains the missing permissions.

    To see all of the roles that a given permission is included in, search for the permission in the IAM roles and permissions index, then click the permission name.

    If no predefined roles match your use case, then you can create a custom role instead.

  2. Use your preferred request management system to request that an administrator grant you the role.
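The gcloud and REST steps above (copy the missing permissions, identify a role that contains them, file the request) can be scripted. The following is an added example, not part of the original documentation: it pulls the permissions out of an error body, ranks the roles that cover all of them by how few extra permissions they carry, and builds the request text. The error JSON layout, the abridged role catalog, and the principal and project names are constructed assumptions.

```python
import json

# Constructed REST error body. The ErrorInfo layout (one "permission" entry per
# detail) is an assumption; adapt the parser to the error you actually receive.
SAMPLE_ERROR = json.dumps({"error": {"code": 403, "status": "PERMISSION_DENIED", "details": [
    {"reason": "IAM_PERMISSION_DENIED", "metadata": {"permission": "storage.objects.get"}},
    {"reason": "IAM_PERMISSION_DENIED", "metadata": {"permission": "storage.objects.list"}},
]}})

# Constructed, abridged role contents; real ones come from the IAM roles index.
READ = {"storage.objects.get", "storage.objects.list"}
WRITE = READ | {"storage.objects.create", "storage.objects.delete"}
ROLE_CATALOG = {
    "roles/storage.objectViewer": READ,
    "roles/storage.objectAdmin": WRITE,
    "roles/storage.admin": WRITE | {"storage.buckets.get", "storage.buckets.delete"},
}


def missing_permissions(error_body):
    """Return the sorted, de-duplicated permissions named in a 403 error body."""
    error = json.loads(error_body).get("error", {})
    if error.get("status") != "PERMISSION_DENIED":
        return []
    found = {d.get("metadata", {}).get("permission") for d in error.get("details", [])}
    return sorted(p for p in found if p)


def candidate_roles(missing, catalog):
    """Roles containing every missing permission, fewest extra permissions first."""
    need = set(missing)
    covering = [(len(p - need), role) for role, p in catalog.items() if need and need <= p]
    return [role for _, role in sorted(covering)]


def access_request(principal, resource, missing, catalog):
    """Build the text to paste into a request management system."""
    roles = candidate_roles(missing, catalog)
    lines = [f"Access request for {principal} on {resource}",
             "Missing permissions: " + ", ".join(missing)]
    if roles:
        lines.append(f"Requested role (fewest extra permissions): {roles[0]}")
    else:
        lines.append("No single role covers these; consider a custom role.")
    return "\n".join(lines)


if __name__ == "__main__":
    perms = missing_permissions(SAMPLE_ERROR)
    print(access_request("user:alex@example.com", "projects/example-project", perms, ROLE_CATALOG))
```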

Self-grant a role in the Cloud de Confiance console

If you encounter a permission error in the Cloud de Confiance console and you have the permissions required to grant roles, then you can grant yourself a role directly from the permission error message:

  1. In the Select a role to grant section, review the list of recommended roles and choose the one that you want to grant yourself. You can click the roles to view more details about them.

  2. To grant the role that you've chosen, click the role, then click Grant access.
