Bug Description
In gem4gov-cli/auth.py, check_roles() verifies the operator's IAM by calling projects.getIamPolicy, extracting only direct user:<email> members from the returned bindings, and comparing the bound role NAMES against a hardcoded list — roles/discoveryengine.admin, roles/aiplatform.admin, roles/serviceusage.serviceUsageAdmin, roles/storage.admin, roles/bigquery.admin. This conflates role assignment with effective permission, so it emits a false "You are missing the following required roles" warning for any operator who actually HAS the permissions but not those exact named bindings: a user with roles/owner (which grants them all), a user with a custom role that bundles the permissions, or a user who holds the roles via GROUP membership (only direct user: bindings are matched — group: and inherited/ancestor bindings are ignored). onboard then prints the missing-roles list and asks "Would you like to continue the Onboarding process anyway? [y/N]". The warning is benign (it does not block, and the operation later succeeds because the permissions are in fact present) but it misleads the operator into thinking their environment is misconfigured.
Environment and Deployment Context
- Stellar Engine Version/Commit:
main (gem4gov-cli/auth.py check_roles, gem4gov.py onboard)
- Deployment Type:
- Affected Component:
blueprints/fedramp-high/gemini-enterprise/gem4gov-cli/auth.py — check_roles() (getIamPolicy binding-scan of direct user: members vs a hardcoded required_roles list); called from gem4gov.py onboard().
Steps to Reproduce
- As an operator who holds
roles/owner on the project (or the required permissions via a custom role, or via a group) but does NOT have the five named roles bound directly to user:<email>, run gem4gov onboard.
- At the IAM role check, onboard prints "You are missing the following required roles:" and lists all five, then asks whether to continue anyway.
- Answer
y; onboarding proceeds and succeeds — confirming the operator had the effective permissions all along, so the warning was false.
Expected Behavior
check_roles() should verify the operator's EFFECTIVE permissions — e.g. projects.testIamPermissions with the specific permissions onboarding needs — so that Owner / custom-role / group-inherited operators pass silently, and a warning is emitted only when an effective permission is genuinely absent.
Actual Behavior
A false "missing roles" warning fires for any Owner / custom-role / group-based operator, on every run, even though onboarding then succeeds — training operators to ignore a check that could one day be real.
Relevant Logs and Errors
You are missing the following required roles:
- roles/discoveryengine.admin
- roles/aiplatform.admin
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/bigquery.admin
Please grant your user these IAM roles OR confirm that your current set of roles gives you the same permissions that make up these missing roles (i.e. Owner).
Would you like to continue the Onboarding process anyway? [y/N]:
Additional Context
Same class as the other "cries wolf" false-signal issues (#133/#134/#135). The fix is localized to check_roles: replace the getIamPolicy binding-scan with a projects.testIamPermissions call over the specific permissions onboarding needs (the IAM API resolves Owner, custom roles, group inheritance, and deny policies server-side), and warn only on permissions that come back missing — optionally still suggesting "grant roles/X" as the remedy hint. No new dependencies (same googleapiclient); testIamPermissions accepts up to 100 permissions per call.
Bug Description
In
gem4gov-cli/auth.py,check_roles()verifies the operator's IAM by callingprojects.getIamPolicy, extracting only directuser:<email>members from the returned bindings, and comparing the bound role NAMES against a hardcoded list —roles/discoveryengine.admin,roles/aiplatform.admin,roles/serviceusage.serviceUsageAdmin,roles/storage.admin,roles/bigquery.admin. This conflates role assignment with effective permission, so it emits a false "You are missing the following required roles" warning for any operator who actually HAS the permissions but not those exact named bindings: a user withroles/owner(which grants them all), a user with a custom role that bundles the permissions, or a user who holds the roles via GROUP membership (only directuser:bindings are matched —group:and inherited/ancestor bindings are ignored). onboard then prints the missing-roles list and asks "Would you like to continue the Onboarding process anyway? [y/N]". The warning is benign (it does not block, and the operation later succeeds because the permissions are in fact present) but it misleads the operator into thinking their environment is misconfigured.Environment and Deployment Context
main(gem4gov-cli/auth.pycheck_roles, gem4gov.pyonboard)blueprints/fedramp-high/gemini-enterprise/gem4gov-cli/auth.py—check_roles()(getIamPolicy binding-scan of directuser:members vs a hardcodedrequired_roleslist); called fromgem4gov.pyonboard().Steps to Reproduce
roles/owneron the project (or the required permissions via a custom role, or via a group) but does NOT have the five named roles bound directly touser:<email>, rungem4gov onboard.y; onboarding proceeds and succeeds — confirming the operator had the effective permissions all along, so the warning was false.Expected Behavior
check_roles()should verify the operator's EFFECTIVE permissions — e.g.projects.testIamPermissionswith the specific permissions onboarding needs — so that Owner / custom-role / group-inherited operators pass silently, and a warning is emitted only when an effective permission is genuinely absent.Actual Behavior
A false "missing roles" warning fires for any Owner / custom-role / group-based operator, on every run, even though onboarding then succeeds — training operators to ignore a check that could one day be real.
Relevant Logs and Errors
Additional Context
Same class as the other "cries wolf" false-signal issues (#133/#134/#135). The fix is localized to
check_roles: replace thegetIamPolicybinding-scan with aprojects.testIamPermissionscall over the specific permissions onboarding needs (the IAM API resolves Owner, custom roles, group inheritance, and deny policies server-side), and warn only on permissions that come back missing — optionally still suggesting "grantroles/X" as the remedy hint. No new dependencies (samegoogleapiclient); testIamPermissions accepts up to 100 permissions per call.