Skip to content

[Bug] gem4gov check_roles reports false "missing roles" for Owner / custom / group-inherited permissions — check effective permissions with testIamPermissions #143

Description

@JohnHales

Bug Description

In gem4gov-cli/auth.py, check_roles() verifies the operator's IAM by calling projects.getIamPolicy, extracting only direct user:<email> members from the returned bindings, and comparing the bound role NAMES against a hardcoded list — roles/discoveryengine.admin, roles/aiplatform.admin, roles/serviceusage.serviceUsageAdmin, roles/storage.admin, roles/bigquery.admin. This conflates role assignment with effective permission, so it emits a false "You are missing the following required roles" warning for any operator who actually HAS the permissions but not those exact named bindings: a user with roles/owner (which grants them all), a user with a custom role that bundles the permissions, or a user who holds the roles via GROUP membership (only direct user: bindings are matched — group: and inherited/ancestor bindings are ignored). onboard then prints the missing-roles list and asks "Would you like to continue the Onboarding process anyway? [y/N]". The warning is benign (it does not block, and the operation later succeeds because the permissions are in fact present) but it misleads the operator into thinking their environment is misconfigured.

Environment and Deployment Context

  • Stellar Engine Version/Commit: main (gem4gov-cli/auth.py check_roles, gem4gov.py onboard)
  • Deployment Type:
    • US Region Restricted (e.g., Access Policy constraint)
    • FedRAMP Medium
    • FedRAMP High
    • DoD IL4
    • DoD IL5
    • Stand-alone / Custom
  • Affected Component: blueprints/fedramp-high/gemini-enterprise/gem4gov-cli/auth.pycheck_roles() (getIamPolicy binding-scan of direct user: members vs a hardcoded required_roles list); called from gem4gov.py onboard().

Steps to Reproduce

  1. As an operator who holds roles/owner on the project (or the required permissions via a custom role, or via a group) but does NOT have the five named roles bound directly to user:<email>, run gem4gov onboard.
  2. At the IAM role check, onboard prints "You are missing the following required roles:" and lists all five, then asks whether to continue anyway.
  3. Answer y; onboarding proceeds and succeeds — confirming the operator had the effective permissions all along, so the warning was false.

Expected Behavior

check_roles() should verify the operator's EFFECTIVE permissions — e.g. projects.testIamPermissions with the specific permissions onboarding needs — so that Owner / custom-role / group-inherited operators pass silently, and a warning is emitted only when an effective permission is genuinely absent.

Actual Behavior

A false "missing roles" warning fires for any Owner / custom-role / group-based operator, on every run, even though onboarding then succeeds — training operators to ignore a check that could one day be real.

Relevant Logs and Errors

You are missing the following required roles:
- roles/discoveryengine.admin
- roles/aiplatform.admin
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/bigquery.admin
Please grant your user these IAM roles OR confirm that your current set of roles gives you the same permissions that make up these missing roles (i.e. Owner).
Would you like to continue the Onboarding process anyway? [y/N]:

Additional Context

Same class as the other "cries wolf" false-signal issues (#133/#134/#135). The fix is localized to check_roles: replace the getIamPolicy binding-scan with a projects.testIamPermissions call over the specific permissions onboarding needs (the IAM API resolves Owner, custom roles, group inheritance, and deny policies server-side), and warn only on permissions that come back missing — optionally still suggesting "grant roles/X" as the remedy hint. No new dependencies (same googleapiclient); testIamPermissions accepts up to 100 permissions per call.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Level of Effort - LowQuick, well-defined tasks with no unknowns; takes a few hours up to one day to completeLevel of Effort - MediumModerate task requiring thought and testing; typically takes a couple of days to a weekbugSomething isn't workinggemini for governmentGemini for Government (G4G) related

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions