Getting started with GCP here. Via

gcloud auth login

I’m authenticated as

Organization Administrator

. I want to create a new

Project

with a linked

ServiceAccount

. At

pulumi up

, I get a permission error:

error: Error waiting for creating folder: Error code 7, message: Permission 'resourcemanager.projects.create' denied on parent resource 'organizations/<my_org_number_here>'.

When I test my permissions here, logged in with the same account: https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions with:

{
  "permissions": [
    "resourcemanager.projects.create"
  ]
}

I get a correct “200 OK”. Where does Pulumi pick up the GCP credentials?

@limited-rainbow-51650 That’s my current understanding how Pulumi authenticates to GCP: https://github.com/pulumi/docs/pull/2162/

That’s the last thing I executed and it still doesn’t work. Then it must be a true permission problem. Pfff… Cloud IAM at the organization level is not easy to debug.

@limited-rainbow-51650 You’ve tried this service-account method? https://pulumi-community.slack.com/archives/CRFUR2DGB/p1582308605082300?thread_ts=1582306847.081600&cid=CRFUR2DGB

@stocky-island-3676 no, I added the

roles/resourcemanager.projectCreator

role to my account for the time being. It seems that org admin doesn’t have that role.

I added the

roles/resourcemanager.projectCreator

role to my account for the time being. It seems that org admin doesn’t have that role.

Aha. Was the https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions “200 OK” before adding that role to your account, as well?

Strangely yes.

Aha. So, does the service-account also have that additional role?

@stocky-island-3676 I misunderstood the API explorer. For

testIamPermisions

, you pass a list of permissions, and the call only returns the list of permissions you are granted. In the first call, I got

{}

😉

Aha 🙂