#google-cloud

limited-rainbow-51650

02/27/2020, 7:43 PM
Getting started with GCP here. Via `gcloud auth login` I’m authenticated as `Organization Administrator`. I want to create a new `Project` with a linked `ServiceAccount`. At `pulumi up`, I get a permission error:
error: Error waiting for creating folder: Error code 7, message: Permission 'resourcemanager.projects.create' denied on parent resource 'organizations/<my_org_number_here>'.
When I test my permissions here, logged in with the same account: https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions with:
{
  "permissions": [
    "resourcemanager.projects.create"
  ]
}
I get a correct “200 OK”. Where does Pulumi pick up the GCP credentials?

stocky-island-3676

02/27/2020, 8:06 PM
@limited-rainbow-51650 That’s my current understanding of how Pulumi authenticates to GCP: https://github.com/pulumi/docs/pull/2162/

limited-rainbow-51650

02/27/2020, 8:08 PM
That’s the last thing I executed and it still doesn’t work. Then it must be a true permission problem. Pfff… Cloud IAM at the organization level is not easy to debug.

stocky-island-3676

02/27/2020, 8:28 PM

limited-rainbow-51650

02/27/2020, 8:31 PM
@stocky-island-3676 no, I added the `roles/resourcemanager.projectCreator` role to my account for the time being. It seems that org admin doesn’t have that role.
But I will have to learn using a service account ASAP.

stocky-island-3676

02/27/2020, 8:34 PM
> I added the `roles/resourcemanager.projectCreator` role to my account for the time being. It seems that org admin doesn’t have that role.

Aha. Was the https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions “200 OK” before adding that role to your account, as well?

limited-rainbow-51650

02/27/2020, 8:34 PM
Strangely yes.

stocky-island-3676

02/27/2020, 8:35 PM
Aha. So, does the service-account also have that additional role?

limited-rainbow-51650

02/27/2020, 8:37 PM
@stocky-island-3676 I misunderstood the API explorer. For `testIamPermissions`, you pass a list of permissions, and the call only returns the list of permissions you are granted. In the first call, I got `{}` 😉

stocky-island-3676

02/27/2020, 8:44 PM
Aha 🙂