https://pulumi.com logo
Powered by
Title
a

astonishing-lifeguard-39886

12/26/2020, 12:32 PM
Hey all, I’m struggling with creating a gcp service account using another service account. I’m using serviceAccount package (golang) for creating another service account by 
account, err := serviceaccount.NewAccount(a.ctx, "new-account", &sa.AccountArgs{
  Project: pulumi.String(ctx.Project()),
  AccountId:   pulumi.String("new-account"),
  Description: pulumi.String("A new service account"),
  DisplayName: pulumi.String("A new service account"),
})
Doing this, Pulumi tells me 
Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project ...
For the service account I’m using to create another service account I granted Roles “Create Service Accounts” “Owner” “Project IAM Admin” What’s wrong with that? Using GCP REST API (https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest) works with that. go.mod is 
go 1.15

require (
	<http://github.com/pulumi/pulumi-gcp/sdk/v4|github.com/pulumi/pulumi-gcp/sdk/v4> v4.6.0
	<http://github.com/pulumi/pulumi/sdk/v2|github.com/pulumi/pulumi/sdk/v2> v2.16.1
)
Thank you in advance.
c

creamy-engine-1851

12/28/2020, 9:35 AM
Just by having the owner role it should work, also Create Service Account role has the 
iam.serviceAccounts.create
permission. I would look at: 1. Am I actually using that service account when I run 
pulumi up
(run 
gcloud config configurations list
) 2. Am I targeting the correct GCP project that this service account exist, if you have multiple it might be a mix up between projects. 3. Have I done the gcloud auth routine with choosen account described here: https://www.pulumi.com/docs/intro/cloud-providers/gcp/setup/#google-cloud-platform-gcp-setup OR setup the GOOGLE_CREDENTIALS environment variable for the service account
a

astonishing-lifeguard-39886

12/29/2020, 10:15 AM
Thanks for your reply @creamy-engine-1851 I’m very sure authentications are setup correctly. 
gcloud config configurations list
shows the service account. When I’m creating the account using REST Api 
curl -X POST \                                                                                                                                                                                                                                                                                                                                                                                    ─╯
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d '{ "accountId": "test-sa-name", "serviceAccount": { "description": "sa-description", "displayName": "sa-display-name" } }' \
<https://iam.googleapis.com/v1/projects/><target-project>/serviceAccount
this works perfectly
For the credentials being used I followed this one https://www.pulumi.com/docs/intro/cloud-providers/gcp/service-account/ So, running pulumi non-interactive and exported 
GOOGLE_CREDENTIALS
as stated there. Running it with the debug-flag and -v=100 says 
debug: Authenticating using configured Google JSON 'credentials'...
debug:   -- Scopes: [<https://www.googleapis.com/auth/compute> <https://www.googleapis.com/auth/cloud-platform> <https://www.googleapis.com/auth/cloud-identity> <https://www.googleapis.com/auth/ndev.clouddns.readwrite> <https://www.googleapis.com/auth/devstorage.full_control> <https://www.googleapis.com/auth/userinfo.email>]
debug: Instantiating Google Cloud IAM client for path <https://iam.googleapis.com/>
debug: Retry Transport: starting RoundTrip retry loop
debug: Retry Transport: request attempt 0
debug: Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 403 with body: HTTP/1.1 403 Forbidden
debug: Connection: close
debug: Transfer-Encoding: chunked
debug: Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
debug: Cache-Control: private
debug: Content-Type: application/json; charset=UTF-8
debug: Date: Tue, 29 Dec 2020 10:07:35 GMT
debug: Server: ESF
debug: Vary: Origin
debug: Vary: X-Origin
debug: Vary: Referer
debug: X-Content-Type-Options: nosniff
debug: X-Frame-Options: SAMEORIGIN
debug: X-Xss-Protection: 0
debug:
debug: 1c9
debug: {
debug:   "error": {
debug:     "code": 403,
debug:     "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>.",
debug:     "errors": [
debug:       {
debug:         "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>.",
debug:         "domain": "global",
debug:         "reason": "forbidden"
debug:       }
debug:     ],
debug:     "status": "PERMISSION_DENIED"
debug:   }
debug: }
debug:
debug: 0
debug:
debug: Retry Transport: Returning after 1 attempts
error: update failed
Not sure what else to do now. Can I debug that somehow? I was not able to find the code, that creates service accounts. I found that one https://github.com/pulumi/terraform-provider-google-beta/blob/8b4421722d6a09dc4cb97b446cff6b5fb4dd0438/google-beta/config.go#L376 derived from the 
Instantiating Google Cloud IAM client for path
log statement
One additional question. Logs say 
debug:         "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>
where I replaced 
<my-project>.
The original value of the name of the pulumi project, not the name of the GCP Project. Is that right?
I nailed it @creamy-engine-1851: Indeed, when creating the service account using 
account, err := serviceaccount.NewAccount(a.ctx, "new-account", &sa.AccountArgs{
  Project: pulumi.String(ctx.Project()),
  AccountId:   pulumi.String("new-account"),
  Description: pulumi.String("A new service account"),
  DisplayName: pulumi.String("A new service account"),
})
the statement 
Project: pulumi.String(ctx.Project())
points to the name of pulumi project, not the GCP project. Supposed variant of this is 
Project: pulumi.String(gcpConf.GetProject(a.ctx)),
c

creamy-engine-1851

12/30/2020, 9:49 AM
Funny how obvious the problem was now when you found it 😄 Went past me too
#google-cloudJoin Slack
Powered by