This message was deleted.
# google-clouds
sparse-intern-71089
12/26/2020, 12:32 PMThis message was deleted.
c
creamy-engine-1851
12/28/2020, 9:35 AMJust by having the owner role it should work, also Create Service Account role has the
iam.serviceAccounts.createpulumi upgcloud config configurations lista
astonishing-lifeguard-39886
12/29/2020, 10:15 AMThanks for your reply @creamy-engine-1851
I’m very sure authentications are setup correctly.
gcloud config configurations list Copy code
curl -X POST \ ─╯
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d '{ "accountId": "test-sa-name", "serviceAccount": { "description": "sa-description", "displayName": "sa-display-name" } }' \
<https://iam.googleapis.com/v1/projects/><target-project>/serviceAccountastonishing-lifeguard-39886
12/29/2020, 10:21 AMFor the credentials being used I followed this one https://www.pulumi.com/docs/intro/cloud-providers/gcp/service-account/
So, running pulumi non-interactive and exported
Copy code
GOOGLE_CREDENTIALS Copy code
debug: Authenticating using configured Google JSON 'credentials'...
debug: -- Scopes: [<https://www.googleapis.com/auth/compute> <https://www.googleapis.com/auth/cloud-platform> <https://www.googleapis.com/auth/cloud-identity> <https://www.googleapis.com/auth/ndev.clouddns.readwrite> <https://www.googleapis.com/auth/devstorage.full_control> <https://www.googleapis.com/auth/userinfo.email>]
debug: Instantiating Google Cloud IAM client for path <https://iam.googleapis.com/>
debug: Retry Transport: starting RoundTrip retry loop
debug: Retry Transport: request attempt 0
debug: Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 403 with body: HTTP/1.1 403 Forbidden
debug: Connection: close
debug: Transfer-Encoding: chunked
debug: Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
debug: Cache-Control: private
debug: Content-Type: application/json; charset=UTF-8
debug: Date: Tue, 29 Dec 2020 10:07:35 GMT
debug: Server: ESF
debug: Vary: Origin
debug: Vary: X-Origin
debug: Vary: Referer
debug: X-Content-Type-Options: nosniff
debug: X-Frame-Options: SAMEORIGIN
debug: X-Xss-Protection: 0
debug:
debug: 1c9
debug: {
debug: "error": {
debug: "code": 403,
debug: "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>.",
debug: "errors": [
debug: {
debug: "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>.",
debug: "domain": "global",
debug: "reason": "forbidden"
debug: }
debug: ],
debug: "status": "PERMISSION_DENIED"
debug: }
debug: }
debug:
debug: 0
debug:
debug: Retry Transport: Returning after 1 attempts
error: update failedInstantiating Google Cloud IAM client for pathastonishing-lifeguard-39886
12/29/2020, 10:23 AMOne additional question. Logs say
Copy code
debug: "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project><my-project>.astonishing-lifeguard-39886
12/30/2020, 8:49 AMI nailed it @creamy-engine-1851: Indeed, when creating the service account using
Copy code
account, err := serviceaccount.NewAccount(a.ctx, "new-account", &sa.AccountArgs{
Project: pulumi.String(ctx.Project()),
AccountId: pulumi.String("new-account"),
Description: pulumi.String("A new service account"),
DisplayName: pulumi.String("A new service account"),
}) Copy code
Project: pulumi.String(ctx.Project())Project: pulumi.String(gcpConf.GetProject(a.ctx)),c
creamy-engine-1851
12/30/2020, 9:49 AMFunny how obvious the problem was now when you found it 😄 Went past me too
3 Views