astonishing-lifeguard-39886
12/26/2020, 12:32 PM

```
// Create a new GCP service account; the Project field selects the GCP project it is created in.
account, err := serviceaccount.NewAccount(a.ctx, "new-account", &serviceaccount.AccountArgs{
	Project:     pulumi.String(ctx.Project()),
	AccountId:   pulumi.String("new-account"),
	Description: pulumi.String("A new service account"),
	DisplayName: pulumi.String("A new service account"),
})
```
Doing this, Pulumi tells me

```
Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project ...
```
For the service account I’m using to create another service account I granted the roles
- “Create Service Accounts”
- “Owner”
- “Project IAM Admin”

What’s wrong with that?
Using the GCP REST API (https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest) works with that.
go.mod is

```
go 1.15

require (
	github.com/pulumi/pulumi-gcp/sdk/v4 v4.6.0
	github.com/pulumi/pulumi/sdk/v2 v2.16.1
)
```

Thank you in advance.

creamy-engine-1851
12/28/2020, 9:35 AM

`iam.serviceAccounts.create` permission. I would look at:
1. Am I actually using that service account when I run `pulumi up` (run `gcloud config configurations list`)
2. Am I targeting the correct GCP project in which this service account exists? If you have multiple, it might be a mix-up between projects.
3. Have I done the gcloud auth routine with the chosen account described here: https://www.pulumi.com/docs/intro/cloud-providers/gcp/setup/#google-cloud-platform-gcp-setup OR set up the GOOGLE_CREDENTIALS environment variable for the service account

astonishing-lifeguard-39886
12/29/2020, 10:15 AM

`gcloud config configurations list` shows the service account. When I’m creating the account using the REST API

```
curl -X POST \
  -H "Authorization: Bearer "$(gcloud auth print-access-token) \
  -H "Content-Type: application/json; charset=utf-8" \
  -d '{ "accountId": "test-sa-name", "serviceAccount": { "description": "sa-description", "displayName": "sa-display-name" } }' \
  https://iam.googleapis.com/v1/projects/<target-project>/serviceAccounts
```

this works perfectly.

`GOOGLE_CREDENTIALS` as stated there.
Running it with the debug flag and `-v=100` says

```
debug: Authenticating using configured Google JSON 'credentials'...
debug: -- Scopes: [https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/cloud-identity https://www.googleapis.com/auth/ndev.clouddns.readwrite https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/userinfo.email]
debug: Instantiating Google Cloud IAM client for path https://iam.googleapis.com/
debug: Retry Transport: starting RoundTrip retry loop
debug: Retry Transport: request attempt 0
debug: Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 403 with body: HTTP/1.1 403 Forbidden
debug: Connection: close
debug: Transfer-Encoding: chunked
debug: Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
debug: Cache-Control: private
debug: Content-Type: application/json; charset=UTF-8
debug: Date: Tue, 29 Dec 2020 10:07:35 GMT
debug: Server: ESF
debug: Vary: Origin
debug: Vary: X-Origin
debug: Vary: Referer
debug: X-Content-Type-Options: nosniff
debug: X-Frame-Options: SAMEORIGIN
debug: X-Xss-Protection: 0
debug:
debug: 1c9
debug: {
debug:   "error": {
debug:     "code": 403,
debug:     "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>.",
debug:     "errors": [
debug:       {
debug:         "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>.",
debug:         "domain": "global",
debug:         "reason": "forbidden"
debug:       }
debug:     ],
debug:     "status": "PERMISSION_DENIED"
debug:   }
debug: }
debug:
debug: 0
debug:
debug: Retry Transport: Returning after 1 attempts
error: update failed
```
Not sure what else to do now.
Can I debug that somehow? I was not able to find the code that creates service accounts. I found that one https://github.com/pulumi/terraform-provider-google-beta/blob/8b4421722d6a09dc4cb97b446cff6b5fb4dd0438/google-beta/config.go#L376 derived from the

```
Instantiating Google Cloud IAM client for path
```

log statement.

```
debug: "message": "Permission iam.serviceAccounts.create is required to perform this operation on project projects/<my-project>
```

where I replaced `<my-project>`.
The original value is the name of the Pulumi project, not the name of the GCP project. Is that right?

```
account, err := serviceaccount.NewAccount(a.ctx, "new-account", &serviceaccount.AccountArgs{
	Project:     pulumi.String(ctx.Project()),
	AccountId:   pulumi.String("new-account"),
	Description: pulumi.String("A new service account"),
	DisplayName: pulumi.String("A new service account"),
})
```

The statement

```
Project: pulumi.String(ctx.Project())
```

points to the name of the Pulumi project, not the GCP project. The supposed variant of this is

```
Project: pulumi.String(gcpConf.GetProject(a.ctx)),
```
creamy-engine-1851
12/30/2020, 9:49 AM