Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
l
lemon-wire-69305
02/17/2022, 2:29 AMHi all,
I'm creating a service account where I need certain permissions set to allow my compute engine instance to be able to write to a storage bucket.
In order to do that, I figured I'd need to create a custom role and assign that to the service account.
So far I've got:
const org = gcp.organizations.getOrganization({
domain: "my-org-name",
});
const myRole = new gcp.organizations.IAMCustomRole("role-xyz", {
description: "xyz",
orgId: org.then(o => o.orgId),
permissions: [
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.list",
"storage.objects.update",
],
roleId: "my-role-id",
title: "My New Role",
});pulumi up* Unable to verify whether custom org role organizations/<my-org-id>/roles/my-role-id already exists and must be undeleted: Error when reading or editing Custom Organization Role "organizations/<my-org-id>/roles/my-role-id": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequestI just saw on the terraform site that roleId cannot contain dash characters
-Error 403: You don't have permission to get the role at organizations/<my-org-id>/roles/<myRoleName>I fixed the permissions issue by making myself the owner of my organisation. Not sure what the role would include the relevant IAM permissions, but it's just me working on it, so no concerns there.
An update on Service Account permissions for anyone watching.
My understanding of roles, permissions and access to resources wasn't quite right.
Instead of adding a role to the service account, I ended up granting access via resource policies to allow the service account access to the things it needs.
Code looks like this:
const policyTopic = new gcp.pubsub.TopicIAMMember("policy-topic-abc", {
member: emailOfServiceAcct,
topic: myTopic.name,
role: "roles/pubsub.publisher",
});
const policyBucket = new gcp.storage.BucketIAMMember("policy-bucket-abc", {
member: emailOfServiceAcct,
bucket: myBucket.name,
role: "roles/storage.admin",
});