Hi all I m creating a service account where I need certain p Pulumi Community #google-cloud

Hi all, I'm creating a service account where I ne...

lemon-wire-69305

02/17/2022, 2:29 AM

Hi all, I'm creating a service account where I need certain permissions set to allow my compute engine instance to be able to write to a storage bucket. In order to do that, I figured I'd need to create a custom role and assign that to the service account. So far I've got:

Copy code

const org = gcp.organizations.getOrganization({
  domain: "my-org-name",
});

const myRole = new gcp.organizations.IAMCustomRole("role-xyz", {
  description: "xyz",
  orgId: org.then(o => o.orgId),
  permissions: [
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
    "storage.objects.update",
  ],
  roleId: "my-role-id",
  title: "My New Role",
});

When I

pulumi up

I get the following error:

Copy code

* Unable to verify whether custom org role organizations/<my-org-id>/roles/my-role-id already exists and must be undeleted: Error when reading or editing Custom Organization Role "organizations/<my-org-id>/roles/my-role-id": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequest

Any idea what's happening? The error message contains the correct org id, and I've checked in GCP Console and no role has been created. Thanks for your help!

lemon-wire-69305

02/17/2022, 5:50 AM

I just saw on the terraform site that roleId cannot contain dash characters

... I changed my roleId to be camel case and now getting a new error:

Copy code

Error 403: You don't have permission to get the role at organizations/<my-org-id>/roles/<myRoleName>

lemon-wire-69305

02/17/2022, 6:55 AM

I fixed the permissions issue by making myself the owner of my organisation. Not sure what the role would include the relevant IAM permissions, but it's just me working on it, so no concerns there.

lemon-wire-69305

02/23/2022, 11:20 PM

An update on Service Account permissions for anyone watching. My understanding of roles, permissions and access to resources wasn't quite right. Instead of adding a role to the service account, I ended up granting access via resource policies to allow the service account access to the things it needs. Code looks like this:

Copy code

const policyTopic = new gcp.pubsub.TopicIAMMember("policy-topic-abc", {
  member: emailOfServiceAcct,
  topic: myTopic.name,
  role: "roles/pubsub.publisher",
});

const policyBucket = new gcp.storage.BucketIAMMember("policy-bucket-abc", {
  member: emailOfServiceAcct,
  bucket: myBucket.name,
  role: "roles/storage.admin",
});

7 Views

Open in Slack

Previous Next