Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
b
blue-leather-96987
11/16/2022, 4:41 AMRunning into a weird permission issue, I am authenticated with an account that has the Owner permission for the project. I know I can manually create this resource from GCP's console. When I try to run this from pulumi I get a 403. I know for a fact the service account listed exists too. This is the first time I have seen this error actually
* Error creating Job: googleapi: Error 403: The principal (user or service account) lacks IAM permission "iam.serviceAccounts.actAs" for the resource "<mailto:yyyy@xxxx.iam.gserviceaccount.com|yyyy@xxxx.iam.gserviceaccount.com>" (or the resource may not exist).In the service account the account I am logged in is given access due to the "Owner" role as well
s
straight-arm-50771
11/16/2022, 1:55 PMI ran into a similar issue, you can see some of it here from 11/9. What I found is that the project the service account (SA) is from receives the resource calls. I had to go an add some basic permissions as well as enable a host of apis in the SA's project for it to manipulate resources in the target project. I suspect this isn't a Pulumi-ism, but from the GCP-Go API itself...or even further back-end.
b
blue-leather-96987
11/17/2022, 4:14 AMSo to clarify/understand a bit better, there's 3 things here:
Service account used by the scheduler (within the same project, same as the one for the Cloud Run instance called)
Principal who is running the changes (a user account, with Owner permission)
did you use a SA from a different project? I know I've used my exact set up to set up a scheduler before as well, hence the confusion.
g
gorgeous-country-43026
11/17/2022, 8:19 AMI am facing a similar issue but with
gcloudI wonder if there is a bug in GCP IAM right now. My kubernetes instance is also not able to do things due to IAM issues, stuff it definitely should be able to do
Basically, my k8s was able to create an ingress which in turn created a cloud LB. Now it is not able to modify or delete it
And myself I am not able to execute things from command line
Well, this explains at least the original problem I have... But this doesn't make any sense how this could actually be? I mean, that is the control plane service account that GCP creates automatically for GKE. It definitely should have Kubernetes Engine Service Agent role
This states the service agent should have that role
Something fishy is going on in GCP IAM right now
I've been fighting with these issues the whole day and it looks like that for some reason IAM settings do not get applied if done over gcp APIs
This must be the core reason why also newly created GKS gets into a wonky situation
Google must be aware of this already
b
blue-leather-96987
11/17/2022, 1:59 PMIt's been happening for a few days now, it's strange
g
gorgeous-country-43026
11/17/2022, 3:13 PMMore than strange, this is a pretty major issue
I wonder where I could report this
b
blue-leather-96987
11/17/2022, 4:34 PMYeah this has been causing some headache, but I haven't tried the
gcloudg
gorgeous-country-43026
11/21/2022, 1:25 PMhave you found a solution to this @blue-leather-96987?
I just noticed another place where I have executed pulumi without issues but application execution is breaking due to missing IAM permissions which pulumi should have applied. And which I have applied (with this exact code) without issues earlier to lower environment
This is breaking my confidence in pulumi+gcp combination which is not good
This is a rather complex set of IAM permissions which are now missing
b
blue-leather-96987
11/21/2022, 3:25 PMNothing yet, I've been knee deep in otheer problems but desperately need to get back into this
g
gorgeous-country-43026
11/21/2022, 3:25 PMOpened a wider discussion, please see https://pulumi-community.slack.com/archives/C84L4E3N1/p1669040007149249
I'm creating a minimal repro case and submitting an issue
b
blue-leather-96987
11/21/2022, 3:27 PMI wonder if the two issues are related. The one you are having now is applying IAM bindings, but the previous issue was executing given certain IAM bindings
g
gorgeous-country-43026
11/21/2022, 3:28 PMRight. My issue has been IAM bindings all the time. But it took some time to pin down
Those just do not get applied at all
b
blue-leather-96987
11/21/2022, 3:29 PMYeah, that is a big issue, maybe the underlying cause is the saame, but I won't hold out hope for that since they seem quite different. IAM has been plaguing me all over recently though
g
gorgeous-country-43026
11/21/2022, 3:31 PMThis makes Pulumi practically unusable
All the sudden