# google-cloud
b
Running into a weird permission issue, I am authenticated with an account that has the Owner permission for the project. I know I can manually create this resource from GCP's console. When I try to run this from pulumi I get a 403. I know for a fact the service account listed exists too. This is the first time I have seen this error actually
```
* Error creating Job: googleapi: Error 403: The principal (user or service account) lacks IAM permission "iam.serviceAccounts.actAs" for the resource "yyyy@xxxx.iam.gserviceaccount.com" (or the resource may not exist).
```
In the service account, the account I am logged in with is given access due to the "Owner" role as well
s
I ran into a similar issue, you can see some of it here from 11/9. What I found is that the project the service account (SA) is from receives the resource calls. I had to go and add some basic permissions as well as enable a host of APIs in the SA's project for it to manipulate resources in the target project. I suspect this isn't a Pulumi-ism, but from the GCP Go API itself... or even further back-end.
b
So to clarify/understand a bit better, there are 3 things here: the service account used by the scheduler (within the same project, same as the one for the Cloud Run instance called), and the principal who is running the changes (a user account, with Owner permission). Did you use a SA from a different project? I know I've used my exact setup to set up a scheduler before as well, hence the confusion.
g
I am facing a similar issue but with `gcloud`. I have triple checked I have the necessary permissions it is saying I should have, but no
I wonder if there is a bug in GCP IAM right now. My kubernetes instance is also not able to do things due to IAM issues, stuff it definitely should be able to do
Basically, my k8s was able to create an ingress which in turn created a cloud LB. Now it is not able to modify or delete it
And myself I am not able to execute things from command line
Well, this explains at least the original problem I have... But this doesn't make any sense, how could this actually be? I mean, that is the control plane service account that GCP creates automatically for GKE. It definitely should have the Kubernetes Engine Service Agent role
This states the service agent should have that role
Something fishy is going on in GCP IAM right now
I've been fighting with these issues the whole day and it looks like, for some reason, IAM settings do not get applied if done over GCP APIs
This must be the core reason why a newly created GKE cluster also gets into a wonky situation
Google must be aware of this already
b
It's been happening for a few days now, it's strange
g
More than strange, this is a pretty major issue
I wonder where I could report this
b
Yeah, this has been causing some headache, but I haven't tried the `gcloud` command itself yet
g
have you found a solution to this @blue-leather-96987?
I just noticed another place where I have executed pulumi without issues, but application execution is breaking due to missing IAM permissions which pulumi should have applied. And which I have applied (with this exact code) without issues earlier to a lower environment
This is breaking my confidence in pulumi+gcp combination which is not good
This is a rather complex set of IAM permissions which are now missing
b
Nothing yet, I've been knee deep in other problems but desperately need to get back to this
g
I'm creating a minimal repro case and submitting an issue
b
I wonder if the two issues are related. The one you are having now is applying IAM bindings, but the previous issue was executing given certain IAM bindings
g
Right. My issue has been IAM bindings all the time. But it took some time to pin down
Those just do not get applied at all
b
Yeah, that is a big issue, maybe the underlying cause is the same, but I won't hold out hope for that since they seem quite different. IAM has been plaguing me all over recently though
g
This makes Pulumi practically unusable
All of a sudden