I have multiple projects in my GCP.
So, for Project A I have created a service account and I am using this service account for Project B using IAM roles and creating various infrastructures.
I am creating these resources using terraform scripts.
As terraform needs service account credentials, I have generated the same key ring JSON file from the Project A and provided it in the terraform variable.
The issue occurs when I am creating a Cloud Build Trigger in Project B using terraform: it says it doesn't have enough permissions to create the same, but I have provided all the necessary permissions to do so.
The weird thing I found is that the terraform error points to Project A instead of Project B, and that is why I am experiencing this error.
The service account key contains the project id as well as the service account name, which in my case is Project A, and that's what is creating the issue here.
So, is there any solution for the same, so that in some way I can replace the values in the JSON file with the values provided in the scripts?
I'm trying to create a GKE Cluster through Terraform. Facing an issue w.r.t service accounts. In our enterprise, service accounts to be used by Terraform are created in a project svc-accnts which resides in a folder named prod.
I'm trying to create the GKE cluster in a different folder, which is Dev, and the project name is apigw. Through Terraform, when I use a service account with the necessary permissions that resides in the project apigw, it works fine.
But when I try to use a service account with the same permissions where the service account resides in a different folder, I get this error:
Error: googleapi: Error 403: Kubernetes Engine API has not been used in project 8075178406 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project=8075178406 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
where 8075178406 is the project number of svc-accnts
Why does it try to enable the API in svc-accnts when the GKE cluster is created in apigw? Are service accounts not meant to be used across folders?
Thanks.
The error you provide is not about permissions of the service account. Maybe you did not change the project in the provider? Remember, you can have multiple providers of the same type (google) that point to different projects. Some code example would provide more information.
See:
https://medium.com/scalereal/how-to-use-multiple-aws-providers-in-a-terraform-project-672da074c3eb (this is for AWS, but same idea)
https://www.terraform.io/language/providers/configuration
Looks like this is a known issue and happens through gcloud cli as well.
https://issuetracker.google.com/180053712
The workaround is to enable the Kubernetes Engine API on the project(svc-accnts) and it works fine. I was hesitant to do that as I thought this might create the resources in the project.
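A provider configuration for the cross-project setup discussed in this thread, as an added example that is not part of the original posts. `user_project_override` and `billing_project` are documented arguments of the Google provider; the project ID `apigw` as written, the region, the cluster name and the variable name are assumptions.

```hcl
# Added example. The service account key belongs to an account whose home
# project is svc-accnts; the resources are created in apigw.
variable "credentials_file" {
  description = "Path to the JSON key of the service account (assumed name)"
  type        = string
  sensitive   = true
}

provider "google" {
  credentials = file(var.credentials_file)

  # Project that owns the resources (assumed project ID).
  project = "apigw"
  region  = "us-central1"

  # Without these two settings, some APIs run their "API enabled" and quota
  # checks against the project the credentials belong to (svc-accnts here),
  # which produces errors naming that project instead of the target.
  user_project_override = true
  billing_project       = "apigw"
}

resource "google_container_cluster" "primary" {
  # Set the project explicitly so a changed provider default cannot
  # silently move the cluster to another project.
  project            = "apigw"
  name               = "example-cluster" # assumed name
  location           = "us-central1"
  initial_node_count = 1
}
```

With `user_project_override` enabled, the service account needs the `serviceusage.services.use` permission on the billing project (for example through `roles/serviceusage.serviceUsageConsumer`), and `container.googleapis.com` must be enabled in `apigw` itself.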
I want to create infra in GCP using terraform whenever any new project is created in the ORG. I want to create only one Service Account and use that SA to create infra for any future projects as well. I want to automate it using a bitbucket pipeline.
I tried to resolve this by giving org admin access to the SA, but it's not working.
Is there any way to do this?
The Organization Administrator can do a lot of things, but they are related to administering the organization and not necessarily to managing resources like projects, VMs, etc.
For example, if you want the SA to be able to create projects you need the Project Creator role. Of course you want to add the necessary roles depending on what resources you want to manage.
In addition, I don't recommend using the "All Mighty" Owner to manage your resources; instead use just the necessary ones (Read Least privilege)
I'd suggest to first read the documentation and understand the purpose of every GCP role.
How to Authorised all projects in GCP with single GCP SA for terraform
That is not possible. Each time a new project is created IAM bindings must be added to the project for the service account. Service accounts do not inherit rights.
I am currently trying to use a service account that is already created in one project and use it again in a different project. We have a cloud function running in project B which needs to be invoked from a service account in project A. Is there a terraform resource we can use to define permissions cross-project? Thanks for your help.
Let me know if you have more questions
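The per-project IAM bindings and the cross-project function invocation discussed above, as an added example that is not part of the original posts. The resource types are real Google provider resources; the project IDs, role list, function name, region and variable names are assumptions.

```hcl
# Added example: one service account from project A, granted narrowly
# scoped roles in every project it manages.
variable "terraform_sa_email" {
  description = "E-mail of the service account created in project A (assumed)"
  type        = string
}

variable "managed_projects" {
  description = "Project IDs the account may manage; append new projects here"
  type        = list(string)
  default     = ["project-b"]
}

variable "roles" {
  description = "Only the roles the pipeline needs, not roles/owner"
  type        = list(string)
  default     = ["roles/container.admin", "roles/cloudbuild.builds.editor"]
}

locals {
  # One entry per (project, role) pair, keyed so that adding a project
  # does not disturb existing bindings.
  bindings = {
    for pair in setproduct(var.managed_projects, var.roles) :
    "${pair[0]}/${pair[1]}" => { project = pair[0], role = pair[1] }
  }
}

resource "google_project_iam_member" "terraform_sa" {
  for_each = local.bindings
  project  = each.value.project
  role     = each.value.role
  member   = "serviceAccount:${var.terraform_sa_email}"
}

# Resource-level grant: the account from project A may invoke a single
# (1st gen) function in project B and nothing else in that project.
resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = "project-b"
  region         = "us-central1"
  cloud_function = "example-function" # assumed name
  role           = "roles/cloudfunctions.invoker"
  member         = "serviceAccount:${var.terraform_sa_email}"
}
```

`google_project_iam_member` is additive, so it leaves other members of the same role untouched; the identity that applies this configuration must itself be allowed to set IAM policy on each listed project.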
I cannot understand the rationale behind prohibiting a user that has no organisation from creating new google cloud projects with terraform.
Indeed, if I use gcloud, I am able to create new projects and I can also do that using the web console.
As mentioned in the documentation:
The user or service account that is running Terraform when creating a google_project resource must have roles/resourcemanager.projectCreator on the specified organization.
The problem with roles/resourcemanager.projectCreator is that it's an organization role, not a project role. Therefore without an organization one cannot get this role.
The ability to do it using the console but not through the official Terraform way is strange indeed.
But it seems that there's a workaround that will just require you to provide a billing account and will enable you to create a new project: using the project module of Google's official cloud-foundation-fabric.
Basic example:
module "project" {
  source          = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/project?ref=v19.0.0"
  billing_account = "your-billing-account"
  name            = "your-project-name"
  services = [
    "container.googleapis.com",
  ]
}
It might take some time (took me about 3.5 minutes), but did the job without creating organization.
I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of Tensorflow and stuff. Even when I can fully access training, deploying and testing models inside a project, I can't make any new projects since I am authenticated with a service account through:
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
But as far as I understand, service accounts are project-bound, so it's perfectly correct that creating a new project with it raises an error. In fact it does:
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
Fails with:
Service accounts cannot create project without a parent.
So either creating/finding a "parent" for this project or log in a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs)
Update:
I've tried creating a project using the "parent" flag on the project's body, on the Organization made from the corp I work at, and even when this service account has "Owner" and "Organization Administrator" roles the create request fails with:
Encountered 403 Forbidden with reason "forbidden"
User is not authorized.
So the problem persists.
You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.
The problem is that your project is not part of an Organization (you have no parent). Your solution is to either set up Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to set up billing in order to do anything useful.
There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.
There are other types of access to cloud services such as API Keys, but these do not apply to your issue.
Quickstart Using Organizations