How to assign a role/permissions to a service account in GCP - google-cloud-platform

I am running a terraform script to automate the folder creation in GCP under Organization. I am using a service account to execute the terraform script. While running terraform apply, I get the following error message:
Error: Error creating folder 'prod' in 'organizations/xxxxxxxxxx': googleapi: Error 403: Request had insufficient authentication scopes.
Details:
[
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.resourcemanager.v3.Folders.CreateFolder",
"service": "cloudresourcemanager.googleapis.com"
},
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
}
]
More details:
Reason: insufficientPermissions, Message: Insufficient Permission
on main.tf line 10, in resource "google_folder" "prod":
10: resource "google_folder" "prod" {
enter image description here
I am seeking assistance to know how could I apply CreateFolder permission to my service account in GCP. Screenshot of the error message is also attached as a link in this post.
Thank You.

Related

"eksctl create cluster" command is not working

When executing this command,I get this error:
C:\WINDOWS\system32>eksctl create cluster --name eksctl-demo --profile myAdmin2
Error: checking AWS STS access – cannot get role ARN for current session: operation error STS: GetCallerIdentity, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: i/o timeout
myAdmin2 IAM users credientials are set up as follows:
Credentials file:
[myAdmin2]
aws_access_key_id = ******************
aws_secret_access_key = ********************
config file:
[profile myAdmin2]
region = us-east-2
output = json
myAdmin2 has access to the console:
C:\WINDOWS\system32>aws iam list-users --profile myAdmin2
{
"Users": [
{
"Path": "/",
"UserName": "myAdmin",
"UserId": "AIDAYYPFV776ELVEJ5ZVQ",
"Arn": "arn:aws:iam::602313981948:user/myAdmin",
"CreateDate": "2022-09-30T19:08:08+00:00"
},
{
"Path": "/",
"UserName": "myAdmin2",
"UserId": "AIDAYYPFV776LEDK2PCCI",
"Arn": "arn:aws:iam::602313981948:user/myAdmin2",
"CreateDate": "2022-09-30T21:39:33+00:00"
}
]
}
I had problems working with myAdmin that's why I created a new IAM user called myAdmin2.
myAdmin2 is granted AdministratorAccess permission:
As shown in this image
aws cli version installed:
C:\WINDOWS\system32>aws --version
aws-cli/2.7.35 Python/3.9.11 Windows/10 exe/AMD64 prompt/off
My Env variables:
C:\WINDOWS\system32>set
AWS_ACCESS_KEY_ID= ***********the same as I have in credentials file
AWS_CONFIG_FILE=~/.aws/config
AWS_DEFAULT_PROFILE=myAdmin2
AWS_DEFAULT_REGION=us-east-2
AWS_PROFILE=myAdmin2
AWS_SECRET_ACCESS_KEY=****************the same as I have in credentials file
AWS_SHARED_CREDENTIALS_FILE=~/.aws/credentials
I think those are all the necessary things I have to mention. If someone can help, please. I can't move on with this error!!
It worked finally! everything was well configured, I just had to reboot my laptop and it resolved the issue!

Unathorized operation terraform(aws) in gitlab runner

I'm using aws sts assume-role-with-web-identity to run terraform from gitlab. I'm getting an error I can't find the missing IAM action for:
╷
│ Error: Error fetching Availability Zones: UnauthorizedOperation: You are not authorized to perform this operation.
│ status code: 403, request id: 43a2032d-1bdd-4957-add9-070d3c270343
│
│ with module.vpc.data.aws_availability_zones.available,
│ on modules/terraform-aws-vpc/private.tf line 1, in data "aws_availability_zones" "available":
│ 1: data "aws_availability_zones" "available" {
data source:
data "aws_availability_zones" "available" {
state = "available"
}
I've tried multiple variations of ec2 actions, even: "ec2:*" but the issue remains.
Solutions found online usually recommend admin privileges, but I'm hoping for a better solution
Iam policy:
statement {
actions = [
"ec2:CreateVpc",
"ec2:CreateSubnet",
"ec2:DescribeAvailabilityZones",
"ec2:CreateRouteTable",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:AssociateRouteTable",
"ec2:ModifyVpcAttribute",
"ec2:DescribeAvailabilityZones"
]
effect = "Allow"
resources = [
"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*",
"arn:aws:ec2::${data.aws_caller_identity.current.account_id}:ipam-pool/*",
"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:ipv6pool-ec2/*",
"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:subnet/*",
"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:vpc/*"
]
}
replacing resources with: "*" so this is causing the issue

Getting the following error when tried to deploy node js app on Google Cloud

This is my first time using Google Cloud and I tried to send it. As per the tutorial on YouTube, I have a app.yaml file which looks like this:
runtime: nodejs
env: flex
When I ran gcloud app deeply, it failed. In the terminal, there was an error, and it told me to go to this page for the full details, and here is what the page gave me:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
PS: I am not trying to do any google authentication on my website.
Here is what I got in my terminal, it is a bit messy:
Updating service [default] (this may take several minutes)...failed.
ERROR: (gcloud.app.deploy) Error Response: [13] Flex operation projects/turing-problems/regions/us-east1/operations/0cfe7722-014c-4834-b184-00b9e4961379 error [INTERNAL]: An internal error occurred while processing task /appengine-flex-v1/insert_flex_deployment/flex_create_resources>2020-07-24T16:34:33.630Z4931.jc.12: Deployment Manager operation turing-problems/operation-1595608474469-5ab328c52462a-0c83d4d8-c6c54fdd errors: [code: "RESOURCE_ERROR"
location: "/deployments/aef-default-20200724t123246/resources/aef-default-20200724t123246"
message: "{\"ResourceType\":\"compute.beta.regionAutoscaler\",\"ResourceErrorCode\":\"403\",\"ResourceErrorMessage\":{\"code\":403,\"message\":\"The caller does not have permission\",\"status\":\"PERMISSION_DENIED\",\"statusMessage\":\"Forbidden\",\"requestPath\":\"https://compute.googleapis.com/compute/beta/projects/turing-problems/regions/us-east1/autoscalers\",\"httpMethod\":\"POST\"}}"
]

Why can't Terraform list SQL users in GCP account?

Following examples laid out here - https://medium.com/#mudrii/google-gke-and-sql-with-terraform-294fb840619d
I have a basic Terraform file that creates a DB and a user:
resource "random_id" "id" {
byte_length = 4
prefix = "${local.resource_prefix}-"
}
resource "google_sql_database_instance" "postgres" {
name = random_id.id.hex
region = local.gcp_region
database_version = "POSTGRES_11"
settings {
availability_type = "ZONAL"
tier = "db-f1-micro"
disk_type = "PD_SSD"
disk_size = 10
disk_autoresize = true
ip_configuration {
authorized_networks {
value = "0.0.0.0/0"
}
require_ssl = false
ipv4_enabled = true
}
location_preference {
zone = local.subnet_public_1_az
}
backup_configuration {
# binary_log_enabled = true
enabled = true
start_time = "00:00"
}
}
}
resource "google_sql_user" "user" {
depends_on = [
google_sql_database_instance.postgres
]
instance = google_sql_database_instance.postgres.name
name = "*********"
password = "*********"
}
That seems to create the database with no problem, but when it goes to create a user for that DB it fails with a 403:
google_sql_database_instance.postgres: Still creating... [4m0s elapsed]
Error: Error, attempting to list users associated with instance foo-aac6b6f7: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
on postgres.tf line 6, in resource "google_sql_database_instance" "postgres":
6: resource "google_sql_database_instance" "postgres" {
Turning on verbose logging, the underlying error would appear to be the following:
GET /sql/v1beta4/projects/(project-id)/instances/foo-aac6b6f7/users?alt=json&prettyPrint=false HTTP/1.1
{
"error": {
"code": 403,
"message": "The client is not authorized to make this request.",
"errors": [
{
"message": "The client is not authorized to make this request.",
"domain": "global",
"reason": "notAuthorized"
}
]
}
}
I can't for the life of me figure out why I would get a permission denied here, or how to get it that permission. I tried the request from the command line using the same credential file and it seemed to work fine:
gcloud sql users list --instance foo-aac6b6f7 --credential-file-override ~/gcp.json
NAME HOST
*********
What's the special sauce? Is the service account I'm using with Terraform not allowed to make the request? Then why would it work from the command line? Is it just trying to add the users too soon after the DB is created? If so how should this work?
EDIT I removed everything other than the google_sql_database_instance, created a new service account and made sure it had project owner role.
I then followed the log with trace debugging on. It begins by successfully requesting a DB creation, and then begins to poll the request waiting for it to finish:
2020/06/11 18:28:50 [DEBUG] Waiting for state to become: [success]
...
GET /sql/v1beta4/projects/(project-id)/operations/(request-id)?alt=json&prettyPrint=false HTTP/1.1
...
HTTP/1.1 200 OK
...
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/(project-name)/instances/(db-name)",
"status": "RUNNING",
"user": "(service-account)#(project-name).iam.gserviceaccount.com",
"insertTime": "2020-06-11T22:26:46.845Z",
"startTime": "2020-06-11T22:26:47.141Z",
"operationType": "CREATE",
"name": "(request-id)",
"targetId": "(db-name)",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/(project-name)/operations/(request-id)",
"targetProject": "(project-name)"
}
It does that for a while until it gets a DONE state:
2020/06/11 18:30:43 [DEBUG] Got DONE while polling for operation (request-id)'s status
It then proceeds to look up the database, but that operation fails:
GET /sql/v1beta4/projects/(project-id)/instances/(db-name)?alt=json&prettyPrint=false HTTP/1.1
...
HTTP/1.1 404 Not Found
...
{
"error": {
"code": 404,
"message": "The Cloud SQL instance does not exist.",
"errors": [
{
"message": "The Cloud SQL instance does not exist.",
"domain": "global",
"reason": "instanceDoesNotExist"
}
]
}
}
So that's really the root error. It doesn't seem to actually fail on that request though, eventually reporting:
2020/06/11 18:30:44 [WARN] Removing SQL Database Instance "(db-name)" because it's gone
But it doesn't actually remove the DB (it's still there in the console), and Terraform keeps going, requesting users from the DB now:
GET /sql/v1beta4/projects/(project-id)/instances/(db-name)/users?alt=json&prettyPrint=false HTTP/1.1
...
{
"error": {
"code": 403,
"message": "The client is not authorized to make this request.",
"errors": [
{
"message": "The client is not authorized to make this request.",
"domain": "global",
"reason": "notAuthorized"
}
]
}
}
THIS is the error that's actually reported, but a whole mess happened before that actual error. So... Anyone know what's going on here? Why does the DB creation succeed, and then the lookup immediately fail? And why does Terraform keep going?

GCP endpoints: The caller does not have permission after requesting API key in query

Trying to use Google Cloud platform with a GKE deployed backend.
I have a swagger file for the endpoints that works fine when not using security.
I added the api key definition in the swagger file:
paths:
/create:
post:
...
security:
- api_key: []
securityDefinitions:
api_key:
type: "apiKey"
name: "key"
in: "query"
and now if I try to post on I get the expected
{
"code": 16,
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
"details": [
{
"#type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "service_control"
}
]
}
Good, now I created an API key in the credential sections of GCP
I update the post request to include ?key=API_KEY and get the following error:
{
"code": 13,
"message": "\b#The caller does not have permission",
"details": [
{
"#type": "type.googleapis.com/google.rpc.DebugInfo",
"stackEntries": [],
"detail": "service_control"
}
]
}
I can't find any info about this error, does it mean that my API key has no right for this endpoint? If so how can I fix this?
Confirm that you have the required services enabled
gcloud services enable servicemanagement.googleapis.com
gcloud services enable servicecontrol.googleapis.com
gcloud services enable endpoints.googleapis.com
Also enable your Endpoint service gcloud services enable ENDPOINTS_SERVICE_NAME