service account has all permission to create an vm instance (Service Account User, Project Owner, Project Editor). When I run terraform, this occurs:
│ Error: Error waiting for instance to create: The user does not have access to service account 'mymail#gmail.com'. User: 'terraform#direct-keel-275713.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
│
│
│ with module.vm.google_compute_instance.icinga,
│ on modules/vm/main.tf line 23, in resource "google_compute_instance" "icinga":
│ 23: resource "google_compute_instance" "icinga" {
There is something wrong with how you have Terraform setup.
The error message includes the text The user does not have access to service account 'mymail#gmail.com'.
The identity mymail#gmail.com is not a service account.
Once you have the credentials set up correctly, the identity that Terraform is using for authorization must have the role roles/iam.serviceAccountUser or similar. The role you select must have the permission iam.serviceAccounts.actAs.
Service Accounts Roles
Note: roles such as roles/compute.admin do not have the permission iam.serviceAccounts.actAs.
Terraform by default will look for the environment variable GOOGLE_APPLICATION_CREDENTIALS. That variable should point to the full path of a service account JSON key file.
Next, Terraform will look for the CLI/SDK credentials created by gcloud auth application-default login.
I prefer to specify the service account in the Terraform HCL (usually in a variables file).
provider "google" {
project = "PROJECT_ID"
credentials = "/path/to/service-account.json"
}
Related
I am trying to create a new service account with terraform code. This code works well when I run it on behalf of my user credentials (the project Owner). But I see an error when I run the code on behalf of terraform service account
module "service_accounts" {
source = "terraform-google-modules/service-accounts/google"
version = "~> 4.1"
project_id = var.project
prefix = var.env
names = ["dataproc-sa"]
project_roles = [
"${var.project}=>roles/cloudkms.cryptoKeyEncrypterDecrypter",
"${var.project}=>roles/storage.objectViewer",
"${var.project}=>roles/dataproc.worker",
]
}
The terraform-google-modules/service-accounts/google module documentation says
Service account or user credentials with the following roles must be used to provision the resources of this module:
* Service Account Admin: roles/iam.serviceAccountAdmin
* (optional) Service Account Key Admin: roles/iam.serviceAccountKeyAdmin when generate_keys is set to true
* (optional) roles needed to grant optional IAM roles at the project or organizational level
I've bound roles/iam.serviceAccountAdmin to the gitlab-terraform#xxxxxx.iam.gserviceaccount.com service account, despite this I see the next error
Error: Error creating service account: googleapi: Error 403:
Identity and Access Management (IAM) API has not been used in project xxxxxxxxx
before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=xxxxxxxxx
then retry. If you enabled this API recently, wait a few minutes for
the action to propagate to our systems and retry.
It looks like the terraform service account doesn't have the appropriate permissions to create a new service account
What should I do to allow the service account create another one? What kind of permissions are missed? The code works well if I run it with the project Owner role (but I don't want to do this)
EDIT: Forgot to mention that I tried to bind roles/iam.admin to the terraform service account but it gave me the next error
ERROR: Policy modification failed. For a binding with condition,
run "gcloud alpha iam policies lint-condition" to identify
issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding)
INVALID_ARGUMENT: Role roles/iam.admin is not supported for this resource.
The problem is the IAM service is not enabled. To enable that service you need the IAM role Service Usage Admin aka roles/serviceusage.serviceUsageAdmin. The Owner and Editor roles also have the permission serviceusage.services.enable.
You can enable the service using the CLI:
gcloud services enable iam.googleapis.com
Or add this to your Terraform HCL to enable the IAM service.
resource "google_project_service" "iam_service" {
project = var.project
service = "iam.googleapis.com"
}
You should also add a depends_on to resources that depend on the service being enabled:
depends_on = [
google_project_service.iam_service
]
I am trying to set-up a terraform remote backend using GCP Cloud Storage. I first created a service account from the CLI:
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --display-name $SERVICE_ACCOUNT_NAME
And then added roles to it. From what I read in the Cloud Storage (GCS) docs, the roles/storage.objectAdmin role should give full rights over GCS objects:
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME#$PROJECT_ID.iam.gserviceaccount.com --role roles/storage.objectAdmin
I have the following main.tf file:
terraform {
required_version = "1.2.2"
required_providers {
google = {
source = "hashicorp/google"
version = "4.13.0"
}
}
backend "gcs" {
}
}
provider "google" {
project = "project-sandbox"
region = "europe-west1"
impersonate_service_account = "my-test-svc#project-sandbox.iam.gserviceaccount.com"
}
And here is my remote.backend file:
bucket = "my_example_sandbox_bucket_985gd5d"
prefix = "terraform/state"
impersonate_service_account = "my-test-svc#project-sandbox.iam.gserviceaccount.com"
However, when I run terraform init -backend-config=remote.backend, I get the following error:
Initializing the backend...
╷
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/my_example_sandbox_bucket_985gd5d/o?alt=json&delimiter=%2F&pageToken=&prefix=terraform%2Fstate%2F&prettyPrint=false&projection=full&versions=false": impersonate: status code 403: {
│ "error": {
│ "code": 403,
│ "message": "The caller does not have permission",
│ "status": "PERMISSION_DENIED"
│ }
│ }
I tried to give my service account more roles such as roles/iam.serviceAccountTokenCreator as the Terraform docs on using GCS as backend state this is required. However, the error persists. Is there a problem in my terraform somewhere? Or is there a role that I am missing? I could try giving it the owner role but that seems a bit extreme given it should only be needed for writing files to the bucket.
Please check the following:
The Organization Policy API needs to be enabled.
The Service Account needs to have an Organization Policy Administrator role at the organization level.
The Service Account User and Service Account Token Creator roles should be assigned to the principal account to impersonate a service account.
Your ADC (Application Default Credentials) needs to be configured for the same user as your terraform apply user/organization. If not, you could run gcloud auth application-default login again and recreate the ADC with the right user.
I have a brand new GCP account that I'm the only owner of, this is a personal/clean brand new project.
I manage the infrastructure exclusively with terraform and trying to create a HTTPS load balancer to route requests to a fixed ip, which I then want to forward to a bucket where I have a webapp, I've setup this type of infrastructure in the past via the UI but not via terraform.
When attempting to create this piece of infrastructure:
resource "google_compute_global_address" "main" {
name = "main"
}
resource "google_compute_forwarding_rule" "lb" {
name = "lb"
provider = google-beta
region = "europe-west2"
project = "owlee-software"
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL_MANAGED"
port_range = "443"
target = google_compute_global_address.main.address
network_tier = "PREMIUM"
}
this throws
│ Response: {
│ "error": "invalid_grant",
│ "error_description": "Account has been deleted"
│ }
for brand new service accounts -- I have deleted the account and created another one -- with another file, if I remove this resource everything gets instantiated fine via the service account in the GCP account. This is the only 'google beta' provider that I have in the project as well.
I'm not sure if this is because of the resource configuration being wrong or something is happening with the service account.
When I try to inspect the service account I just created and made editor on the project, I can't, it shows greyed out with the following text:
Could not find an ancestor of the selected project where you have access to view a policy report. On at least one ancestor, you need the following permissions:
cloudasset.assets.analyzeIamPolicy,
cloudasset.assets.searchAllIamPolicies,
and cloudasset.assets.searchAllResources
My single-main account has the following roles attached to it:
Cloud Asset Owner
Organization Administrator
Owner
Project IAM Admin
Security Admin
I've added all of them after the Owner didn't seem to be enough.
Any suggestions appreciated, thank you.
It's an authentication issue. For me what solved was running.
gcloud auth application-default login
Followed by the terraform apply
But you can check here the documentation on how to authenticate with terraform
I'm new to GCP and I'm trying to enable a number of API's via Terraform.
variable "gcp_service_list" {
description ="Projectof apis"
type = list(string)
default = [
"cloudresourcemanager.googleapis.com",
"serviceusage.googleapis.com"
]
}
resource "google_project_service" "gcp" {
for_each = toset(var.gcp_service_list)
project = "project-id"
service = each.key
}
but I keep running into the error
Error when reading or editing Project Service Foo/compute.googleapis.com: googleapi: Error 403: The caller does not have permission, forbidden
What permissions do I need to grant my service account in order for it to be able to do this please?
In order to enable service APIs in GCP, your user or service account which is being used to run Terraform needs to have the following role:
roles/serviceusage.serviceUsageAdmin
So, you will either have to grant the user or SA the role above from the console or if you have a Terraform resource to bind roles to users/SA that can be used as well.
From Terraform authentication perspective, if you are using a user account make sure you are properly authenticating from the terminal to GCP using the following command:
gcloud auth application-default login
If you are using a service account, you will need to specify the environment variable GOOGLE_APPLICATION_CREDENTIALS passing the json key file.
For Terraform authentication reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference
I'm trying to create GCP infrastructure, to be more precise, load balancer using module "gce-lb-http" for Terraform. Below is the error:
╷
│ Error: Error creating HealthCheck: googleapi: Error 403: Required
'compute.healthChecks.create' permission for 'projects/gcptf-
320808/global/healthChecks/tf-createdlb-hc-default', forbidden
│
│ with module.gce-lb-http.google_compute_health_check.default["default"],
│ on .terraform/modules/gce-lb-http/main.tf line 203, in resource
"google_compute_health_check" "default":
│ 203: resource "google_compute_health_check" "default" {
So I have no idea why health check creating is forbidden? How can I allow the creation of this?
Your user (or Service Account) which is triggerred by Terraform needs this permission in order to be able to create HealthChecks 'compute.healthChecks.create'. You
If service account has correct permissions, check project id defined in a config file, it's common mistake using project name instead of project ID, or just misspelling the ID itself.
Have a look at the documentation descibing how to add roles to a service account and how to make custom roles in case you need some specific permissions.
You may also find this question & answer useful.