We Keep Coding

service account permission issue while deploying cloud function

I have service account SA1 which is created in project1 with permission ( cloud function invoker, service account user ). i want to deploy a cloud function CF1 in project2 and specify SA1 in that cloud function as SERVICE_ACCOUNT parameter. while deploying CF1 in project2 i am getting below error even though "service account user" permission exist for this SA1 in project 1 and
SA1 is also added in project 2
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Ok], message=[Missing necessary permission iam.serviceAccounts.act As
for cloud-functions-mixer on the service account SA1.
Grant the role 'roles/iam.serviceAccountUser' to cloud-functions-mixer on the service account SA1.

It's absolutely not clear and it's a great question!
You need 2 things
Firstly, run the proposed command
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=cloud-functions-mixer --role=roles/iam.serviceAccountUser
BUT what is that cloud-functions-mixer?? In fact, it's only the account that runs the command
#for you
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=user:<your email> --role=roles/iam.serviceAccountUser
# for a service account (CI/CD pipeline for instance)
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=serviceAccount:<service account email> --role=roles/iam.serviceAccountUser
Then activate the cross-project project usage, deactivated by default. You can achieve that only if you have an organisation. If you haven't, you can't go to organisation policies
Go to Organization policies
Look for Disable Cross-Project Service Account Usage
Edit, click on customize and add rule to disable the rule

GCP: what are the permissions of viewer role has?

I'm looking into roles in GCP. I have a use case to read everything in GCP. So when I looked at the viewer role, docs say it is a read-only role but it seems it has a lot of restrictions. what are the exact permissions of a viewer role?

To list the permission that a role contains, use the CLI:
gcloud iam roles describe roles/editor
gcloud iam roles describe
Editor is a predefined role that currently has 4,078 permissions. Google Cloud manages the permissions for predefined roles. This means that the permissions assigned to these roles can change over time.

You can use the below gcloud commands for roles/viewer.
gcloud iam roles describe roles/viewer
You can add or revoke a single role using the gcloud command-line tool's add-iam-policy-binding and remove-iam-policy-binding commands.
Granting access:
To quickly grant a role to a member, run the following gcloud ‘add-iam-policy-binding’ command:
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
gcloud projects add-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/editor
Revoking access:
gcloud projects remove-iam-policy-binding my-project --member=user:my-user#example.com --role=roles/viewer
For more information, you can also refer to gcloud iam roles describe, roles Granting changing and revoking access to resources.

You should also bare in mind the concept of 'convenience values' that apply to Basic Roles.
In the case of the Viewer role, by default an identity granted this role would be granted more permissions than are listed when running the gcloud command;
gcloud iam roles describe roles/viewer
In addition to the listed permissions, they will be able to read all objects under the resource that the role is granted at through convenience values - see this link to the Google documentation. For example, roles/storage.legacyObjectReader or READER on the bucket ACL will be granted by default (this is dependant on if Uniform Bucket Level Access is configured).

How to resolve "googleapi: Error 403: The caller does not have permission, forbidden"

I am using terraform to build infra in GCP. I am trying to assign roles to a service account using terraform but unable to do so. Below is my code:
sa.tf:
resource "google_service_account" "mojo-terra" {
account_id = "mojo-terra"
description = "Service account used for terraform script"
}
resource "google_project_iam_member" "mojo-roles" {
count = length(var.rolesList)
role = var.rolesList[count.index]
member = "serviceAccount:${google_service_account.mojo-terra.email}"
}
dev.tfvars:
rolesList = [
"roles/iam.serviceAccountUser"
]
cloudbuild logs:
Step #2: Error: Error when reading or editing Resource "project \"poc-dev\"" with IAM Policy: Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
Step #2:
Step #2:
Step #2: Error: Error when reading or editing Resource "project \"poc-dev\"" with IAM Member: Role "roles/iam.serviceAccountUser" Member "serviceAccount:asadsfs#poc-dev-1221.iam.gserviceaccount.com": Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
Below are the roles attached to my cloudbuild service account:
Custom Role cloudbuild, Cloud Build Service Account, Service Account Admin, Create Service Accounts, Delete Service Accounts, Service Account User, Storage Admin

The service account providing authorization to Terraform is missing the permission resourcemanager.projects.getIamPolicy which is the source of the error message.
The service account is also missing the permission resourcemanager.projects.setIamPolicy which is required to change IAM policies.
Those permissions are part of the role roles/resourcemanager.projectIamAdmin (Project IAM Admin).
To list the roles assigned to the service account:
gcloud projects get-iam-policy <YOUR GCLOUD PROJECT ID> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<YOUR SERVICE ACCOUNT>"
To list the permissions that a role contains:
gcloud iam roles describe roles/resourcemanager.projectIamAdmin
To add the required role to the service account:
gcloud projects add-iam-policy-binding <YOUR GCLOUD PROJECT ID> \
--member=serviceAccount:<YOUR SERVICE ACCOUNT> \
--role=roles/resourcemanager.projectIamAdmin

How can I give a service account access to a particular secret?

I want to grant a service account access to a secret in Google Secrets Manager.
I can access the secret like this:
gcloud beta secrets versions access 1 --secret="thesecret" --project="myproject"
But when my service account tries the same command, gcloud emits this error:
ERROR: (gcloud.beta.secrets.versions.access) PERMISSION_DENIED: Request had insufficient authentication scopes.
The main question is: What else do I need to do to ensure that the service account can access the secret?
I have granted that service account "roles/secretmanager.secretAccessor" in Terraform like this:
resource google_project_iam_binding the-binding {
project = myproject
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:theserviceaccount#someotherproject.iam.gserviceaccount.com",
]
}
And I can verify that it has that role both in the gcp console and like this:
gcloud projects get-iam-policy myproject \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:theserviceaccount#someotherproject.iam.gserviceaccount.com"
ROLE
roles/secretmanager.secretAccessor
But there's this concept from the docs:
If a member only needs to access a single secret's value, don't grant that member the ability to access all secrets. For example, you can grant a service account the Secret Accessor role (roles/secretmanager.secretAccessor) on a single secret.
So it's like an iam-policy-binding can have an affinity to a particular secret, but I'm not sure which gcloud commands or terraform resources I can use to create such an affinity.

The first problem is that I was mistaken about which service account my environment was configured to use. So I had granted access to the service account, but I wasn't using it after all (apparently they're initialized inconsistently in my case). I fixed that by running this command before trying to access the secret:
gcloud config set account theserviceaccount#someotherproject.iam.gserviceaccount.com
Also, I didn't realize that there were more than one toplevel gcloud command that let you modify iam policy bindings. I had been exploring gcloud iam ... when what I needed was:
gcloud beta secrets add-iam-policy-binding projects/myproject/secrets/mysecret --member serviceAccount:theserviceaccount#someotherproject.iam.gserviceaccount.com --role roles/secretmanager.secretAccessor

How do I grant a specific permission to a Cloud IAM service account using the gcloud CLI?

I know that I can do it via the UI (Cloud Console), and that I can also assign a role. Although, how do I grant a single permission easily?
For example, I was pushing an image to Google Container Registry with a newly created service account, and I got an error saying that this service account doesn't have the storage.buckets.get permission. What is the easiest way to grant this specific permission using the CLI?

You can't directly grant a permission to a service account, that's simply not how Google Cloud IAM works. Only roles are assigned to service accounts, users or groups which in turn usually contain a set of permissions.
If you want a role to only contain a single permission, or only permissions you're interested in, you can look into creating a custom role, which allows you to specify which permission(s) you want to give to a role of your definition in order to restrict the access on a more granular level. And then, assign that custom role to the service account:
Using the gcloud CLI you can create a custom role with
gcloud iam roles create, i.e:
gcloud iam roles create bucketViewer \
--project example-project-id-1 \
--title "Bucket viewer" \
--description "This role has only the storage.buckets.get permission" \
--permissions storage.buckets.get
This will create a custom role with the ID bucketViewer, for the
project ID example-project-id-1, containing only the permission
storage.buckets.get. Replace these values as desired and
accordingly.
Once done, you can assign this custom role also with a single gcloud
command by using gcloud projects add-iam-policy-binding:
gcloud projects add-iam-policy-binding example-project-id-1 \
--member='serviceAccount:test-proj1#example.domain.com' \
--role='projects/example-project-id-1/roles/bucketViewer'
Replace example-project-id-1 with your project ID, and
test-proj1#example.domain.com with the actual name of the service
account you want to assign the role to.

You most likely don't want to assign single permission. It usually requires more permissions to achieve what you want.
Those permissions are organized into roles - you either pick existing one, or create own, like described in this answer https://stackoverflow.com/a/59757152.
But typically there are some existing predefined roles. You need to find them in Google Cloud documentation - e.g. for container registry https://cloud.google.com/container-registry/docs/access-control - your choice could be Storage Object Admin (roles/storage.objectAdmin).
Those roles are actually Cloud Storage roles which are described in https://cloud.google.com/storage/docs/access-control/iam-roles.