I'm following the Google GKE and SQL with terraform tutorial
But I'm not able to create a google_project.project.
I have tried both as the owner of the project and as the service described in the tutorial. Both attempts end with this error:
Error: Error applying plan:
1 error(s) occurred:
* google_project.project: 1 error(s) occurred:
* google_project.project: error creating project terraform-dev-357aa670
(terraform-dev): googleapi: Error 403: User is not authorized., forbidden.
If you received a 403 error, make sure
you have the `roles/resourcemanager.projectCreator` permission
I would think that I had the correct permissions as the project owner, but apparently not.
Here's how I created the service account:
$ gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \ (gke_my-domain-218910_europe-west1-b_my-domain-vpc-native/default)
> --member serviceAccount:terraform#${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/resourcemanager.projectCreator
Updated IAM policy for organization [00000].
bindings:
- members:
- domain:my-domain.no
role: roles/billing.creator
- members:
- serviceAccount:terraform#my-domain-terraform-admin-3.iam.gserviceaccount.com
- serviceAccount:terraform#my-domain-terraform-admin.iam.gserviceaccount.com
role: roles/billing.user
- members:
- domain:min-familie.no
- serviceAccount:terraform#my-domain-terraform-admin-3.iam.gserviceaccount.com
- serviceAccount:terraform#my-domain-terraform-admin.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
etag: BwWJxJTDnQs=
version: 19d
Creating a project "manually" works.
$ gcloud projects create ${TF_ADMIN}.
Any ideas what might be wrong?
In order to create folders and projects, your account need to have the respective permissions and, of course you need to make sure that you are using the right account.
First make sure the user has the right permissions:
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your#email.com --role=roles/billing.admin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your#email.com --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your#email.com --role=roles/resourcemanager.folderCreator
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:your#email.com --role=roles/resourcemanager.projectCreator
Then make sure you set the application defaults and login to exactly this account:
gcloud auth application-default login
The set a project that the API calls will be billed to by default. Read more about this here. If you don't set this, you might get a quota error when you run terraform apply.
gcloud auth application-default set-quota-project SOME_BILLING_PROJECT
I had exact same problem!
Steps that solved this problem for me:
Downloaded the key for that Service Account (Using GCP Console) to : /Users/johndoe/sa.json
export GOOGLE_APPLICATION_CREDENTIALS=/Users/johndoe/factory.json
terraform apply
Hope this works for you.
Found the solution from Seth Fargo here:
https://github.com/sethvargo/vault-on-gke/issues/16
Related
I have the following service account
my-sa#my-project.iam.gserviceaccount.com
Which seems to have the following custom role
▶ gcloud projects get-iam-policy my-project \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:my-sa#my-project.iam.gserviceaccount.com.iam.gserviceaccount.com"
ROLE
organizations/123456789/roles/my_custom_role
This custom role has the following permissions
▶ gcloud iam roles describe my_custom_role --organization 123456789
description: My custom role
etag: kdkdkdkd=
includedPermissions:
- container.clusters.get
- container.clusters.list
- container.clusters.update
- container.nodes.delete
- container.nodes.list
- container.operations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
name: organizations/123456789/roles/my_custom_role
stage: GA
title: my_custom_role-
However, when assuming this role (I create, download and login using a json private key)
and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that
the SA has an org level role
it has the resourcemanager.projects.get and resourcemanager.projects.list permissions
Why is that?
To see other projects, you need a higher level permission on your org.
and listing projects, I cannot see all the organisation's projects but rather only the project the SA belongs to, although I should, given that
This is expected, because the project can only control who sees this project.
You may need organization permissions too:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/list
organizations.list
I encounter the following warning:
WARNING: You do not appear to have access to project [$PROJECT] or it does not exist.
after running the following commands locally:
Activate and set a service account:
gcloud auth activate-service-account \
$SERVICE_ACCOUNT \
--key-file=key.json
#=>
Activated service account credentials for: [$SERVICE_ACCOUNT]
Select $PROJECT as the above service account:
gcloud config set project $PROJECT
#=>
Updated property [core/project].
WARNING: You do not appear to have access to project [$PROJECT] or it does not exist.
My own GCP account is associated with the following roles:
App Engine Admin
Cloud Build Editor
Cloud Scheduler Admin
Storage Object Creator
Storage Object Viewer
Why is this service account unable to set $PROJECT? Is there a role or permission I am missing?
The solution to this issue might be to enable the Cloud Resource Manager API in your Google Cloud Console here by clicking enable.
I believe this is an erroneous warning message. I see the same warning message on my service account despite the fact that the account has permissions on my GCP project and can successfully perform necessary actions.
You might be seeing this error due to an unrelated problem. In my case, I was trying to deploy to AppEngine from a continuous integration environment (Circle CI), but I hadn't enabled the App Engine Admin API. Once I enabled the API, I was able to deploy successfully.
I encountered this error when I started out with Google CLoud Platform.
The issue was that I configured/set a non-existing project (my-kube-project)
as my default project using the command below:
gcloud config set project my-kube-project
Here's how I solved it:
I had to list my existing projects first:
gcloud projects list
And then I copied the ID of the project that I wanted, and rannthe command again this time:
gcloud config set project gold-magpie-258213
And it worked fine.
Note: You cannot change the ID of a project's ID or Number,you can only change the Name.
That's all.
I hope this helps
I was encountering the same error when trying to deploy an app to Google App Engine via a service account configured in CircleCI and resolved it by having the following roles (permissions) attached to my service role:
App Engine Deployer
App Engine Service Admin
Cloud Build Editor
Storage Object Creator
Storage Object Viewer
I also had the App Engine Admin API enabled, but not the Cloud Resource Manager API.
The
WARNING: You do not appear to have access to project [$PROJECT_ID] or it does not exist.
warning will appear if there isn't at least one role granted to the service account that contains the resourcemanager.projects.get permission.
In other words, the warning will appear if the result of the following commands is blank:
Gather all roles for a given $SERVICE_ACCOUNT (this works for any account, not just service accounts):
gcloud projects get-iam-policy $PROJECT_ID \
--flatten='bindings[].members' \
--format='table(bindings.role)' \
--filter="bindings.members:${SERVICE_ACCOUNT}"
#=>
ROLE
. . .
For each $ROLE gathered above, either:
gcloud iam roles describe $ROLE \
--flatten='includedPermissions' \
--format='value(includedPermissions)' \
--project=$PROJECT_ID | grep \
--regexp '^resourcemanager.projects.get$'
if the $ROLE is a custom (projects/$PROJECT_ID/roles/$ROLE), or:
gcloud iam roles describe roles/$ROLE \
--flatten='includedPermissions' \
--format='value(includedPermissions)' | grep \
--regexp '^resourcemanager.projects.get$'
if the $ROLE is a curated (roles/$ROLE).
Note: the difference between gcloud command formatting for custom and curated roles is what makes listing all permissions associated with all roles associated with a single account difficult.
If you have confirmed that none of the roles associated with a service account contain the resourcemanager.projects.get permission, then either:
Update at least one of the custom roles associated with the service account with the resourcemanager.projects.get permission:
gcloud iam roles update $ROLE \
--add-permissions=resourcemanager.projects.get \
--project=$PROJECT_ID
#=>
description: $ROLE_DESCRIPTION
etag: . . .
includedPermissions:
. . .
- resourcemanager.projects.get
. . .
name: projects/$PROJECT_ID/roles/$ROLE
stage: . . .
title: $ROLE_TITLE
Warning: make sure to use the --add-permissions flag here when updating, as the --permissions flag will remove any other permissions the custom role used to have.
Create a custom role:
gcloud iam roles create $ROLE \
--description="$ROLE_DESCRIPTION" \
--permissions=resourcemanager.projects.get \
--project=$PROJECT_ID \
--title='$ROLE_TITLE'
#=>
Created role [$ROLE].
description: $ROLE_DESCRIPTION
etag: . . .
includedPermissions:
- resourcemanager.projects.get
name: projects/$PROJECT_ID/roles/$ROLE
stage: . . .
title: $ROLE_TITLE
and associate it with the service account:
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:$SERVICE_ACCOUNT \
--role=projects/$PROJECT_ID/roles/$ROLE
#=>
Updated IAM policy for project [$PROJECT_ID].
auditConfigs:
. . .
Associate the service account with a curated role that already contains the resourcemanager.projects.get permission, which has been discussed above.
If you want to know which curated roles already contain the resourcemanager.projects.get permission and don't want to craft a complex shell loop, it might be easier to go here and filter all roles by Permission:resourcemanager.projects.get.
Note: if you are running into issues, be sure to read the requirements for granting access to resources here.
I have created a ServiceAccount and a custom role from the GCP console.
However when trying to associate them, it fails as below:
gcloud projects add-iam-policy-binding my-project \
--member serviceAccount:cloudrun-poc#my-project.iam.gserviceaccount.com \
--role roles/MyCustomRole
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/ClusterUpscaler is not supported for this resource.
any ideas why?
You might have to create role MyCustomRole before attempting to assign it. No clue what it complains about role ClusterUpscaler, but there might not be a cluster present in that project... besides custom roles usually have names alike projects/{project-id}/roles/{role-name}. They can also be listed:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
You could run gcloud alpha iam policies lint-condition as the output suggests. For me, it was a missing gcloud command "Alpha".
I am trying to deploy code from this repo:
https://github.com/anishkny/puppeteer-on-cloud-functions
in Google Cloud Build. My cloudbuild.yaml file contents are:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
I have given the following roles to my Cloud Build Service account (****#cloudbuild.gserviceaccount.com):
Cloud Build Service Account
Cloud Functions Developer
Yet, in my Cloud Build log I see the following error:
starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"
FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][ 0.0 B/ 835.0 B]
/ [1 files][ 835.0 B/ 835.0 B]
Operation completed over 1 objects/835.0 B.
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1
What am I missing?
It would appear that the permissions changed when (perhaps) Cloud Functions went GA. Another customer raised this issue today and I recalled your question.
The Cloud Build robot (${NUM}#cloudbuild.gserviceaccount.com) additionally needs to be a serviceAccountUser of the ${PROJECT-ID}#appspot.gserviceaccount.com account:
NB While the Cloud Build robot local part is the project number (${NUM}), the appspot robot local part is the project ID (${PROJECT})
Please try:
PROJECT=[[YOUR-PROJECT-ID]]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}#appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}#cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
Let me know!
I struggled with this too after reading quite a bit of documentation. A combination of the above answers got me on the right track. Basically, something like the following is needed:
PROJECT=[PROJECT-NAME]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}#appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}#cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}#[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
--member='serviceAccount:service-${NUM}#gcf-admin-robot.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'
Also, I added the "Cloud Functions Developer" role to my #cloudbuild.gserviceaccount.com account via the IAM Console.
According to Cloud Build documentation, for Cloud Functions you have to grant the "Project Editor" role to your service account.
But, Cloud Functions documentation states that alternatively to using the Project Editor role, you can use "the Cloud Functions Developer role [but you have to] ensure that you have granted the Service Account User role". Regarding Service Accounts, it indicates to have "the CloudFunctions.ServiceAgent role on your project" and to "have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function".
Due to those considerations, my understanding is that the documentation omitted to specify all the roles your service account would need and went directly to indicate to grant the Project Editor role.
You have to update Service Account permissions on Cloud Build settings page.
Here is instructions https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#fully-managed
You just have to set the status of the Cloud Run Admin role to ENABLED on that page:
start your cloud build with auth
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['auth', 'activate-service-account', 'xoxox#xoxo-dev.iam.gserviceaccount.com', '--key-file=account.json', '--project=rabbito-dev']
and then simply your code deployment on cloud function
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
Please add 'Cloud Functions Service Agent' role to your service account alongside 'Cloud Functions Developer'.
I wasn't able to add a new member in GCP (IAM) with the role owner using the gcloud command
The below command fails:
gcloud projects add-iam-policy-binding linuxacademy-3 --member user:rohithmn3#gmail.com --role roles/owner
With the below Error/Exception:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.
- '#type': type.googleapis.com/google.cloudresourcemanager.v1.ProjectIamPolicyError
member: user:rohithmn3#gmail.com
role: roles/owner
type: SOLO_MUST_INVITE_OWNERS
But, the same command works well for other roles like: viewer, browser...! It just doesn't work for "owner".
Is there any alternative for this; if yes, How to add this in my Python Code.
Please help me here..!
Regards,
Rohith
You cannot grant the owner role to a member for a project using the Cloud IAM API or the gcloud command-line tool. You can only add owners to a project using the Cloud Console. An invitation will be sent to the member via email and the member must accept the invitation to be made an owner of the project, Documentation