Reputation: 313
I'm trying to create a custom IAM role in GCP with Terraform for my instances. AFAICT, the following should work, yet it errors out on me, complaining that the standard roles I want to include are not valid.
```hcl
resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "roles/storage.objectCreator",
    "roles/cloudkms.cryptoKeyEncrypter"
  ]
}
```
Here is the error message:
```text
* google_project_iam_custom_role.my-instance-role: Error creating
the custom project role My Instance Role: googleapi: Error 400:
Permission roles/storage.objectCreator is not valid., badRequest
```
The Terraform docs aren't super clear, but from what I've read, this should work. Any idea what I'm doing wrong here?
Upvotes: 7
Views: 12665
Reputation: 725
First of all, you are giving roles in the permissions section, which is wrong. You can use some modules which allow you to create custom roles using a set of predefined roles and permissions. You can use or refer to my code here - Terraform code to create custom roles
Note: Not all permissions work with a custom role, so for example if you are trying to give the roles/iam.securityAdmin role, you will have to exclude some permissions since they are not allowed in custom roles. You will have to make the list of excluded permissions manually since there is no way around it.
This is how you will have to list all the roles which need to be excluded. Just pass this to the module like this -
```hcl
module "custom-viewer-role-project" {
  #count                = length(var.viewer_permissions)
  source               = "../../modules/custom_role_iam/"
  target_level         = "project"
  target_id            = var.project_id
  role_id              = var.viewer_role_id
  base_roles           = var.viewer_base_roles
  permissions          = var.viewer_permissions
  excluded_permissions = var.viewer_excluded_permissions
  description          = var.viewer_description
  members              = ["serviceAccount:${var.viewer_members}@${var.project_id}.iam.gserviceaccount.com"]
}
```
Variables:
- `viewer_base_roles` - here you list all the roles needed
- `viewer_excluded_permissions` - here you will have to provide the list of excluded permissions
Upvotes: 2
Reputation: 313
Ok. I figured it out. You can't include a predefined GCP role in a custom role. You have to specify the specific service permissions. What I really wanted to do was this:
```hcl
resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "storage.objects.create",
    "cloudkms.cryptoKeyVersions.useToEncrypt"
  ]
}
```
The key here is the difference between predefined GCP roles such as "roles/storage.objectCreator", which is a collection of GCP permissions, and using those individual permissions on their own. When creating a custom IAM role in Terraform, you must specify the individual service-level permissions you want to apply, such as "storage.objects.create".
Upvotes: 12
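Both answers make the same point: a custom role takes individual permissions, and the module approach expands predefined base roles into permissions and then drops an exclusion list. The following is an added example (not code from either answer or from the linked module) that performs that expansion and rejects `roles/...` entries before they reach Terraform. The role-to-permission mapping is a constructed sample using only the values on this page; in practice it would be filled from `gcloud iam roles describe roles/<name>`.

```python
"""Expand predefined GCP roles into the permission list that
google_project_iam_custom_role accepts, applying an exclusion list and
rejecting role names that would trigger the 400 'is not valid' error."""
import re

# Constructed sample catalogue: predefined role -> included permissions.
# Real data comes from `gcloud iam roles describe roles/<name>`
# (the includedPermissions field); only values from this page are listed.
SAMPLE_ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": ["storage.objects.create"],
    "roles/cloudkms.cryptoKeyEncrypter": ["cloudkms.cryptoKeyVersions.useToEncrypt"],
}

# A permission id is dotted: service.resource.verb (three or more segments).
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*(\.[A-Za-z0-9]+){2,}$")


def is_permission(name: str) -> bool:
    """True for 'storage.objects.create', False for 'roles/...' or junk."""
    return bool(PERMISSION_RE.match(name))


def build_custom_role_permissions(base_roles, permissions=(), excluded=(),
                                  role_catalog=SAMPLE_ROLE_PERMISSIONS):
    """Return a sorted, de-duplicated permission list for a custom role.

    base_roles:  predefined roles to expand (like the module's base_roles)
    permissions: extra individual permissions to add
    excluded:    permissions to drop, e.g. ones custom roles do not support
    """
    collected = set()
    for role in base_roles:
        if role not in role_catalog:
            raise ValueError(f"unknown base role: {role}")
        collected.update(role_catalog[role])
    for perm in permissions:
        if perm.startswith("roles/"):
            raise ValueError(f"{perm} is a role, not a permission; "
                             "custom roles only accept permissions")
        if not is_permission(perm):
            raise ValueError(f"not a valid permission id: {perm}")
        collected.add(perm)
    return sorted(collected - set(excluded))


def to_hcl(permissions):
    """Render the list as the permissions argument of the Terraform resource."""
    body = ",\n".join(f'    "{p}"' for p in permissions)
    return f"permissions = [\n{body}\n  ]"
```

Running `to_hcl(build_custom_role_permissions(["roles/storage.objectCreator", "roles/cloudkms.cryptoKeyEncrypter"]))` yields exactly the `permissions` block from the accepted answer.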