ducksauz

Reputation: 313

GCP Custom IAM role creation with Terraform

I'm trying to create a custom IAM role in GCP with Terraform for my instances. AFAICT, the following should work, and yet it errors out on me, complaining that the standard roles I want to include are not valid.

resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "roles/storage.objectCreator", 
    "roles/cloudkms.cryptoKeyEncrypter"
  ]
}

Here is the error message:

* google_project_iam_custom_role.my-instance-role: Error creating 
the custom project role My Instance Role: googleapi: Error 400: 
Permission roles/storage.objectCreator is not valid., badRequest

The Terraform docs aren't super clear, but from what I've read, this should work. Any idea what I'm doing wrong here?

Upvotes: 7

Views: 12665

Answers (2)

Indrajeet Patil

Reputation: 725

First of all, you are giving roles in the permissions section, which is wrong. You can use some modules which allow you to create custom roles using a set of predefined roles and permissions. You can use or refer to my code here - Terraform code to create custom roles

Note: not all permissions work in a custom role, so for example if you are trying to give the roles/iam.securityAdmin role, you will have to exclude some permissions since they are not allowed in custom roles. You will have to make the list of excluded permissions manually, since there is no way around it.

This is how you will have to list down all the roles which need to be excluded. Just pass this to the module like this -

module "custom-viewer-role-project" {
  #count = length(var.viewer_permissions)
  source = "../../modules/custom_role_iam/"
  target_level         = "project"
  target_id            = var.project_id
  role_id              = var.viewer_role_id
  base_roles           = var.viewer_base_roles
  permissions          = var.viewer_permissions
  excluded_permissions = var.viewer_excluded_permissions
  description          = var.viewer_description
  members              = ["serviceAccount:${var.viewer_members}@${var.project_id}.iam.gserviceaccount.com"]
}

Variables - viewer_base_roles = here you list down all the roles you need

viewer_excluded_permissions = here you will have to provide the list of excluded permissions

Upvotes: 2

ducksauz

Reputation: 313

Ok. I figured it out. You can't include a predefined GCP role in a custom role. You have to specify the specific service permissions. What I really wanted to do was this:

resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "storage.objects.create", 
    "cloudkms.cryptoKeyVersions.useToEncrypt"
  ]
}

The key here is the difference between predefined GCP roles such as "roles/storage.objectCreator" which is a collection of GCP permissions and using those individual permissions on their own. When creating a custom IAM role in Terraform, you must specify the individual service level permissions you want to apply, such as "storage.objects.create".

Upvotes: 12
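The accepted answer's point (custom roles hold individual permissions, never "roles/..." names) and the earlier answer's point (some permissions are rejected by the custom-role API and must be excluded) can be combined in one configuration. The following is an added example, not code from the question, either answer, or the linked module: it uses the provider's google_iam_role data source to read the permissions behind each predefined role, subtracts an exclusion list, and feeds the result to google_project_iam_custom_role. It assumes a configured google provider and a var.project_id; the excluded_permissions list and the service account name are placeholders.

```hcl
# Added example (not from the question or either answer): build a custom role
# from the permissions behind predefined roles instead of naming the roles.
# Assumptions: google provider configured; var.project_id supplied;
# excluded_permissions is a placeholder you fill from the "Permission ... is
# not valid" errors the API returns; the service account name is a placeholder.

variable "project_id" {
  type = string
}

locals {
  # Predefined roles whose permissions should be folded into the custom role.
  base_roles = [
    "roles/storage.objectCreator",
    "roles/cloudkms.cryptoKeyEncrypter",
  ]

  # Permissions the custom-role API rejects (placeholder, fill in as needed).
  excluded_permissions = []
}

# google_iam_role returns the permission list a predefined role grants.
data "google_iam_role" "base" {
  for_each = toset(local.base_roles)
  name     = each.value
}

locals {
  # Union of every base role's permissions, minus the ones custom roles cannot hold.
  resolved_permissions = setsubtract(
    toset(flatten([for r in data.google_iam_role.base : r.included_permissions])),
    toset(local.excluded_permissions),
  )
}

resource "google_project_iam_custom_role" "my_instance_role" {
  project     = var.project_id
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "Permissions of the base roles, expressed as individual permissions"
  permissions = sort(local.resolved_permissions) # e.g. storage.objects.create
}

# Grant the custom role to the instance's service account (placeholder member).
resource "google_project_iam_member" "instance_sa" {
  project = var.project_id
  role    = google_project_iam_custom_role.my_instance_role.name
  member  = "serviceAccount:my-instance-sa@${var.project_id}.iam.gserviceaccount.com"
}
```

Two caveats worth knowing before adopting this pattern. First, it inherits every permission the predefined roles carry, so for least privilege the accepted answer's approach of listing only the two permissions the workload actually needs is tighter; the expansion is mainly useful as a starting point from which to prune. Second, the data source is re-read on every plan, so when Google changes a predefined role's permission set the custom role shows a diff, which is a useful signal to review rather than something to suppress.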
