Reputation: 133
Google cloud deployment manager couldn't create deployment using "logging.v2.sink" by Permission Denied
I deployed logging.v2.sink using Google Cloud Deployment Manager, however the deployment was failed by permission denied.
The problem was also happened in this logsink example of Google Cloud Deployment Manager.
The result is following:
- code: RESOURCE_ERROR
location: /deployments/my-project-id/resources/sink
message:
{
"ResourceType": "logging.v2.sink",
"ResourceErrorCode": "403",
"ResourceErrorMessage": {
"code": 403,
"message": "The\n caller does not have permission",
"status": "PERMISSION_DENIED",
"statusMessage": "Forbidden",
"requestPath": "https://logging.googleapis.com/v2/projects/my-project-id/sinks",
"httpMethod": "POST"
}
}
The deployment was executed by owner role, moreover I can create logging sink using cli.
gcloud installed in local is newest (v217.0.0).
Why does this problem happen?
Upvotes: 3
Views: 885
Answers (2)
Reputation: 409
Ran into the same problem. Elaborating the answer above:
Deployment manager uses [PROJECT_NUMBER]@cloudservices.gserviceaccount.com to create resources on your behalf. You can check the policy binding for this service account:
gcloud projects get-iam-policy [PROJECT_NUMBER]
This service account has roles/editor on the project by default, which has the following policies for logging sinks:
- logging.sinks.get
- logging.sinks.list
You can confirm this using this command:
gcloud iam roles describe roles/editor
roles/logging.configWriter has logging.sinks.{list, create, get, update, delete} permissions, so you can add a new policy binding to your project and then retry:
gcloud projects add-iam-policy-binding secstate-gcp-test02 \
--member serviceAccount:[PROJECT_ID]@cloudservices.gserviceaccount.com \
--role roles/logging.configWriter
Upvotes: 2
Reputation: 133
I misunderstood permissions of cloud deployment manager. I noticed that the accounts of deploying template and creating resources are different(https://cloud.google.com/deployment-manager/docs/access-control).
When I add the Logging Admin role to the service account, deployment succeeds.
[PROJECT_NUMBER]@cloudservices.gserviceaccount.com
Upvotes: 8
Related Questions
- Permission error when trying to deploy to Google Cloud Run
- Why am I seeing this error: 'ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission' while deploying container?
- permission error for GCP logging router sink update
- How to fix Google cloud deployment error: xxxxx.cloudbuild-logs.googleusercontent.com"; builder service account does not have access to the bucket
- GCP: Unable to create Project Sink through gcloud/API
- Managed Service Account does not have enough permissions while adding ObjectAcessControl
- google deployment manager logging v2 sinks type validation error
- setIAM 403 Forbidden
- Cloud Container Builder - gcloud app deploy fails with missing permission
- "No Log sinks are configured" when trying to export logs