Reputation: 1097
The above error message is being thrown when I try to add a task to a queue. Here is my setup and the info about this problem:
my-project
my-service-account
my-queue
asia-northeast1 (one of the few locations where Cloud Tasks is currently in beta)
Also, let's confirm that all the above exist and are running.
When I check my service account roles by POSTING to https://cloudresourcemanager.googleapis.com/v1/projects/my-project:getIamPolicy
I receive a response similar to:
{
  "status": 200,
  "data": {
    "version": 1,
    "etag": "BwV6nNWJg4E=",
    "bindings": [
      {
        "role": "roles/cloudtasks.admin",
        "members": [
          "serviceAccount:[email protected]"
        ]
      },
      {
        "role": "roles/cloudtasks.enqueuer",
        "members": [
          "serviceAccount:[email protected]"
        ]
      }
    ]
  }
}
As you can see, my-service-account has the following 2 roles:
Both of those roles have the cloudtasks.tasks.create permission baked in.
When I try to add a task to the Cloud Task using the following:
POST https://cloudtasks.googleapis.com/v2beta3/projects/my-project/locations/asia-northeast1/queues/my-queue/tasks
+ task payload
I receive the following error message:
{
  "status": 403,
  "data": {
    "error": {
      "code": 403,
      "message": "The principal (user or service account) lacks IAM permission \"cloudtasks.tasks.create\" for the resource \"projects/my-project/locations/asia-northeast1/queues/my-queue\" (or the resource may not exist).",
      "status": "PERMISSION_DENIED"
    }
  }
}
This really puzzles me.
Is there anybody who knows what I might be doing wrong?
Upvotes: 9
Views: 8439
Reputation: 41
What worked for me was providing the project ID in the cloud tasks resource block:
resource "google_cloud_tasks_queue" "configuration" {
  name     = var.cloud_tasks_queue_id
  location = var.region
  project  = var.project_id   # explicitly set instead of relying on the provider default
}
I had the exact same problem, which gave me an authorization error; however, this worked for me.
Note: What's confusing is that the Terraform documentation describes the project_id attribute as optional...
Upvotes: 0
Reputation: 404
For me, I had listed the wrong queue.name (i.e. not the fully-qualified name) in the request, which caused this weird API error.
I discovered this error after looking at the source code for the Node Cloud Tasks client:
Upvotes: 1
Reputation: 31
You can grant access to your service account with the following command:
gcloud projects add-iam-policy-binding {project} \
--member=serviceAccount:{service-account-email} \
--role=roles/cloudtasks.enqueuer
Notice that Google Cloud will take some minutes to apply this change (even if the CLI returns, you will need to wait).
Upvotes: 1
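The two answers above point at the two causes this 403 conflates: a queue name that is not fully qualified, and a caller that holds no role carrying cloudtasks.tasks.create. The following added example (not code from the question or any answer) checks both offline against a getIamPolicy response; the policy document and the service-account e-mail are constructed placeholders in the format the question shows, and the role set is limited to the two roles named on the page (basic roles such as roles/editor and queue-level policies are not considered, nor is IAM propagation delay).

```python
import re

# Roles named in the question as carrying cloudtasks.tasks.create.
# Assumption for this example: only these two are recognised.
ROLES_WITH_TASK_CREATE = {"roles/cloudtasks.admin", "roles/cloudtasks.enqueuer"}

# The parent a task is created under must be projects/P/locations/L/queues/Q.
QUEUE_PATH = re.compile(r"^projects/[^/]+/locations/[^/]+/queues/[^/]+$")

# Constructed sample mirroring the question's getIamPolicy response (placeholder e-mail).
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/cloudtasks.admin",
         "members": ["serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudtasks.enqueuer",
         "members": ["serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"]},
    ],
}


def is_fully_qualified_queue(name: str) -> bool:
    """True when name is the full resource path rather than a bare queue id."""
    return QUEUE_PATH.match(name) is not None


def principals_with_task_create(policy: dict) -> set:
    """Members holding, at project level, a role that grants cloudtasks.tasks.create."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in ROLES_WITH_TASK_CREATE:
            members.update(binding.get("members", []))
    return members


def diagnose(policy: dict, caller: str, queue_name: str) -> list:
    """Return human-readable findings; an empty list means neither known cause applies.
    caller is the IAM member string actually used for the call, e.g. serviceAccount:<email>."""
    findings = []
    if not is_fully_qualified_queue(queue_name):
        findings.append("queue name %r is not fully qualified" % queue_name)
    if caller not in principals_with_task_create(policy):
        findings.append("%s holds no project-level role granting cloudtasks.tasks.create" % caller)
    return findings
```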
Reputation: 4443
First check which service account is used for calling the API. It looks like whatever makes the API calls uses the default service account, which may not have the proper permissions.
Sometimes, if you omit which service account has to be used in the API call, the default account will be used and you may get authenticated with credentials that won't let you create tasks.
I recommend using API keys to authenticate to rule out any confusion with which service account is being authenticated.
Very similar case was discussed (and solved) here.
Upvotes: 2
Reputation: 1097
I have no clue why that worked, but I blew out all the roles and then added them again, and then it worked. Seems to be a bug on Google Cloud Platform.
Upvotes: 0