martins

Reputation: 10019

Unable to create google project with Terraform

I'm following the Google GKE and SQL with Terraform tutorial, but I'm not able to create a google_project.project. I have tried both as the owner of the project and as the service described in the tutorial. Both attempts end with this error:

Error: Error applying plan:

1 error(s) occurred:

* google_project.project: 1 error(s) occurred:

* google_project.project: error creating project terraform-dev-357aa670 
 (terraform-dev): googleapi: Error 403: User is not authorized., forbidden. 
  If you received a 403 error, make sure 
  you have the `roles/resourcemanager.projectCreator` permission

I would think that I had the correct permissions as the project owner, but apparently not.

Here's how I created the service account:

$ gcloud organizations add-iam-policy-binding ${TF_VAR_org_id} \
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/resourcemanager.projectCreator
Updated IAM policy for organization [00000].
bindings:
- members:
  - domain:my-domain.no
  role: roles/billing.creator
- members:
  - serviceAccount:[email protected]
  - serviceAccount:[email protected]
  role: roles/billing.user
- members:
  - domain:min-familie.no
  - serviceAccount:[email protected]
  - serviceAccount:[email protected]
  role: roles/resourcemanager.projectCreator
etag: BwWJxJTDnQs=
version: 19d

Creating a project "manually" works: $ gcloud projects create ${TF_ADMIN}

Any ideas what might be wrong?

Upvotes: 5

Views: 3043

Answers (2)

Randy

Reputation: 1367

In order to create folders and projects, your account needs to have the respective permissions and, of course, you need to make sure that you are using the right account.

First make sure the user has the right permissions:

gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] --role=roles/billing.admin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] --role=roles/resourcemanager.organizationAdmin
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] --role=roles/resourcemanager.folderCreator
gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=user:[email protected] --role=roles/resourcemanager.projectCreator

Then make sure you set the application defaults and login to exactly this account:

gcloud auth application-default login

Then set a project that the API calls will be billed to by default. Read more about this here. If you don't set this, you might get a quota error when you run terraform apply.

gcloud auth application-default set-quota-project SOME_BILLING_PROJECT

Upvotes: 1

Mamun

Reputation: 2544

I had the exact same problem!

Steps that solved this problem for me:

  1. Downloaded the key for that Service Account (using the GCP Console) to: /Users/johndoe/sa.json

  2. export GOOGLE_APPLICATION_CREDENTIALS=/Users/johndoe/factory.json

  3. terraform apply

Hope this works for you.

Found the solution from Seth Vargo here: https://github.com/sethvargo/vault-on-gke/issues/16

Upvotes: 0
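Both answers turn on the same point: the 403 appears when the principal Terraform's credentials actually resolve to is not the one bound to roles/resourcemanager.projectCreator. As an added example that is not part of the question or either answer, the POSIX shell script below reads the client_email from a service-account key file (the file named by GOOGLE_APPLICATION_CREDENTIALS, as in the second answer) and checks it against an organization IAM policy in the YAML format the question shows. The sample policy and key it writes are constructed placeholders, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the question or answers): does the principal a key
# file resolves to hold roles/resourcemanager.projectCreator in the org IAM
# policy? The 403 in the question usually means the role was granted to a
# different principal than the one Terraform's credentials resolve to.
set -eu

# Pull client_email out of a service-account key JSON (minimal parsing).
principal_from_key() {
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}
# has_binding POLICY_FILE MEMBER ROLE: exit 0 if MEMBER is listed directly under
# ROLE in the YAML printed by `gcloud organizations get-iam-policy ORG_ID`.
# Only direct bindings count: group:/domain: membership and roles inherited
# from folders are not resolved here.
has_binding() {
  awk -v m="$2" -v r="$3" '
    /^- members:/ { n = 0 }                             # start of a binding
    /^  - /       { sub(/^  - /, ""); list[++n] = $0 }  # one member entry
    /^  role: /   { sub(/^  role: /, "")
                    if ($0 == r) for (i = 1; i <= n; i++) if (list[i] == m) found = 1 }
    END           { exit found ? 0 : 1 }' "$1"
}

# check_key_against_policy KEY_FILE POLICY_FILE: 0 if bound, 1 if not (403 case).
check_key_against_policy() {
  has_binding "$2" "serviceAccount:$(principal_from_key "$1")" roles/resourcemanager.projectCreator
}
# Constructed sample policy and key (placeholder values) for a stand-alone run;
# against a real org, feed the output of gcloud organizations get-iam-policy.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/policy.yaml" <<'EOF'
bindings:
- members:
  - domain:example.test
  role: roles/billing.creator
- members:
  - serviceAccount:terraform@tf-admin.iam.gserviceaccount.com
  role: roles/resourcemanager.projectCreator
etag: PLACEHOLDER=
version: 1
EOF
  printf '{"type": "service_account", "client_email": "%s"}\n' terraform@tf-admin.iam.gserviceaccount.com > "$dir/key.json"
  echo "$dir"
}

d=$(write_samples)
check_key_against_policy "$d/key.json" "$d/policy.yaml" && echo "key principal is bound to projectCreator" || echo "key principal is NOT bound: expect the 403 from google_project"
```

Against a real organization, replace the sample with `gcloud organizations get-iam-policy ORG_ID > policy.yaml` and pass your GOOGLE_APPLICATION_CREDENTIALS path as the key file; a "NOT bound" result explains the 403 before running terraform apply again.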
