Reputation: 21
I am trying to assign a custom IAM role to a user (google account) in a GCP Project via Deployment Manager but received a 403 Error code. I have followed the sample provided in the Google Cloud Platform repo: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/iam_member
Basically I created a configuration YAML file with the following content:
```yaml
imports:
- path: ../iam_member.py
  name: iam_member.py

resources:
- name: iam-member-oval-unity-test-0
  type: iam_member.py
  properties:
    projectId: oval-unity-88908
    type: string
    roles:
    - role: roles/GARawDataViewer
      members:
      - user:<USER_EMAIL>
```
`GARawDataViewer` is a custom role created in the project `oval-unity-88908`, and `<USER_EMAIL>` is the value of the user email address to whom I am trying to assign the custom IAM role.
Finally, I deployed running the following command:
```sh
gcloud deployment-manager deployments create deployment-oval-unity-member-test --config examples/oval_unity_member.yaml
```
After running `gcloud deployment-manager` I received the following error message:
```
- code: CONDITION_NOT_MET
  location: /deployments/deployment-oval-unity-member-test/resources/get-iam-policy-iam-member-oval-unity-test-0-0-0->$.properties->$.policy
  message: |-
    InputMapping for field [policy] for method [setIamPolicy] could not be set from input, mapping was: [$.gcpIamMemberBinding($.intent, $.inputs.policy.response, $.resource.properties)], and evaluation context was:
    {
      "deployment" : {
        "id" : 4858392305054927640,
        "name" : "deployment-oval-unity-member-test"
      },
      "extensions" : {
        "EnableAdditionalJsonPathFunctions" : true,
        "EnableGoogleTypeProviderFunctionsExperiment" : true
      },
      "inputs" : {
        "policy" : {
          "error" : {
            "code" : "403",
            "message" : "{\"code\":403,\"message\":\"The caller does not have permission\",\"status\":\"PERMISSION_DENIED\",\"statusMessage\":\"Forbidden\",\"requestPath\":\"https://cloudresourcemanager.googleapis.com/v1/projects/oval-unity-88908:getIamPolicy\",\"httpMethod\":\"POST\"}"
          }
        }
      },
      "intent" : "CREATE",
      "matches" : [ ],
      "project" : "dm-creation-project-0",
      "requestId" : "f3c7f0c4-1ff7-3e26-a060-b0adc068866d",
      "resource" : {
        "name" : "get-iam-policy-iam-member-oval-unity-test-0-0-0",
        "previous" : { },
        "properties" : {
          "member" : "<USER_EMAIL_ADDRESS!>",
          "resource" : "oval-unity-88908",
          "role" : "roles/GARawDataViewer"
        },
        "self" : { }
      }
    }
    Error was:
    Parameter for gcpIamMemberBinding at position 1 is not of type map, value was [null]
```
The interesting thing is that I have been able to deploy successfully when assigning a predefined role like 'editor' (`roles/editor`), but it fails when using a custom role.
I have even tried using the full path to the custom role, `projects/oval-unity-88908/roles/GARawDataViewer`, but it still shows the same error.
Do you have any idea how I could solve this issue? Thanks in advance!
Upvotes: 1
Views: 1411
Reputation: 557
The issue might be that you did not give the service account used by Deployment Manager the proper rights to handle IAM operations. As described here, you can possibly fix this issue by completing the following steps:

`[PROJECT_NUMBER]@cloudservices.gserviceaccount.com`

Let me know if you need further help!
Upvotes: 0
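As an added example (not code from the question, the answer, or the Deployment Manager samples repo): the error above nests three layers, a YAML list, a JSON evaluation context, and a JSON-encoded string inside that context's `inputs.policy.error.message`. The script below peels those layers apart to recover the API call that actually returned the 403 (`getIamPolicy` on the project), names the Cloud Resource Manager permission that call requires, and builds the `gcloud` binding command for the Deployment Manager service account named in the answer. The sample error text is a trimmed copy of the one in the question with a constructed member address; `roles/resourcemanager.projectIamAdmin` as the role to grant and the project number `123456789012` are assumptions of this example, not values from the page.

```python
import json
import re

# Constructed sample: the DM InputMapping error from the question, trimmed to the fields
# the parser reads. The "message" value is itself a JSON document stored as a string.
SAMPLE_ERROR = r'''InputMapping for field [policy] for method [setIamPolicy] could not be set from input, mapping was: [$.gcpIamMemberBinding($.intent, $.inputs.policy.response, $.resource.properties)], and evaluation context was:
{
  "deployment" : { "id" : 4858392305054927640, "name" : "deployment-oval-unity-member-test" },
  "inputs" : {
    "policy" : {
      "error" : {
        "code" : "403",
        "message" : "{\"code\":403,\"message\":\"The caller does not have permission\",\"status\":\"PERMISSION_DENIED\",\"statusMessage\":\"Forbidden\",\"requestPath\":\"https://cloudresourcemanager.googleapis.com/v1/projects/oval-unity-88908:getIamPolicy\",\"httpMethod\":\"POST\"}"
      }
    }
  },
  "intent" : "CREATE",
  "matches" : [ ],
  "resource" : {
    "name" : "get-iam-policy-iam-member-oval-unity-test-0-0-0",
    "properties" : { "member" : "user:someone@example.com", "resource" : "oval-unity-88908", "role" : "roles/GARawDataViewer" }
  }
}
Error was:
Parameter for gcpIamMemberBinding at position 1 is not of type map, value was [null]'''

# Cloud Resource Manager project methods and the IAM permission each one checks.
PROJECT_METHOD_PERMISSION = {
    "getIamPolicy": "resourcemanager.projects.getIamPolicy",
    "setIamPolicy": "resourcemanager.projects.setIamPolicy",
}

REQUEST_PATH_RE = re.compile(
    r"https://cloudresourcemanager\.googleapis\.com/v1/projects/([^:]+):(\w+)$")


def extract_context(error_text):
    """Return the evaluation-context dict embedded in a DM InputMapping error.

    raw_decode stops at the closing brace, so the trailing 'Error was:' lines are ignored.
    """
    start = error_text.index("{")
    ctx, _ = json.JSONDecoder().raw_decode(error_text[start:])
    return ctx


def diagnose(error_text):
    """Identify the failed upstream API call and the permission it needs, or None if
    the policy lookup did not fail (the problem is then somewhere else in the template)."""
    ctx = extract_context(error_text)
    policy_err = ctx["inputs"]["policy"].get("error")
    if policy_err is None:
        return None
    api_err = json.loads(policy_err["message"])  # JSON-in-a-string
    m = REQUEST_PATH_RE.match(api_err["requestPath"])
    if m is None:
        raise ValueError("unrecognised requestPath: " + api_err["requestPath"])
    project, method = m.group(1), m.group(2)
    return {
        "http_code": api_err["code"],
        "status": api_err["status"],
        "project": project,
        "method": method,
        "missing_permission": PROJECT_METHOD_PERMISSION.get(method),
        "intent": ctx["intent"],
        "binding": ctx["resource"]["properties"],
    }


def dm_service_account(project_number):
    """Deployment Manager's service account, as named in the answer above."""
    return f"{project_number}@cloudservices.gserviceaccount.com"


def remediation(diag, project_number):
    """gcloud command granting the DM service account a role that carries the missing
    permission. The role choice (projectIamAdmin) is an assumption of this example."""
    return (f"gcloud projects add-iam-policy-binding {diag['project']} "
            f"--member=serviceAccount:{dm_service_account(project_number)} "
            f"--role=roles/resourcemanager.projectIamAdmin")


def member_has_role(policy, member, role):
    """Check an IAM policy (the JSON from `gcloud projects get-iam-policy --format=json`)
    for a binding of member to role, to confirm the grant before redeploying."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


if __name__ == "__main__":
    d = diagnose(SAMPLE_ERROR)
    print(f"{d['method']} on {d['project']} returned {d['http_code']} {d['status']}; "
          f"caller lacks {d['missing_permission']}")
    print(remediation(d, "123456789012"))
```

Because the 403 is raised by `getIamPolicy`, the first step of the template, the custom-versus-predefined role name never reaches the API in this run; the permission check that fails is on the caller, which is the point the answer makes. After applying the binding, pull the policy with `gcloud projects get-iam-policy oval-unity-88908 --format=json` and pass it to `member_has_role` to confirm the grant landed before retrying the deployment.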