Reputation: 93
missing permission on "billingAccounts/XXXXXXXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create Terraform (GCP)
I tried to automate the Shared VPC creation on GCP by using Terraform. I have enabled all the access to my service account (Org Admin, XpnAdmin, Storage Admin, Compute admin, Billing Admin)
But when i executed terraform apply it's throwing me following error:
missing permission on "billingAccounts/CXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create
I'm referring the Google provider Github code for this demo.
Upvotes: 8
Views: 13055
Answers (6)
Reputation: 174
I faced the same problem and consumed about 3 hours.
As a result, I found that we needed to set up the role on the Billing account side.
As shown in the picture below, you need to grant the Billing role to the *** service account*** where Cloud Billing will run.
Upvotes: 1
Reputation: 1861
I faced the same issue. You can now assign the role to an identity with this gcloud CLI command (as of the time of writing is still on alpha):
gcloud alpha billing accounts add-iam-policy-binding 123456-ABCDEF-123ABD \
--member "serviceAccount:youserviceaccount@projectID-of-the-serviceaccount.iam.gserviceaccount.com" \
--role="roles/billing.user"
https://cloud.google.com/sdk/gcloud/reference/alpha/billing/accounts/add-iam-policy-binding
Upvotes: 0
Reputation: 1247
I was getting this error when I had an old (deleted) billing account Id in my Terraform config.
<facePalm>Doh!</facePalm>
Upvotes: -1
Reputation: 9
This error generally comes when you are logged into to machine/laptop and set default credentials to run terraform. Thereafter you got a new account or have been asked to use new account and you are authenticating using gcloud auth login / or gcloud auth application-default login. This will still use the previous account billing account. It is recommended to use Google CloudShell to run terraform script first time.
Upvotes: -1
Reputation: 161
I was getting same error even my "Service Account" had the necessary "Organization" level permissions. Then I figured out, I need to give permission from "Billing Account". It worked.
I was following this tutorial to create projects via "Service Account" and "Terraform", but still was getting error. After some research, I followed this how-to and gave permission from "Billing Account".
Project, Organization and Billing are 3 separate components for permissions. Giving "Organization" level is not enough. The permission should be given from "Billing Account" as well.
Upvotes: 6
Reputation: 116
It's quite likely you have the billing admin, but you also need the ability to create billing assignments, or "Billing Project Manager".
https://cloud.google.com/billing/v1/how-tos/access-control
billing.resourceAssociations.create AND resourcemanager.projects.createBillingAssignment on the Cloud Billing account.
There's some handy code to bootstrap a service account - Google Project Factory - You might want to have a look at that. Once that SA is created you shouldn't have permissions issues
Upvotes: 4
Related Questions
- Terraform: googleapi: Error 403: Permission denied on resource project
- Error setting up Cloud Storage terraform backend: "Error impersonate: status code 403: The caller does not have permission"
- Getting error while allowing accounts and roles in Terraform for GCP
- (Terraform, GCP) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on
- Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required
- Terraform/GCP - "the user does not have permission to access Project"
- How to resolve "googleapi: Error 403: The caller does not have permission, forbidden"
- Terraform GCP vm instance create - Error 403
- Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account
- Terraform GCP - Error waiting for Setting usage export bucket.: Required 'read' permission for 'gcp-bucket'