laetus

Reputation: 150

Import of existing Firebase Project into Terraform State receiving 403 error

While migrating our existing infrastructure into an "Infrastructure as Code" Setup, we also needed to import an existing Firebase Project.

Following the instructions from the GCP beta Terraform provider, the following snippet was added to the corresponding Terraform module.

resource "google_firebase_project" "default" {
  provider = google-beta
  project = "my-project-id"
}

The import of the existing Firebase project was initiated by running the command

terraform import google_firebase_project.default my-project-id

This led to the following output:

google_firebase_project.default: Importing from ID "my-project-id"...
google_firebase_project.default: Import prepared!
  Prepared google_firebase_project for import
google_firebase_project.default: Refreshing state... [id=projects/my-project-id]
Error: Error when reading or editing FirebaseProject "projects/my-project-id": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebase.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.

The error was obtained running Terraform with a service account or using an end user account to impersonate a service account. All identities had Owner permissions on the corresponding GCP project.

Upvotes: 4

Views: 945

Answers (1)

Jarno

Reputation: 7232

Your error message is not directly related to your usage of Firebase Terraform resources, but rather to the fact that you cannot talk to the Firebase APIs with a human user. Instead you should create a service account, e.g. called terraform, give it the permissions needed to create Firebase resources and give your user the permission to impersonate the service account.

Then you need to configure your GCP provider like so:

provider "google" {
  impersonate_service_account = "[email protected]"
}

provider "google-beta" {
  impersonate_service_account = "[email protected]"
}

It can be advisable to create a single terraform service account in a shared project and use it to create all other resources through terraform. See also https://github.com/terraform-google-modules/terraform-google-bootstrap for this pattern.

Upvotes: 1
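
The setup the answer describes (a service account named terraform, permissions for Firebase resources, and the right for a user to impersonate it) can be sketched as a one-time bootstrap configuration. This is an added example, not code from the answer or from the linked module. It assumes the configuration is applied with credentials that can manage IAM in both projects; the shared project ID, the operator identity and the choice of roles/firebase.admin are assumptions.

```hcl
# Added example: bootstrap configuration, applied once without impersonation.
# "my-project-id" comes from the question and "terraform" from the answer;
# every other value is a constructed placeholder.

variable "shared_project" {
  description = "Project hosting the Terraform service account (hypothetical)"
  type        = string
  default     = "shared-admin-project"
}

variable "firebase_project" {
  description = "Project whose Firebase resources Terraform manages"
  type        = string
  default     = "my-project-id"
}

variable "operators" {
  description = "Identities allowed to impersonate the account (constructed)"
  type        = set(string)
  default     = ["user:alice@example.com"]
}

resource "google_service_account" "terraform" {
  project      = var.shared_project
  account_id   = "terraform"
  display_name = "Terraform automation"
}

# Scoped role on the target project instead of Owner (assumed role choice;
# adjust to what the module actually manages).
resource "google_project_iam_member" "firebase_admin" {
  project = var.firebase_project
  role    = "roles/firebase.admin"
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# Impersonation is granted on the service account itself, not project-wide,
# so operators can mint tokens for this one account only.
resource "google_service_account_iam_member" "impersonate" {
  for_each           = var.operators
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = each.value
}

output "impersonate_service_account" {
  value = google_service_account.terraform.email
}
```

The output value is what goes into impersonate_service_account in the two provider blocks of the main configuration.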
