Waqar Ahmed

Reputation: 1444

GCP Managed Service Account is not created (for Cloud Asset API)

I have enabled the Cloud Asset API (cloudasset.googleapis.com), but it didn't create the GCP-managed service account service-{projectNumber}@gcp-sa-cloudasset.iam.gserviceaccount.com. I have read in multiple places that GCP is supposed to create that account.

I have tried to enable/disable the API multiple times but still no luck.

If anyone knows the workaround, Please let me know :-)

Upvotes: 6

Views: 5848

Answers (5)

EthanC_123

Reputation: 1

Just dealt with this problem in Dec 2024. Had enabled cloudasset API and was trying to create a feed in Terraform. Adding the service account with gcloud beta services identity create didn't work. The CLI said it was created, but it still didn't appear in the list of SAs in either CLI or Console.

Instead, you have to give it the necessary permissions for it to appear in the list of SAs. Presumably, any SA will only appear when it has at least one permission, but the cloud asset SA isn't set up correctly by GCP by default.

Use the member email that appears in the error you get from GCP when trying to enable the feed.

# member_email is the full service-...@gcp-sa-cloudasset.iam.gserviceaccount.com address from the error; gcloud requires the serviceAccount: prefix on the member
gcloud projects add-iam-policy-binding ${PROJECT_ID}   --member="serviceAccount:${member_email}"   --role="roles/cloudasset.serviceAgent"

Upvotes: 0

Deepak Agarwal

Reputation: 905

Apart from running the command provided in the accepted answer I had to do the following:

  1. Go to IAM and check 'Include Google-provided role grants'.

  2. Search for 'gcp-sa-cloudasset.iam.gserviceaccount.com'. Click on edit and add the Storage Object Admin role if it doesn't have it.

Upvotes: -1

Ron Liberman

Reputation: 9

Having a similar problem, I could see the service account in the form service-{projectNumber}@gcp-sa-cloudasset.iam.gserviceaccount.com was indeed created, but I could not assign a role to it, as I got the same confusing (wrong) error you got (mail addresses and domains must be associated with an active Google Account, G Suite account, or Cloud Identity account).

I discovered there is a new policy in town that prohibits the use of cross-project service account permissions: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_cross_project_service_accounts.

gcloud beta resource-manager org-policies disable-enforce iam.disableCrossProjectServiceAccountUsage --organization <org_id> should solve it.

Upvotes: 0

Bjorn121

Reputation: 665

The documentation should be updated: the service account is not created when you activate the API, but when you run an export. So if you run an export of the assets, the service account will appear.

If, for some reason, you can't run an export (e.g. when you want to create an asset feed to monitor for changes), you can run the following command:

gcloud beta services identity create --service=cloudasset.googleapis.com --project=PROJECT_ID

In Terraform, I created a null_resource that does the trick.

Upvotes: 16

guillaume blaquiere

Reputation: 75970

It exists! But it has no permission. Simply go to the IAM page, click on +ADD. Fill the email with the Cloud Asset service account email: service-{projectNumber}@gcp-sa-cloudasset.iam.gserviceaccount.com. Give it at least the role Cloud Asset Service Agent. Save.

Upvotes: 3
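The Terraform approach Bjorn121 mentions, combined with the IAM grant from EthanC_123's and guillaume blaquiere's answers, written out as an added example (this is not code from any answer in the thread). It assumes a configured google provider, a local gcloud login with permission to run `services identity create`, and two hypothetical inputs, `var.project_id` and `var.topic_name`. The null_resource forces the service agent into existence before any grant references it, which is exactly the ordering problem the thread describes.

```hcl
# Added example, not from the thread. Provisions the Cloud Asset service agent,
# grants it the least role it needs, and creates an asset feed that depends on both.
# var.project_id and var.topic_name are hypothetical inputs.

variable "project_id" { type = string }
variable "topic_name" { type = string } # hypothetical Pub/Sub topic for the feed

data "google_project" "this" {
  project_id = var.project_id
}

resource "google_project_service" "cloudasset" {
  project            = var.project_id
  service            = "cloudasset.googleapis.com"
  disable_on_destroy = false
}

# Equivalent of `gcloud beta services identity create --service=cloudasset.googleapis.com`.
# Enabling the API alone does not materialise the agent; this step does.
# (google-beta's google_project_service_identity resource does the same without shelling out.)
resource "null_resource" "cloudasset_identity" {
  triggers = { project = var.project_id }

  provisioner "local-exec" {
    command = "gcloud beta services identity create --service=cloudasset.googleapis.com --project=${var.project_id}"
  }

  depends_on = [google_project_service.cloudasset]
}

# The agent's email is derived from the project *number*, not the project ID.
locals {
  cloudasset_sa = "service-${data.google_project.this.number}@gcp-sa-cloudasset.iam.gserviceaccount.com"
}

# The service-agent role is the minimum the agent needs; the member must carry
# the serviceAccount: prefix or IAM rejects it with the "not an active Google Account" error.
resource "google_project_iam_member" "cloudasset_agent" {
  project    = var.project_id
  role       = "roles/cloudasset.serviceAgent"
  member     = "serviceAccount:${local.cloudasset_sa}"
  depends_on = [null_resource.cloudasset_identity]
}

resource "google_pubsub_topic" "feed" {
  name    = var.topic_name
  project = var.project_id
}

# Grant publish on just this topic rather than a project-wide Pub/Sub role.
resource "google_pubsub_topic_iam_member" "feed_publisher" {
  topic      = google_pubsub_topic.feed.id
  role       = "roles/pubsub.publisher"
  member     = "serviceAccount:${local.cloudasset_sa}"
  depends_on = [null_resource.cloudasset_identity]
}

# Feed IAM policy changes in the project to the topic; created only after the
# agent exists and holds its roles, otherwise the feed creation fails as in the thread.
resource "google_cloud_asset_project_feed" "iam_changes" {
  project      = var.project_id
  feed_id      = "iam-policy-changes"
  content_type = "IAM_POLICY"
  asset_types  = ["cloudresourcemanager.googleapis.com/Project"]

  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.feed.id
    }
  }

  depends_on = [
    google_project_iam_member.cloudasset_agent,
    google_pubsub_topic_iam_member.feed_publisher,
  ]
}
```

After `terraform apply`, the agent shows up in the IAM page once "Include Google-provided role grants" is ticked, as Deepak Agarwal notes. If you also export to Cloud Storage, scope that grant to the export bucket (a bucket-level `google_storage_bucket_iam_member`) rather than giving the agent Storage Object Admin on the whole project, and if the binding still fails with the "active Google Account" error, check the `iam.disableCrossProjectServiceAccountUsage` org policy from Ron Liberman's answer before loosening anything else.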
