Cannot assign role using terraform and gcp provider, but works in UI

Trying to assign a created role to a GCP service account which is then used as a workload identity for a k8s deployment.

Terraform:

# Custom role carrying only the single permission the workload needs
resource "google_project_iam_custom_role" "sign_blob_role" {
  permissions = ["iam.serviceAccounts.signBlob"]
  role_id     = "signBlob"
  title       = "Sign Blob"
}

# Lets the Kubernetes service account impersonate the GCP service account
resource "google_service_account_iam_member" "document_signer_workload" {
  service_account_id = module.document_signer_service_accounts.service_accounts_map.doc-sign.name
  role               = "roles/iam.workloadIdentityUser"
  member             = local.document_sign_sa
}

module "document_signer_service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "~> 3.0"
  project_id    = var.gcp_project_name
  prefix        = "doc-sign-sa"
  names         = ["doc-sign"]
  project_roles = [
    "${var.gcp_project_name}=>roles/viewer",
    "${var.gcp_project_name}=>roles/storage.objectViewer",
    "${var.gcp_project_name}=>roles/iam.workloadIdentityUser",
    "${var.gcp_project_name}=>${google_project_iam_custom_role.sign_blob_role.name}"
  ]
  display_name  = substr("GCP SA bound to K8S SA ${local.document_sign_sa}. Used to sign document.", 0, 100)
}

Error:

Error: Request "Create IAM Members roles/signBlob serviceAccount:staging-doc-sign@********************.iam.gserviceaccount.com for \"project \\\"********************\\\"\"" returned error: Error applying IAM policy for project "********************": Error setting IAM policy for project "********************": googleapi: Error 400: Role roles/signBlob is not supported for this resource., badRequest

  on .terraform/modules/document_signer_service_accounts/main.tf line 46, in resource "google_project_iam_member" "project-roles":
  46: resource "google_project_iam_member" "project-roles" {

When I do the same action in the UI, though, it allows me to assign the role.

What am I doing wrong here?

Upvotes: 2

Views: 1901

Answers (1)

Jose Luis Delgadillo

Reputation: 2448

It seems that it could be a problem in the way you are calling the custom role. "${var.gcp_project_name}=>${google_project_iam_custom_role.sign_blob_role.name}"

The custom role already belongs to the project, so it is not necessary to specify ${var.gcp_project_name}

So, the code should be something like:

  project_roles = [
    "${var.gcp_project_name}=>roles/viewer",
    "${var.gcp_project_name}=>roles/storage.objectViewer",
    "${var.gcp_project_name}=>roles/iam.workloadIdentityUser",
    "${google_project_iam_custom_role.sign_blob_role.name}"
  ]

Edit 1

According to this documentation

This is the basic usage of the module service-accounts

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "~> 2.0"
  project_id    = "<PROJECT ID>"
  prefix        = "test-sa"
  names         = ["first", "second"]
  project_roles = [
    "project-foo=>roles/viewer",
    "project-spam=>roles/storage.objectViewer",
  ]
}

I think there should be something wrong with the reference to the attribute from your resource.

Nevertheless, I have found a GitHub repository that contains some good examples of how to add a custom role to a Service Account:

# https://www.terraform.io/docs/providers/google/r/google_project_iam.html#google_project_iam_binding

resource "google_project_iam_binding" "new-roles" {
  role    = "projects/${var.project_id}/roles/${google_project_iam_custom_role.new-custom-role.role_id}"
  members = ["serviceAccount:${google_service_account.new.email}"]
}

I think you might find it useful to complete this task.

Upvotes: 2
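The complete pattern the question is after, written out as an added example rather than code from the question or the answer. It uses the provider resources directly instead of the service-accounts module, so the exact string handed to `google_project_iam_member.role` is visible: a project-level custom role must be referenced by its fully qualified name `projects/<project>/roles/<role_id>`, which is the same form the answer's GitHub reference uses (and the same value `google_project_iam_custom_role.<name>.name` resolves to in current provider releases). The variable names, the `doc-sign-sa` account id and the Kubernetes namespace/service-account inputs are assumptions for illustration.

```hcl
# Hypothetical inputs for this example
variable "project_id" { type = string }
variable "k8s_namespace" { type = string }
variable "k8s_service_account" { type = string }

# Least-privilege custom role: only the one permission the workload needs.
resource "google_project_iam_custom_role" "sign_blob" {
  project     = var.project_id
  role_id     = "signBlob"
  title       = "Sign Blob"
  permissions = ["iam.serviceAccounts.signBlob"]
}

resource "google_service_account" "doc_sign" {
  project      = var.project_id
  account_id   = "doc-sign-sa" # assumed account id
  display_name = "GCP SA bound to a K8S SA, used to sign documents"
}

# Project-level grant of the custom role. The role is referenced by its fully
# qualified name; a bare "roles/signBlob" is what the API rejects with
# "Role roles/signBlob is not supported for this resource".
resource "google_project_iam_member" "doc_sign_custom_role" {
  project = var.project_id
  role    = "projects/${var.project_id}/roles/${google_project_iam_custom_role.sign_blob.role_id}"
  member  = "serviceAccount:${google_service_account.doc_sign.email}"
}

# Predefined roles keep their short form. This is the "<project>=><role>" pair
# the service-accounts module expects, expressed as direct resources.
resource "google_project_iam_member" "doc_sign_predefined" {
  for_each = toset(["roles/viewer", "roles/storage.objectViewer"])
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.doc_sign.email}"
}

# Workload Identity binding scoped to this one service account, not the whole
# project: only the named Kubernetes service account may impersonate it.
resource "google_service_account_iam_member" "doc_sign_workload_identity" {
  service_account_id = google_service_account.doc_sign.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.k8s_namespace}/${var.k8s_service_account}]"
}
```

Two scoping choices are deliberate. `roles/iam.workloadIdentityUser` is bound on the service account resource rather than at project level, because a project-level grant would let the Kubernetes identity impersonate every service account in the project. The custom `signBlob` role is granted at project level to match the question, which permits signing with any service account in the project; if the workload only needs to sign as its own identity, bind the custom role on that single service account with `google_service_account_iam_member` instead, using the same `projects/<project>/roles/<role_id>` reference.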
