Reputation:
I am trying to allocate the roles to the user in the Terraform file in a GCP project, but I am getting the below error:
Error: Request "Create IAM Members roles/compute.networkAdmin user:[email protected] for "project \"vibrant-mantis-296207\""" returned error: Batch request and retried single request "Create IAM Members roles/compute.networkAdmin user:[email protected] for "project \"vibrant-mantis-296207\""" both failed. Final error: Error applying IAM policy for project "vibrant-mantis-296207": Error setting IAM policy for project "vibrant-mantis-296207": googleapi: Error 403: Policy update access denied., forbidden
I used the below piece of code:
module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 6.4"

  projects = ["vibrant-mantis-296207"]

  bindings = {
    "roles/storage.admin" = [
      "user:[email protected]",
    ]
    "roles/compute.networkAdmin" = [
      "user:[email protected]",
    ]
  }
}
Upvotes: 6
Views: 23099
Reputation: 51
Privileged Access Manager Project Service Agent roles/privilegedaccessmanager.projectServiceAgent can help and has minimal permissions:
Upvotes: 0
Reputation: 1626
Found this via google because I got
Error:
Request `Create IAM Members roles/artifactregistry.reader
serviceAccount:mvp-service-account@[[project]].iam.gserviceaccount.com for project "[[project]]"` returned error:
Error retrieving IAM policy for project "[[project]]":
googleapi: Error 403: The caller does not have permission, forbidden
Turns out, I had a typo in my project name and got the error due to this. Hope this helps anyone.
Upvotes: 0
Reputation: 442
On the Google Cloud Platform go to IAM, in IAM & Admin select your terraform service yourproject.iam.gserviceaccount.com
and add/change the role to Owner.
In the console, run your terraform command(s) again and it should be fixed.
Commands:
terraform init
terraform plan
terraform apply
Upvotes: -2
Reputation: 81464
The user/service-account that Terraform is using for authorization does not have the permission resourcemanager.projects.setIamPolicy.
The solution is to edit the IAM permissions for the user/service-account to include a role which has that permission.
Example roles with the permission resourcemanager.projects.setIamPolicy:
Granting, changing, and revoking access to resources
Upvotes: 25
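An added example, not code from the question or from any of the answers, showing how the fix described in the answer above can be expressed in Terraform itself with a least-privilege custom role instead of granting Owner. The project id is the one from the question; the service-account email is an assumed placeholder.

```hcl
# Added example (not from the question or any answer): give the identity
# Terraform runs as only the two permissions the projects_iam module needs.

locals {
  project_id   = "vibrant-mantis-296207"                                   # from the question
  terraform_sa = "terraform@vibrant-mantis-296207.iam.gserviceaccount.com" # assumed placeholder
}

# Custom role carrying only what the module calls need:
# getIamPolicy (the module reads the existing policy first, which is the call
# that failed with "Error retrieving IAM policy" in one answer) and
# setIamPolicy (the call that failed with "Policy update access denied").
resource "google_project_iam_custom_role" "tf_iam_editor" {
  project     = local.project_id
  role_id     = "terraformProjectIamEditor"
  title       = "Terraform project IAM editor"
  description = "Read and write the project IAM policy; nothing else"
  permissions = [
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
  ]
}

# Bind the custom role to the Terraform service account. This binding must be
# applied once by a principal that already holds setIamPolicy on the project
# (for example a human Owner); the Terraform service account cannot grant it
# to itself, which is exactly the 403 in the question.
resource "google_project_iam_member" "tf_sa_iam_editor" {
  project = local.project_id
  role    = google_project_iam_custom_role.tf_iam_editor.id
  member  = "serviceAccount:${local.terraform_sa}"
}
```

Note that resourcemanager.projects.setIamPolicy lets its holder grant any role on the project, including Owner, so the custom role narrows what Terraform can touch in other services but the service account holding it still needs to be treated as a highly privileged identity.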