Reputation: 11
I am new to the Google Cloud Platform Deployment Manager and I am trying to deploy an instance that has a service account attached along with the APIs that I need. My code to attach the service account along with the APIs within the instance template is as follows:
serviceAccounts:
- email: <[email protected]>
  scopes:
  - https://www.googleapis.com/auth/cloud-platform
  - https://www.googleapis.com/auth/compute
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/trace.append
  - https://www.googleapis.com/auth/devstorage.read_write
After executing the code to deploy my instance I run into the following error message:
- code: RESOURCE_ERROR
location: /deployments/gcpnetwork/resources/instance name
message: "{\"ResourceType\":\"compute.v1.instance\",\"ResourceErrorCode\":\"SERVICE_ACCOUNT_ACCESS_DENIED\"\
,\"ResourceErrorMessage\":\"The user does not have access to service account '<[email protected]>'.\
\ User: '[email protected]'. Ask a project owner\
\ to grant you the iam.serviceAccountUser role on the service account\"}"
I have assigned the appropriate permissions for both the service account and Service Account User under the IAM & Admin console, with no luck. I am also the project owner and have full access to all GCP resources. Is there anything that I am missing or doing wrong? I also tried to impersonate the service account but it is still not working; please help clarify this.
Upvotes: 0
Views: 2127
Reputation: 11
I managed to find a way around the problem without going through the IAM user role as the error was suggesting. The error was caused by trying to attach the service account directly within the Deployment Manager's instance template. This causes the Deployment Manager to think you are trying to create a new service account when the instance is deployed, which was not the case, since I was trying to use the default service account within the existing project. So attaching the service account email directly this way:
serviceAccounts:
- email: <[email protected]>
  scopes:
  - https://www.googleapis.com/auth/cloud-platform
  - https://www.googleapis.com/auth/compute
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/trace.append
  - https://www.googleapis.com/auth/devstorage.read_write
causes an error. The workaround was using the value email: default along with the scope list to solve the issue:
serviceAccounts:
- email: default
  scopes:
  - https://www.googleapis.com/auth/cloud-platform
  - https://www.googleapis.com/auth/compute
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/trace.append
  - https://www.googleapis.com/auth/devstorage.read_write
This allows the Deployment Manager to choose the default service account within the existing project. Also note that having the scope https://www.googleapis.com/auth/cloud-platform within the scope list gives you access to all instance APIs. So removing https://www.googleapis.com/auth/cloud-platform from the scope list and using it this way:
serviceAccounts:
- email: default
  scopes:
  - https://www.googleapis.com/auth/compute
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/trace.append
  - https://www.googleapis.com/auth/devstorage.read_write
was what I needed, since I did not want access to all the instance APIs. But if you want access to all instance APIs, you only need to specify the default value with the cloud-platform scope this way:
serviceAccounts:
- email: default
  scopes:
  - https://www.googleapis.com/auth/cloud-platform
I hope this is clear enough and helps anyone who comes across the same issue.
Upvotes: 0
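The same fix expressed as a Deployment Manager Python template, added here as an example and not code from the question or the answer above. Deployment Manager calls GenerateConfig(context) on a .py template and uses the returned dict; the property names zone, machineType and scopes, the FakeContext stand-in used for local runs, and the Debian image are assumptions for this example. The template attaches the project's existing default service account with email: default (the answer's workaround) and defaults to the reduced scope list, and broad_scopes() lets a reviewer flag a template that still hands the instance the blanket cloud-platform scope.

```python
"""Deployment Manager Python template (added example, not the poster's code)."""
import json

# Scope that grants the instance every API its service account can reach.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# The narrower list the answer settles on after dropping cloud-platform.
LEAST_PRIVILEGE_SCOPES = [
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/trace.append",
    "https://www.googleapis.com/auth/devstorage.read_write",
]


def service_account_block(scopes, email="default"):
    """Build the serviceAccounts entry of a compute.v1.instance.

    "default" makes Deployment Manager use the project's existing default
    service account; naming the account by e-mail address is what produced
    SERVICE_ACCOUNT_ACCESS_DENIED in the question.
    """
    return [{"email": email, "scopes": list(scopes)}]


def broad_scopes(scopes):
    """Return the scopes that grant blanket API access (only cloud-platform here)."""
    return [s for s in scopes if s == CLOUD_PLATFORM_SCOPE]


def GenerateConfig(context):
    """Entry point Deployment Manager invokes for a Python template.

    context.properties is assumed (for this example) to carry 'zone',
    'machineType' and an optional 'scopes' list.
    """
    props = context.properties
    zone = props["zone"]
    scopes = props.get("scopes", LEAST_PRIVILEGE_SCOPES)

    instance = {
        "name": context.env["name"],
        "type": "compute.v1.instance",
        "properties": {
            "zone": zone,
            "machineType": "zones/%s/machineTypes/%s" % (zone, props["machineType"]),
            "disks": [{
                "deviceName": "boot",
                "type": "PERSISTENT",
                "boot": True,
                "autoDelete": True,
                "initializeParams": {
                    # Image family assumed for the example.
                    "sourceImage": "projects/debian-cloud/global/images/family/debian-11",
                },
            }],
            "networkInterfaces": [{"network": "global/networks/default"}],
            "serviceAccounts": service_account_block(scopes),
        },
    }
    return {"resources": [instance]}


class FakeContext:
    """Minimal stand-in for the context object Deployment Manager passes in,
    so the template can be rendered locally (assumption for this example)."""

    def __init__(self, name, properties):
        self.env = {"name": name}
        self.properties = properties


if __name__ == "__main__":
    ctx = FakeContext("vm-1", {"zone": "us-central1-a", "machineType": "e2-small"})
    cfg = GenerateConfig(ctx)
    print(json.dumps(cfg, indent=2))
    sa = cfg["resources"][0]["properties"]["serviceAccounts"][0]
    print("broad scopes attached:", broad_scopes(sa["scopes"]))
```

Running the file renders the resource as JSON and reports an empty list of broad scopes; passing scopes containing cloud-platform in the properties makes broad_scopes() return it, which is the check to wire into a pre-deployment review.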
Reputation: 81356
The identity that you are using to create the instance does not have the role roles/iam.serviceAccountUser. This role is required to create and manage instances that use a service account.
Upvotes: 1