Reputation: 19843
Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account
I have below terraform script, to create a new service account and make it owner. The scripts creates the service account, but it will throw an error on assigning role
resource "google_service_account" "pci_api_service_account" {
account_id = "pci-api"
display_name = "Api"
project = var.project_id
}
resource "google_service_account_iam_member" "pci_api_owner_binding" {
# service_account_id = "projects/pcb-poc-pci/serviceAccounts/[email protected]"
service_account_id = google_service_account.pci_api_service_account.name
role = "roles/owner"
member = "serviceAccount:${google_service_account.pci_api_service_account.email}"
depends_on = [
google_service_account.pci_api_service_account
]
}
and I already autheticated with infra-admin-sa service account by running
gcloud auth activate-service-account --project=pcb-poc-pci --key-file ~/sa/pcb-poc-pci-test-sa-94aa6c81d650.json
When I run terragrunt apply I get this error for the second script
Error: Error applying IAM policy for service account 'projects/pcb-poc-pci/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/pcb-poc-pci/serviceAccounts/[email protected]': googleapi: Error 403: Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account projects/pcb-poc-pci/serviceAccounts/[email protected]., forbidden
These are the Roles of that service account
Based on google doc here and the error message, Service Account Admin should be enough, which my service account already have
Not sure what I missed
Upvotes: 4
Views: 8808
Answers (1)
Reputation: 19843
Solution 1
seems command line was not picking the correct credential/service account although I used gcloud auth activate-service-account command.
so I added this to my script
provider "google" {
credentials = file(var.service_account_file_path)
project = var.project_id
}
and now it's working fine
Solution 2
as per @John Hansley comments below
export GOOGLE_APPLICATION_CREDENTIALS=fullpath.json
then terraform will be picking that service account file and scripts will run successfully.
This method is preferred since less issue in CICD pipeline and other deveopers, to set terraform variables
Upvotes: 1
Related Questions
- Getting error while allowing accounts and roles in Terraform for GCP
- missing permission on "billingAccounts/XXXXXXXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create Terraform (GCP)
- (Terraform, GCP) Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on
- IAM permission denied for service account <service-account-name>@<project-name>.iam.gserviceaccount.com
- Can't use GCP IAM API with a service account
- Using Terraform to create a service account with IAM roles
- How to solve Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account
- Terraform throws Error setting IAM policy for service account ... Permission iam.serviceAccounts.setIamPolicy is required
- How To Grant GCP Organization Level Permissions to Service Account via Command Line
- Cannot assign role using terraform and gcp provider, but works in UI