Reputation: 53
The service account has all permissions to create a VM instance (Service Account User, Project Owner, Project Editor). When I run Terraform, this occurs:
│ Error: Error waiting for instance to create: The user does not have access to service account '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
│
│
│ with module.vm.google_compute_instance.icinga,
│ on modules/vm/main.tf line 23, in resource "google_compute_instance" "icinga":
│ 23: resource "google_compute_instance" "icinga" {
Upvotes: 1
Views: 639
Reputation: 81464
There is something wrong with how you have Terraform set up.
The error message includes the text "The user does not have access to service account '[email protected]'."
The identity [email protected] is not a service account.
Once you have the credentials set up correctly, the identity that Terraform is using for authorization must have the role roles/iam.serviceAccountUser or similar. The role you select must have the permission iam.serviceAccounts.actAs.
Note: roles such as roles/compute.admin do not have the permission iam.serviceAccounts.actAs.
Terraform by default will look for the environment variable GOOGLE_APPLICATION_CREDENTIALS. That variable should point to the full path of a service account JSON key file.
Next, Terraform will look for the CLI/SDK credentials created by gcloud auth application-default login.
I prefer to specify the service account in the Terraform HCL (usually in a variables file).
provider "google" {
project = "PROJECT_ID"
credentials = "/path/to/service-account.json"
}
Upvotes: 4
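A way to check the actAs requirement described above before running Terraform, as an added example that is not part of the original answer: it takes the IAM policy of the target service account and of the project (the JSON that `gcloud iam service-accounts get-iam-policy SA --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` return; the two documents below are constructed stand-ins) and reports whether the identity Terraform runs as holds a role that carries iam.serviceAccounts.actAs. The set of roles treated as carrying actAs, the email addresses, and the domain-based user/serviceAccount mapping are assumptions; verify the role set against the IAM role reference, since custom roles may differ.

```python
"""Check whether the identity Terraform authenticates as may act as the VM's
service account. Added example; policies below are constructed samples."""

# Assumption: predefined roles that include iam.serviceAccounts.actAs.
# roles/compute.admin is deliberately absent (it lacks actAs, as the answer notes).
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/owner", "roles/editor"}

# Constructed sample: policy bound directly on the VM's service account.
SA_POLICY = {
    "version": 1,
    "etag": "ETAG_PLACEHOLDER",
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:terraform@example-project.iam.gserviceaccount.com"]},
        # Conditional binding: counted as not granting, to stay conservative.
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com"],
         "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}

# Constructed sample: project-level policy, inherited by every SA in the project.
PROJECT_POLICY = {
    "version": 1,
    "etag": "ETAG_PLACEHOLDER",
    "bindings": [
        {"role": "roles/compute.admin",
         "members": ["user:alice@example.com",
                     "serviceAccount:terraform@example-project.iam.gserviceaccount.com"]},
    ],
}


def principal(email: str) -> str:
    """Map the bare email shown in the Terraform error to an IAM member string.
    Assumption: *.gserviceaccount.com addresses are service accounts, others are users."""
    kind = "serviceAccount" if email.endswith(".gserviceaccount.com") else "user"
    return f"{kind}:{email}"


def roles_for(policy: dict, member: str) -> set:
    """Unconditional roles bound to `member` in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}


def can_act_as(sa_policy: dict, project_policy: dict, email: str):
    """Return (has_act_as, effective_roles) for `email` on the service account.
    Project-level bindings are merged because the SA inherits them."""
    member = principal(email)
    roles = roles_for(sa_policy, member) | roles_for(project_policy, member)
    return bool(roles & ACT_AS_ROLES), roles


if __name__ == "__main__":
    for who in ("alice@example.com", "terraform@example-project.iam.gserviceaccount.com"):
        ok, roles = can_act_as(SA_POLICY, PROJECT_POLICY, who)
        print(f"{who}: actAs={ok} roles={sorted(roles)}")
```

For a real project, feed the two `gcloud ... get-iam-policy --format=json` outputs into `SA_POLICY` and `PROJECT_POLICY`; a `False` result for the identity in the error message means a project owner still needs to grant roles/iam.serviceAccountUser (or another actAs-bearing role) on the service account.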