Steve Ahlswede

Reputation: 621

Error setting up Cloud Storage terraform backend: "Error impersonate: status code 403: The caller does not have permission"

I am trying to set up a terraform remote backend using GCP Cloud Storage. I first created a service account from the CLI:

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --display-name $SERVICE_ACCOUNT_NAME

And then added roles to it. From what I read in the Cloud Storage (GCS) docs, the roles/storage.objectAdmin role should give full rights over GCS objects:

gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/storage.objectAdmin

I have the following main.tf file:

terraform {
  required_version = "1.2.2"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.13.0"
    }
  }

  backend "gcs" {
  }

}

provider "google" {
  project = "project-sandbox"
  region  = "europe-west1"
  impersonate_service_account = "[email protected]"
}

And here is my remote.backend file:

bucket = "my_example_sandbox_bucket_985gd5d"
prefix = "terraform/state"
impersonate_service_account = "[email protected]"

However, when I run terraform init -backend-config=remote.backend, I get the following error:

Initializing the backend...
╷
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/my_example_sandbox_bucket_985gd5d/o?alt=json&delimiter=%2F&pageToken=&prefix=terraform%2Fstate%2F&prettyPrint=false&projection=full&versions=false": impersonate: status code 403: {
│   "error": {
│     "code": 403,
│     "message": "The caller does not have permission",
│     "status": "PERMISSION_DENIED"
│   }
│ }

I tried to give my service account more roles such as roles/iam.serviceAccountTokenCreator, as the Terraform docs on using GCS as a backend state this is required. However, the error persists. Is there a problem in my terraform somewhere? Or is there a role that I am missing? I could try giving it the owner role, but that seems a bit extreme given it should only be needed for writing files to the bucket.

Upvotes: 4

Views: 2891

Answers (2)

Tibor

Reputation: 33

I solved the problem by putting the service account to impersonate into the block

  • provider "google" {}

Previously I had it in

  • backend "gcs" {}

It should be part of the provider block. But for tofu plan to work with backend reconfigure, it must also be part of backend.conf

provider "google" {
  project = "projectxy"  # Replace with your GCP project ID, not project number
  impersonate_service_account = "[email protected]"
  region  = "europe-west3"
}

Now impersonation works.

Upvotes: 0

Andrés

Reputation: 515

Please check the following:

  1. The Organization Policy API needs to be enabled.
  2. The Service Account needs to have an Organization Policy Administrator role at the organization level.
  3. The Service Account User and Service Account Token Creator roles should be assigned to the principal account to impersonate a service account.
  4. Your ADC (Application Default Credentials) needs to be configured for the same user as your terraform apply user/organization. If not, you could run gcloud auth application-default login again and recreate the ADC with the right user.

Upvotes: 4
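Andrés's third point is the one the question's setup misses: the caller (the ADC principal) must hold roles/iam.serviceAccountTokenCreator on the service account, whereas the question granted that role to the service account itself at project level. The following check is an added example, not code from the thread: it takes policy JSON of the shape returned by gcloud iam service-accounts get-iam-policy and gcloud projects get-iam-policy and reports which of the two bindings is missing; the caller, service account name and policies are constructed placeholders.

```python
"""Offline check of the IAM bindings behind a Terraform GCS-backend
'impersonate: status code 403'. Policy dicts have the shape returned by
`gcloud iam service-accounts get-iam-policy SA --format=json` and
`gcloud projects get-iam-policy PROJECT --format=json`."""
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
STORAGE_ROLES = ("roles/storage.objectAdmin", "roles/storage.admin")


def members_with_role(policy, role):
    """Return the set of members bound to `role` in one IAM policy."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def diagnose(caller, sa_email, sa_policy, project_policy):
    """Return a list of problems (empty = both bindings in place).
    caller is the ADC principal, e.g. "user:alice@example.com"; sa_policy is the
    policy of the SA resource; project_policy that of the bucket's project."""
    problems = []
    # 1. The *caller* needs Token Creator on the SA, bound directly on the SA
    #    resource or inherited from the project. Granting it to the SA itself
    #    (as in the question) does not let the caller impersonate the SA.
    can_impersonate = (members_with_role(sa_policy, TOKEN_CREATOR)
                       | members_with_role(project_policy, TOKEN_CREATOR))
    if caller not in can_impersonate:
        problems.append(f"{caller} lacks {TOKEN_CREATOR} on {sa_email}")
    # 2. The impersonated SA needs a storage role to list/write state objects.
    sa_member = f"serviceAccount:{sa_email}"
    if not any(sa_member in members_with_role(project_policy, r) for r in STORAGE_ROLES):
        problems.append(f"{sa_member} has no storage role in the project policy")
    return problems


# Constructed sample mirroring the question: objectAdmin and Token Creator were
# both granted to the SA at project level; nothing was granted to the caller.
CALLER = "user:alice@example.com"  # placeholder ADC principal
SA = "tf-backend@project-sandbox.iam.gserviceaccount.com"  # placeholder SA
SA_POLICY = {"bindings": []}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [f"serviceAccount:{SA}"]},
    {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{SA}"]},
]}

if __name__ == "__main__":
    for problem in diagnose(CALLER, SA, SA_POLICY, PROJECT_POLICY):
        print("MISSING:", problem)
```

Feeding the real output of the two gcloud commands (json.load) into diagnose with your own ADC principal reproduces the check the 403 is hiding.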
