Reputation: 174
I want to use a Google Cloud Build trigger to run Terraform, and I want to create a Firebase project with Terraform. However, the build trigger fails with the error below.
Step #2 - "terraform apply": │ Error: error creating project *********** (Project Display Name): googleapi: Error 403: Service accounts cannot create projects without a parent., forbidden. If you received a 403 error, make sure you have the roles/resourcemanager.projectCreator permission
The error means that the service account running Cloud Build does not have the permission roles/resourcemanager.projectCreator.
Below is the main.tf for Terraform.
# Terraform configuration to set up providers by version.
terraform {
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 4.0"
    }
  }
}

# Configures the provider to use the resource block's specified project for quota checks.
provider "google-beta" {
  user_project_override = true
}

# Configures the provider to not use the resource block's specified project for quota checks.
# This provider should only be used during project creation and initializing services.
provider "google-beta" {
  alias                 = "no_user_project_override"
  user_project_override = false
}

# Creates a new Google Cloud project.
resource "google_project" "default" {
  provider   = google-beta.no_user_project_override
  name       = "Project Display Name"
  project_id = "imatsusoft-project-new-prct5"

  # Required for any service that requires the Blaze pricing plan
  # (like Firebase Authentication with GCIP)
  billing_account = "*****-******-******"

  # Required for the project to display in any list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }
}

# Enables required APIs.
resource "google_project_service" "default" {
  provider = google-beta.no_user_project_override
  project  = google_project.default.project_id
  for_each = toset([
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "firebase.googleapis.com",
    # Enabling the ServiceUsage API allows the new project to be quota checked from now on.
    "serviceusage.googleapis.com",
  ])
  service = each.key

  # Don't disable the service if the resource block is removed by accident.
  disable_on_destroy = false
}

# Enables Firebase services for the new project created above.
resource "google_firebase_project" "default" {
  provider = google-beta
  project  = google_project.default.project_id

  # Waits for the required APIs to be enabled.
  depends_on = [
    google_project_service.default
  ]
}

# Creates a Firebase Android App in the new project created above.
resource "google_firebase_android_app" "default" {
  provider     = google-beta
  project      = google_project.default.project_id
  display_name = "My Awesome Android app"
  package_name = "awesome.package.name"

  # Wait for Firebase to be enabled in the Google Cloud project before creating this App.
  depends_on = [
    google_firebase_project.default,
  ]
}
Therefore, I executed the following command to grant permission to this service account:
gcloud projects add-iam-policy-binding sample-project-1354w23 --member serviceAccount:**********@cloudbuild.gserviceaccount.com --role roles/resourcemanager.projectCreator
The following error message appeared, indicating that permission could not be granted to this service account.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/resourcemanager.projectCreator is not supported for this resource.
I've confirmed that the GCP project belongs to the organization, but I'm still encountering the same error. I'd like to seek assistance regarding this issue.
Upvotes: 0
Views: 154
Reputation: 146
So the role roles/resourcemanager.projectCreator can't be assigned at the project level; the lowest level it can be assigned at is a folder (the highest being the organization).
Check here
I think this explains the last error message you mentioned.
For the Cloud Build part, it could be the IAM part, or you need to define whether the project will be attached directly to the org or to a particular folder.
As explained here
Example with the project attached to the org:
resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "your-project-id"
  org_id     = "1234567"
}
Example with the project attached to a folder:
resource "google_project" "my_project-in-a-folder" {
  name       = "My Project"
  project_id = "your-project-id"
  folder_id  = google_folder.department1.name
}

resource "google_folder" "department1" {
  display_name = "Department 1"
  parent       = "organizations/1234567"
}
Upvotes: 0
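The two points in the answer (bind projectCreator on a folder or the organization, not on a project, and give the new project a parent) combined into one configuration, as an added example that is not part of the question or the answer. It assumes a folder that already exists (`folders/000000000000`), a billing account ID and a Cloud Build service account (`000000000000@cloudbuild.gserviceaccount.com`); all three are placeholders. The IAM resources must be applied once by an identity that can administer the folder and the billing account (for example an org admin running Terraform locally), because the Cloud Build service account cannot grant itself the role it is missing; after that bootstrap the build trigger can create projects under the folder.

```hcl
# Added example: fixes the "Service accounts cannot create projects without a
# parent" error. IDs below are placeholders, not values from the question.

variable "folder" {
  type    = string
  default = "folders/000000000000"   # assumed: folder that will hold the Firebase projects
}

variable "billing_account" {
  type    = string
  default = "AAAAAA-BBBBBB-CCCCCC"   # assumed: billing account ID
}

variable "cloudbuild_sa" {
  type    = string
  default = "serviceAccount:000000000000@cloudbuild.gserviceaccount.com"   # assumed: Cloud Build SA
}

provider "google-beta" {
  alias                 = "no_user_project_override"
  user_project_override = false
}

# roles/resourcemanager.projectCreator is only accepted on folders and
# organizations, which is why `gcloud projects add-iam-policy-binding` answered
# INVALID_ARGUMENT. Binding it on a folder instead of the organization limits
# where the build service account can create projects (least privilege).
resource "google_folder_iam_member" "cloudbuild_project_creator" {
  folder = var.folder
  role   = "roles/resourcemanager.projectCreator"
  member = var.cloudbuild_sa
}

# Setting billing_account on the new project also needs roles/billing.user on
# that billing account, otherwise apply stops with a second 403.
resource "google_billing_account_iam_member" "cloudbuild_billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = var.cloudbuild_sa
}

# The project now has a parent (folder_id); org_id would be the alternative.
resource "google_project" "default" {
  provider        = google-beta.no_user_project_override
  name            = "Project Display Name"
  project_id      = "example-firebase-project-id"   # assumed placeholder
  folder_id       = var.folder
  billing_account = var.billing_account

  # Required for the project to display in any list of Firebase projects.
  labels = {
    "firebase" = "enabled"
  }

  # Make sure the bindings exist before the project is created.
  depends_on = [
    google_folder_iam_member.cloudbuild_project_creator,
    google_billing_account_iam_member.cloudbuild_billing_user,
  ]
}
```

IAM changes take a little time to propagate, so a build that starts seconds after the bindings are created can still see the 403; re-running the trigger after a minute is usually enough. Keep the binding on the narrowest parent that works: projectCreator on the organization lets the build service account create projects anywhere in the org, and the Cloud Build service account is reachable by anyone who can push to the repository wired to the trigger.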