
I was trying to understand the example given in the Google Cloud samples at this link:

IAM Example

This example creates a service account, a VM, and a Pub/Sub topic. The VM runs as the service account, and the service account has subscriber access to the Pub/Sub topic, thereby giving services and applications running on the VM access to the Pub/Sub topic.

However, when I try to deploy this example, I get the error below:

```
The fingerprint of the deployment is a-v3HjAHciZeSLuE-vSeZw==
Waiting for create [operation-1525502430976-56b6fb6809800-dbd09909-c5d681b2]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1525502430976-56b6fb6809800-dbd09909-c5d681b2]: errors:
- code: RESOURCE_ERROR
  location: /deployments/test-dp/resources/my-pubsub-topic
  message: '{"ResourceType":"pubsub.v1.topic","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"User
    not authorized to perform this action.","status":"PERMISSION_DENIED","details":[],"statusMessage":"Forbidden","requestPath":"https://pubsub.googleapis.com/v1/projects/fresh-deck-194307/topics/my-pubsub-topic:setIamPolicy","httpMethod":"POST"}}'
```

It says that the user doesn't have permission to perform this action. I am unable to understand which user it is referring to. Since I am the project owner and my account is the owner of the project, I should be able to deploy a script which can set the IAM policy for subscribing to a Pub/Sub topic.

My understanding above might be wrong. Could somebody help me understand why this example is failing?

Also, if any additional configuration is needed for this example to run, I would expect it to be mentioned in the README file. But there are no instructions.

Neeraj Kumar
  • Which user or service account is deploying through DM and does that user/account have the "setIamPolicy" permission? – Patrick W Jun 21 '18 at 00:21
  • @PatrickW user is the project owner and deployment manager is being executed from cloud shell. – Neeraj Kumar Jun 22 '18 at 23:24
  • I'm doing the same thing and getting the same error. Seems to be an issue setting the IAM policy in the "pubsub_topic.jinja" file. This might be an issue with the API, I had a similar weird error message when I tried to set IAM policy through REST using the IAM API. – Patrick W Jun 25 '18 at 18:56
  • I tried deploying it again this evening and now I'm no longer getting the 403 error. It might have been a transient issue. Either way the deployment now works with no change – Patrick W Jun 25 '18 at 23:45
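
Added example, not part of the original thread: a small parser for the Deployment Manager error shown in the question. It unfolds the wrapped `message` field and pulls out the denied API call, so the permission and project to check are explicit. The function and field names are illustrative, and the derived permission name assumes the usual `service.collection.method` convention.

```python
import json
import re
from urllib.parse import urlparse

# Error text as printed in the question (IDs are the poster's own).
SAMPLE = """\
- code: RESOURCE_ERROR
  location: /deployments/test-dp/resources/my-pubsub-topic
  message: '{"ResourceType":"pubsub.v1.topic","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"User
    not authorized to perform this action.","status":"PERMISSION_DENIED","details":[],"statusMessage":"Forbidden","requestPath":"https://pubsub.googleapis.com/v1/projects/fresh-deck-194307/topics/my-pubsub-topic:setIamPolicy","httpMethod":"POST"}}'
"""

ENTRY = re.compile(r"location: (\S+)\s+message: '(.*?)'\s*$", re.S | re.M)


def parse_dm_errors(text):
    """Return one dict per resource error found in gcloud's YAML-style output."""
    results = []
    for location, raw in ENTRY.findall(text):
        # The message is a single-quoted YAML scalar folded across lines:
        # a line break plus indentation stands for one space, '' for one quote.
        unfolded = re.sub(r"\s*\n\s*", " ", raw).replace("''", "'")
        inner = json.loads(unfolded)["ResourceErrorMessage"]
        url = urlparse(inner["requestPath"])
        # Custom methods are written as "<resource path>:<method>".
        path, sep, method = url.path.rpartition(":")
        if not sep:
            path, method = url.path, None
        parts = path.strip("/").split("/")
        project = parts[parts.index("projects") + 1] if "projects" in parts else None
        service = url.netloc.split(".")[0]
        collection = parts[-2] if len(parts) >= 2 else None
        # Assumption: IAM permissions are named service.collection.method.
        permission = f"{service}.{collection}.{method}" if method else None
        results.append({
            "resource": location,
            "http_status": inner["code"],
            "status": inner["status"],
            "detail": inner["message"],
            "project": project,
            "permission": permission,
        })
    return results


if __name__ == "__main__":
    for err in parse_dm_errors(SAMPLE):
        print(err)
```
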

1 Answer

  • Make sure that APIs for all resources that you're trying to deploy are enabled.
  • Use the `gcloud auth list` command to make sure that the account with enough permissions is the active one.
  • Use the `gcloud config list` command to make sure that the default project or other settings are correct.
Kamran
Mahmoud Sharif
  • Yes, all things are checked and valid. Still it's not working. – Neeraj Kumar Jun 26 '18 at 11:22
  • I’ve tested the deployment on my end. It worked for me. If it still doesn’t work on your end, it will have to be investigated. I would recommend that you create a new issue in the [Public Issue Tracker](https://developers.google.com/issue-tracker/guides/access-ui). – Mahmoud Sharif Jun 26 '18 at 23:27