I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of TensorFlow and stuff. Even though I can fully access training, deploying and testing models inside a project, I can't make any new projects since I am authenticated with a service account through:

```python
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
```

But as far as I understand, service accounts are project-bound, so it's perfectly correct that creating a new project with it raises an error. In fact it does:

```python
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
```

Fails with:

Service accounts cannot create project without a parent.

So either creating/finding a "parent" for this project or logging in with a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs).

Update: I've tried creating a project using the "parent" flag on the project's body, on the Organization made from the corp I work on, and even though this service account has "Owner" and "Organization Administrator" roles the create request fails with:

 Encountered 403 Forbidden with reason "forbidden"
 User is not authorized.

So the problem persists.

1 Answer

You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.

The problem is that your project is not part of an Organization (you have no parent). Your solution is to either set up Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to set up billing in order to do anything useful.

There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.

There are other types of access to cloud services such as API Keys, but these do not apply to your issue.

Quickstart Using Organizations

John Hanley
  • Thanks a lot, if I then set up an organization, activate the APIs via gcloud shell, and set up the billing as in: https://developers.google.com/resources/api-libraries/documentation/cloudbilling/v1/python/latest/cloudbilling_v1.projects.html should it work? – Irribarra Cristián Dec 11 '18 at 13:40
  • Yes, except that once you enable organizations, there are more sets of permissions that you need at the `org` level. – John Hanley Dec 11 '18 at 21:51
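
An added example (not code from the question or the answer) of checking the org-level permission before calling `projects.create` with an organization parent, so a missing grant surfaces as a clear error rather than a bare 403. The function names and the organization ID passed in are assumptions; `resourcemanager.projects.create` is the IAM permission that the create call checks on the parent.

```python
"""Preflight and create against Cloud Resource Manager v1 (added example)."""

CREATE_PERMISSION = "resourcemanager.projects.create"


def build_service(key_path):
    # Lazy imports: the helpers below only need an object shaped like the client.
    from google.oauth2 import service_account
    from googleapiclient import discovery

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=["https://www.googleapis.com/auth/cloud-platform"]
    )
    return discovery.build(
        "cloudresourcemanager", "v1", credentials=creds, cache_discovery=False
    )


def can_create_projects(service, org_id):
    """Ask the API whether the caller holds projects.create on the organization."""
    resp = service.organizations().testIamPermissions(
        resource=f"organizations/{org_id}",
        body={"permissions": [CREATE_PERMISSION]},
    ).execute()
    # Only permissions the caller actually holds come back; the key is
    # absent when none of the requested permissions are granted.
    return CREATE_PERMISSION in resp.get("permissions", [])


def project_body(project_id, org_id, display_name=None):
    """Request body for projects.create with an organization as parent."""
    return {
        "projectId": project_id,
        "name": display_name or project_id,
        "parent": {"type": "organization", "id": str(org_id)},
    }


def create_project(service, project_id, org_id):
    """Create the project only if the preflight passes; returns the Operation."""
    if not can_create_projects(service, org_id):
        raise PermissionError(
            f"caller lacks {CREATE_PERMISSION} on organizations/{org_id}"
        )
    body = project_body(project_id, org_id)
    return service.projects().create(body=body).execute()
```

`build_service("thisisakey.json")` returns the real client; the other functions accept any object with the same method shape, which makes the permission logic testable without network access.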