
I had some trouble creating a service account and assigning roles to it. Initially I based my code on this example; however, I couldn't get it to work because, while it does create the service account, it does not assign roles to it. So I looked around on Stack Overflow and found this answer, which does work.

Pasted below is the content of the Jinja file responsible for creating the service account that doesn't work. What I expect it to do is create a service account and then assign the pubsub.editor and dataflow.developer roles to it.

I don't understand why the code below doesn't work so I'm hoping someone can explain what is wrong with it.

{# Service account creation #}
resources:
- type: gcp-types/iam-v1:projects.serviceAccounts
  name: {{ env['name'] }}
  properties:
    accountId: {{ env['name'] }}
    displayName: serviceAccount-{{ env['name'] }}
  {# accessControl sets the IAM policy on this resource, i.e. on the service account itself #}
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/dataflow.developer
        members:
        - "serviceAccount:myaccount-sa@myproject.iam.gserviceaccount.com"
      - role: roles/pubsub.editor
        members:
        - "serviceAccount:myaccount-sa@myproject.iam.gserviceaccount.com"
FunkyCode
  • Did you try the sample template in [this answer](https://stackoverflow.com/questions/48710548/google-deployment-manager-assigning-iam-policies-at-project/49416120#answer-49416120)? Please try the same template as that. After deploying, what error do you see in your Deployment console? Furthermore, please make sure your Deployment Manager has the permission to set IAM policies; you can follow [this document](https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources#granting_deployment_manager_permission_to_set_iam_policies). – mehdi sharifi Feb 11 '19 at 21:35
  • I have followed the template that you mentioned and that one works. Using the code in my original question does create the service account, but it doesn't assign any of the roles to it. It doesn't produce any errors, unfortunately. – FunkyCode Feb 12 '19 at 09:52
  • Please check [Access control](https://cloud.google.com/deployment-manager/docs/access-control#access_control_for_deployment_manager) for Deployment Manager. The corresponding service account should have the appropriate roles to accomplish your task. – mehdi sharifi Feb 12 '19 at 22:15
  • The cloudservices.gserviceaccount.com account is owner of the project, so that should be fine. The account that I'm using to deploy the deployment is also set to owner of the project, so that can't be the issue either. – FunkyCode Feb 13 '19 at 09:10
  • The thing that I don't understand is that in the [example](https://stackoverflow.com/questions/48710548/google-deployment-manager-assigning-iam-policies-at-project/49416120#49416120) you said does work, they use this syntax "... gcpIamPolicyPatch: ... add: ...", however your syntax is different. Please use the same structure and let's see if that helps. – mehdi sharifi Feb 14 '19 at 21:23
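
Editor's note on the thread above, with an added example that is not the asker's template or any answer on the page. The `accessControl` block on a `gcp-types/iam-v1:projects.serviceAccounts` resource edits the IAM policy of that resource, the service account itself: it decides which principals may use, impersonate or administer the account. It does not bind the account to roles on the project, which is why the original template creates the account without errors but `roles/pubsub.editor` and `roles/dataflow.developer` never show up in the project policy. The comment thread points at the `getIamPolicy`/`setIamPolicy` + `gcpIamPolicyPatch` pattern; the template below uses the alternative `gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding` type, which adds one member to one project role (and removes it on deployment delete) without a read-modify-write of the whole project policy. The deployer principal `user:deployer@example.com`, the `roles/iam.serviceAccountUser` binding and the two role names are illustrative assumptions; `env['name']`, `env['project']` and `$(ref.<name>.email)` are standard Deployment Manager template variables.

```jinja
{# Added example, not the asker's template: create a service account and grant it
   project-level roles. Deploy with a config that imports this file as a template. #}
resources:

{# 1. The service account itself. #}
- name: {{ env['name'] }}
  type: gcp-types/iam-v1:projects.serviceAccounts
  properties:
    accountId: {{ env['name'] }}
    displayName: serviceAccount-{{ env['name'] }}
  {# accessControl edits the IAM policy *of this service account resource*:
     who may act as / manage the account, NOT what the account may do in the
     project. Keep this to the principals that genuinely need to impersonate it
     (least privilege); "user:deployer@example.com" is an assumed placeholder. #}
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/iam.serviceAccountUser
        members:
        - user:deployer@example.com

{# 2. Project-level bindings: one virtual iamMemberBinding per role. Each adds a
   single member to a single role on the project and removes that binding again
   when the deployment is deleted. $(ref.<sa-name>.email) resolves to the
   generated <accountId>@<project>.iam.gserviceaccount.com address, so the
   address is never hard-coded. The role list is illustrative. #}
{% for role in ['roles/pubsub.editor', 'roles/dataflow.developer'] %}
- name: {{ env['name'] }}-binding-{{ loop.index }}
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: {{ env['project'] }}
    role: {{ role }}
    member: serviceAccount:$(ref.{{ env['name'] }}.email)
  metadata:
    dependsOn:
    - {{ env['name'] }}
{% endfor %}
```

Whichever pattern is used, the Google APIs service account (`<project-number>@cloudservices.gserviceaccount.com`) that Deployment Manager runs as must hold `resourcemanager.projects.setIamPolicy` on the project (Owner, as the asker has, or a narrower custom role), otherwise the binding resources fail at deploy time. After deploying, confirm the result from the project policy rather than from the service account's own policy, for example `gcloud projects get-iam-policy <project> --flatten="bindings[].members" --filter="bindings.members:serviceAccount:<accountId>@"`, since `gcloud iam service-accounts get-iam-policy` shows only who can use the account.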

0 Answers