
So I'm trying to create a project with Google Cloud Deployment Manager; I've structured the setup roughly as below:

# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)

Organization:
  IAM:
    -> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
        - Compute Network Admin
        - Compute Shared VPC Admin
        - Organisation Viewer
        - Project Creator

# DeploymentManager Resource:
type: cloudresourcemanager.v1.project
name: MyNewProject
parent:
  id: '{folder1-id}'
  type: folder
projectId: MyNewProject

The desired result is that MyNewProject should be created under Folder1. However, it appears as if the Deployment Manager service account does not have sufficient permissions:

$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
  create MyNewDeployment \
  --config config.yaml \
  --verbosity=debug

Error message:

- code: RESOURCE_ERROR
  location: /deployments/MyNewDeployment/resources/MyNewProject
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'

I've done some digging, and it appears to be calling the resourcemanager.projects.get method; the 'Compute Shared VPC Admin (roles/compute.xpnAdmin)' role should provide this permission as documented here: https://cloud.google.com/iam/docs/understanding-roles

Except that doesn't seem to be the case. What's going on?

Edit

I'd like to add some additional information gathered from debugging efforts: these are the API requests from Deployment Manager (from the seed project).

You can see that the caller is an anonymous service account; this isn't what I'd expect to see. (I'd expect to see {Seed-Project-Number}@cloudservices.gserviceaccount.com as the calling account here.)

screenshot

Edit-2

config.yaml

imports:
  - path: composite_types/project/project.py
    name: project.py

resources:
  - name: MyNewProject
    type: project.py
    properties:
      parent:
        type: folder
        id: "{folder1-id}"
      billingAccountId: billingAccounts/REDACTED
      activateApis:
        - compute.googleapis.com
        - deploymentmanager.googleapis.com
        - pubsub.googleapis.com
      serviceAccounts: []

composite_types/project/* is an exact copy of the templates found here:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/project

howie
Chronojam
    You need `resourcemanager.projects.create`. Or a predefined role: `roles/owner` or `roles/editor`. You need the permission either at the Organization or Folder level. – John Hanley Mar 26 '19 at 23:22
  • Heya, I have assigned it the Project Creator role at the organizational level, which should grant resourcemanager.projects.create at all the inherited resources (Folder1 and all projects underneath); I can see that permission reflected correctly. – Chronojam Mar 27 '19 at 10:49
  • Difficult to tell without having seen the (redacted) `config.yaml`. For reference, [here](https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/project_creation) it's explained in detail. – Martin Zeitler Mar 29 '19 at 10:52
  • Hiya Martin, thanks for the link. I was already following instructions from the same repo (but in a different location; they appear to be more or less the same). I've added the redacted config.yaml and a link to the project templates I'm using. – Chronojam Mar 29 '19 at 11:30
  • Where did you execute your deploy code? Cloud Shell or your local shell? – howie Mar 29 '19 at 23:43
  • This was run locally, but I am able to reproduce in cloud shell too. – Chronojam Mar 31 '19 at 10:47
  • I saw this: `You should create a new project using the Cloud Console that will be used as your “Project Creation” project. The service account under which Deployment Manager runs needs powerful IAM permissions to create projects and manage billing accounts, hence the recommendation to create this special project and use it only for creation of other projects.` [here](https://cloud.google.com/blog/products/gcp/automating-project-creation-with-google-cloud-deployment-manager). Idk if that's your problem. but give it a try. – HelloThere Apr 03 '19 at 20:25
  • Hiya Deyi, thanks for the link. This is the pattern I've tried to follow; the seed project I'm referring to is just a project I've created manually and am running Deployment Manager from. The service account it's using, [seed-account-id]@cloudservices.gserviceaccount.com, has all the required permissions at the organizational level. I am able to use this seed project to create resources in other (pre-created) projects, just not to create new projects themselves. – Chronojam Apr 04 '19 at 11:02
  • If you're open to v2 it looks like there's a different sample here: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/project_creation – afed Apr 05 '19 at 04:00
  • Are you re-using the project ID of a project that is currently in a "30 day soft delete state?" I had the exact same error message due to this scenario. – ryanhos Apr 22 '19 at 15:13
  • Thanks ryanhos; I think that might've actually been the problem in this particular case (I can certainly believe I was deleting and attempting to recreate the same project). Unfortunately I've since had to ditch this effort for an alternative, so I'm not able to verify; however, I will post an update here if I get a chance to attempt this again. – Chronojam Apr 23 '19 at 14:21

2 Answers

The key thing is that this is a GET operation, not an attempt to create the project. This is to verify global uniqueness of the project-id requested, and if not unique, PERMISSION_DENIED is thrown.

Lousy error message, lots of wasted developer hours!

koma
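Because the failing call is a `projects.get` that returns 403 for an ID the caller cannot see as well as for a genuine permission gap, the raw RESOURCE_ERROR is easy to misread. The script below is an added example (not code from the question, the answers, or the Deployment Manager samples) that unpacks the JSON payload Deployment Manager nests inside the `message` string and turns it into a list of concrete things to check. The sample error is constructed to match the one quoted in the question; the project ID format rule is Google Cloud's documented one (6 to 30 characters, lowercase letters, digits and hyphens, starting with a letter), and the hint text is the author's wording.

```python
"""Triage a Deployment Manager RESOURCE_ERROR for a cloudresourcemanager.v1.project.

Added example; the sample error below is constructed to match the message
quoted in the question, not captured from a real deployment.
"""
import json
import re

# Documented Google Cloud project ID format: 6-30 characters, lowercase letters,
# digits and hyphens, must start with a letter and must not end with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed sample: the error entry from the question, as the dict that
# Deployment Manager's YAML error output deserialises to.
SAMPLE_ERROR = {
    "code": "RESOURCE_ERROR",
    "location": "/deployments/MyNewDeployment/resources/MyNewProject",
    "message": json.dumps({
        "ResourceType": "cloudresourcemanager.v1.project",
        "ResourceErrorCode": "403",
        "ResourceErrorMessage": {
            "code": 403,
            "message": "The caller does not have permission",
            "status": "PERMISSION_DENIED",
            "statusMessage": "Forbidden",
            "requestPath": "https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject",
            "httpMethod": "GET",
        },
    }),
}


def parse_resource_error(error):
    """Unpack the JSON string nested inside 'message'.

    Returns a flat dict (resource_type, http_status, method, path, status), or
    None when the entry is not a RESOURCE_ERROR with a parseable payload.
    """
    if error.get("code") != "RESOURCE_ERROR":
        return None
    try:
        outer = json.loads(error["message"])
    except (KeyError, TypeError, ValueError):
        return None
    inner = outer.get("ResourceErrorMessage") or {}
    try:
        http_status = int(outer.get("ResourceErrorCode") or inner.get("code") or 0)
    except ValueError:
        http_status = 0
    return {
        "resource_type": outer.get("ResourceType"),
        "http_status": http_status,
        "method": inner.get("httpMethod"),
        "path": inner.get("requestPath"),
        "status": inner.get("status"),
    }


def project_id_from_path(path):
    """Pull the project ID out of a Resource Manager v1 request path."""
    m = re.search(r"/v1/projects/([^/?]+)", path or "")
    return m.group(1) if m else None


def triage(error):
    """Map a project RESOURCE_ERROR to a category and a list of things to check."""
    info = parse_resource_error(error)
    if info is None or info["resource_type"] != "cloudresourcemanager.v1.project":
        return "other", ["not a cloudresourcemanager.v1.project error"]

    project_id = project_id_from_path(info["path"])
    hints = []
    if project_id and not PROJECT_ID_RE.match(project_id):
        hints.append(f"project ID {project_id!r} does not match the required format "
                     "(6-30 chars, lowercase letters, digits, hyphens, starts with a letter)")

    if info["method"] == "GET" and info["http_status"] == 403:
        # projects.get answers 403 both when the caller lacks resourcemanager.projects.get
        # and when the ID belongs to a project the caller cannot see, including one still
        # in the 30-day soft-delete window (the case raised in the comments).
        hints += [
            f"project ID {project_id!r} may already be taken (another org, or soft-deleted)",
            "if the ID really is free, the caller lacks resourcemanager.projects.get on it",
        ]
        return "get_403", hints
    if info["method"] == "POST" and info["http_status"] == 403:
        hints.append("caller lacks resourcemanager.projects.create on the parent folder/org")
        return "create_403", hints
    return "other", hints + [f"{info['method']} {info['path']} -> {info['http_status']} {info['status']}"]


if __name__ == "__main__":
    category, checks = triage(SAMPLE_ERROR)
    print(category)
    for check in checks:
        print(" -", check)
```

Run it against the error block that `gcloud deployment-manager deployments create` prints (after loading it as YAML); a `get_403` result means the first thing to rule out is an ID collision, not an IAM binding.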
Probably late, but just to share that I ran into a similar issue today. I double-checked every permission mentioned in the README for the service account under which the Deployment Manager job runs ({Seed-Project-Number}@cloudservices.gserviceaccount.com in the question), and it turned out that the Billing Account User role was not assigned, contrary to what I thought earlier. Granting that and running it again worked.

slk
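The missing-role situation in this answer is easy to catch mechanically before running a deployment. The following is an added example (not code from the answer or the template README) that diffs the IAM policies of the resources involved against the roles the service account needs. The required-role list is limited to the two roles this thread names (Project Creator on the organization, Billing Account User on the billing account); the organization ID, billing account name, service account e-mail and the policy contents are constructed sample data in the shape `gcloud ... get-iam-policy --format=json` returns.

```python
"""Report roles a service account is missing on each resource it needs.

Added example. REQUIRED lists only the roles this thread mentions; the
resource names, member and policies below are constructed sample data.
"""

# Roles the thread names: Project Creator on the org, Billing Account User on
# the billing account. Extend per the template README for your setup.
REQUIRED = {
    "organizations/123456789012": {"roles/resourcemanager.projectCreator"},
    "billingAccounts/REDACTED": {"roles/billing.user"},
}

# Constructed sample member and policies (assumed values, not real accounts).
MEMBER = "serviceAccount:111111111111@cloudservices.gserviceaccount.com"

SAMPLE_POLICIES = {
    "organizations/123456789012": {"bindings": [
        {"role": "roles/resourcemanager.projectCreator", "members": [MEMBER]},
        {"role": "roles/compute.xpnAdmin", "members": [MEMBER]},
        {"role": "roles/resourcemanager.organizationViewer", "members": [MEMBER]},
    ]},
    "billingAccounts/REDACTED": {"bindings": [
        # Only a human admin here: the service account has no billing role.
        {"role": "roles/billing.admin", "members": ["user:admin@example.com"]},
    ]},
}


def roles_for(policy, member):
    """Roles unconditionally granted to `member` by an IAM policy document.

    Bindings that carry a `condition` are skipped: this check cannot evaluate
    them, so they must not be counted as satisfying a requirement.
    """
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def missing_roles(policies, required, member):
    """Map resource -> sorted list of required roles `member` does not hold there."""
    missing = {}
    for resource, roles in required.items():
        have = roles_for(policies.get(resource, {}), member)
        gap = roles - have
        if gap:
            missing[resource] = sorted(gap)
    return missing


if __name__ == "__main__":
    for resource, roles in missing_roles(SAMPLE_POLICIES, REQUIRED, MEMBER).items():
        print(f"{resource}: missing {', '.join(roles)}")
```

Feed it the real policies (`gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud beta billing accounts get-iam-policy ACCOUNT_ID --format=json`) and it reports exactly the gap this answer describes, without reading each binding by hand.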