
I'm trying to export project assets with Google Cloud Asset Inventory and the gcloud command (version 314.0.0), authenticated with a service account:

# 1. authenticate with service account my-service-account@$PROJECT_ID.iam.gserviceaccount.com
gcloud auth activate-service-account --key-file=/path/to/my/key.json

# 2. export assets to BQ
gcloud asset export \
    --project=$PROJECT_ID \
    --bigquery-table=projects/$PROJECT_ID/datasets/$DATASET_ID/tables/$TABLE_ID \
    --output-bigquery-force \
    --content-type=resource

And got the following error:

ERROR: (gcloud.asset.export) User [my-service-account@$PROJECT_ID.iam.gserviceaccount.com] does not have permission to access project [$PROJECT_ID:exportAssets] (or it may not exist): The caller does not have permission

My service account has the following roles on $PROJECT_ID:

  • roles/cloudasset.viewer
  • roles/bigquery.jobUser
  • roles/bigquery.dataEditor

Note that gcloud asset export works when I'm logged in with my own personal account, which has the same roles as my service account.

Adding the --verbosity=debug flag to gcloud does not add additional info:

apitools.base.py.exceptions.HttpForbiddenError: HttpError accessing https://cloudasset.googleapis.com/v1/projects/$PROJECT_ID:exportAssets?alt=json

with the following content:

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

I don't understand the difference between being logged in with the service account (gcloud auth activate-service-account) and with my own personal account (gcloud auth login); both should work since I have exactly the same permissions.

Any idea would be appreciated.

norbjd
  • Does the export work if you restrict the asset types with the `--asset-types` gcloud flag? Does it work if you give the service account permissions on storage and try the export to GCS instead of BQ? Just throwing some ideas on how to restrict the possible root causes of a permission error... – Jofre Oct 19 '20 at 09:23
  • @Jofre thanks for your comment. It does not work with `--asset-types` but it seems to work on GCS. I just needed to add `service-$PROJECT_ID_OF_BUCKET@gcp-sa-cloudasset.iam.gserviceaccount.com` as storage admin. I'll try to do the same with BigQuery. – norbjd Oct 19 '20 at 09:55
  • Yup, that issue seems documented here: https://cloud.google.com/asset-inventory/docs/faq#how_do_i_export_assets_to_tables_that_dont_belong_to_the_current_project – Jofre Oct 19 '20 at 11:12

1 Answer


There is an open investigation on this issue:

permission denied error when exporting asset to GCS or BigQuery

It seems that you have to impersonate the built-in service account service-xxxxxxxx@gcp-sa-cloudasset.iam.gserviceaccount.com and add the Storage Admin role to it.

Also, you will have to add the roles roles/bigquery.jobUser and roles/bigquery.dataEditor to the service account service-xxxxxxxx@gcp-sa-cloudasset.iam.gserviceaccount.com, where xxxxxx is the project id.

marian.vladoi
  • Thanks for your answer. In fact, I had to add to `service-xxxxxxxx@gcp-sa-cloudasset.iam.gserviceaccount.com` (`xxxxxxxx` = project ID of my service account) the roles `roles/bigquery.jobUser` and `roles/bigquery.dataEditor`. Could you update your answer with that additional info so I can accept it? Thanks. – norbjd Oct 19 '20 at 11:25
  • ok, I updated my answer. I am happy that your issue was solved. – marian.vladoi Oct 19 '20 at 11:32
  • also, service account is not auto-created. see here: https://stackoverflow.com/questions/63785247/gcp-managed-service-account-is-not-created-for-cloud-asset-api – Alexo Po. Jun 06 '22 at 13:18
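The fix that the answer and its comments converge on, written out as a script. This is an added example, not code from the question or the answer: it builds the Cloud Asset service agent address (the answer writes it as service-xxxxxxxx@...; the real address carries the project number, which the script looks up from the project ID), creates the agent if it does not exist yet (the last comment notes it is not auto-created), checks which of the two BigQuery roles the agent already holds so only the missing bindings are added, and then re-runs the export from the question. PROJECT_ID, DATASET_ID and TABLE_ID are the same placeholders the question uses; DRY_RUN and PROJECT_NUMBER are this script's own variables and let it print the gcloud commands without a project.

```shell
#!/usr/bin/env sh
# Added example (not the question's or the answer's own code).
# Grants the Cloud Asset service agent the BigQuery roles named in the answer,
# then re-runs the export from the question. Assumptions: gcloud is installed
# and authenticated as someone allowed to edit IAM on the project; DRY_RUN=1
# prints the commands instead of running them; PROJECT_NUMBER can be preset
# to skip the project lookup.

# Service agent address: "service-<project number>@gcp-sa-cloudasset..."
# (the answer spells it service-xxxxxxxx@...).
cloudasset_agent_email() {
    printf 'service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com\n' "$1"
}

# Fully qualified table path in the form --bigquery-table expects.
bq_table_path() {
    printf 'projects/%s/datasets/%s/tables/%s\n' "$1" "$2" "$3"
}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Exit 0 when the project policy already binds role $3 to service account $2.
# Flattening bindings[].members gives one row per member, so the filter can
# match role and member together.
agent_has_role() {
    gcloud projects get-iam-policy "$1" \
        --flatten='bindings[].members' \
        --filter="bindings.role=$3 AND bindings.members:serviceAccount:$2" \
        --format='value(bindings.role)' | grep -q .
}

fix_asset_export() {
    project_id=$1; dataset_id=$2; table_id=$3
    project_number=${PROJECT_NUMBER:-$(gcloud projects describe "$project_id" \
        --format='value(projectNumber)')}
    agent=$(cloudasset_agent_email "$project_number")

    # The agent is not created until asked for (see the last comment above).
    run gcloud beta services identity create \
        --service=cloudasset.googleapis.com --project="$project_id"

    # Only the two BigQuery roles the answer names; nothing broader.
    for role in roles/bigquery.jobUser roles/bigquery.dataEditor; do
        if [ "${DRY_RUN:-0}" != "1" ] && agent_has_role "$project_id" "$agent" "$role"; then
            printf 'agent already has %s, skipping\n' "$role"
            continue
        fi
        run gcloud projects add-iam-policy-binding "$project_id" \
            --member="serviceAccount:$agent" --role="$role"
    done

    # The export command from the question, unchanged apart from the variables.
    run gcloud asset export --project="$project_id" \
        --bigquery-table="$(bq_table_path "$project_id" "$dataset_id" "$table_id")" \
        --output-bigquery-force --content-type=resource
}

# Usage: sh fix-asset-export.sh PROJECT_ID DATASET_ID TABLE_ID
if [ $# -eq 3 ]; then
    fix_asset_export "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 and PROJECT_NUMBER set to see the three gcloud commands before anything changes; without DRY_RUN it skips any binding the agent already holds, so re-running it is harmless. The caller's own roles from the question (cloudasset.viewer, bigquery.jobUser, bigquery.dataEditor) stay as they are: the point of the thread is that the BigQuery write is done by the service agent, not by the identity that runs gcloud.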