
I'm trying to add a policy binding to my service account using Google Deployment Manager with the YAML file below, but when I try to deploy it I get a "Permission denied" exception.

```yaml
resources:
  - name: test-name-deploy
    type: gcp-types/iam-v1:projects.serviceAccounts
    properties:
      accountId: accid123
      displayName: test-deploy
    # IAM policy that Deployment Manager sets on the new service account
    accessControl:
      gcpIamPolicy:
        bindings:
          - role: roles/viewer
            members:
              # IAM members are identified by their full email address
              - "serviceAccount:myservaccount"
```
```text
>  message: '{"ResourceType":"gcp-types/iam-v1:projects.serviceAccounts","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission
    iam.serviceAccounts.setIamPolicy is required to perform this operation on service
```

I have given the account the "OWNER" permission. I still get the same error. Thanks in advance.

Jofre
snithi
  • The IAM identity that Deployment Manager is running as does not have the required permission `iam.serviceAccounts.setIamPolicy`. That permission is part of `roles/iam.serviceAccountAdmin` and `roles/iam.securityAdmin`. Double-check how you are authorizing Deployment Manager (service account or ADC) and what roles are assigned to that identity. – John Hanley Apr 24 '21 at 18:25
  • Hi John Hanley, Thanks for your reply. I gave both the permissions, still I am getting the same "PERMISSION DENIED" exception. – snithi Apr 26 '21 at 05:22
  • What identity is Deployment Manager using? If you are getting the same error, you added the permissions to the wrong identity. – John Hanley Apr 26 '21 at 17:35
  • I am using my user account and gave permissions to the same (that mail id is the one displayed when I run the "gcloud auth list" command). I am assigning the new role to another service account which I gave in the script. I tried with "Owner" permission too. Hope I answered your question in the right sense. Thanks again for your reply. – snithi Apr 26 '21 at 17:53

1 Answer

Deployment Manager uses the Google APIs Service Account to call other Google APIs and manage Google Cloud resources on your behalf. You can find the account under IAM as [PROJECT_NUMBER]@cloudservices.gserviceaccount.com, which by default has the Editor role. However, to assign IAM policies to the resources, this account needs the Owner role. So, grant your project's Google APIs service account the Owner role.

You can refer to the link below for more details.

https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources#granting_permis

You can additionally refer to the policy troubleshooting guide linked below: https://cloud.google.com/iam/docs/troubleshooting-access#troubleshooting_access

I have tested this in my project and it worked for me.

  • Thank you @Abiramavalli Gopu, I got it sorted out. But the solution is same. Your answer is what worked. – snithi May 14 '21 at 11:35
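The steps the answer describes, as an added example that is not part of the question, the answer or Google's own tooling: look up the project number, derive the Google APIs service account from it, check whether the project's IAM policy already binds that account to `roles/owner`, and add the binding if it does not. The project number `123456789012`, the user `alice@example.com` and the `SAMPLE_POLICY` JSON are constructed for the example; the `GCP_PROJECT` environment variable is an assumption of this script, not a gcloud convention. Only `grant_dm_owner` calls `gcloud`; the two helpers run offline.

```shell
#!/bin/sh
# Added example (not from the question or answer above): grant the project's
# Google APIs service account ([PROJECT_NUMBER]@cloudservices.gserviceaccount.com),
# which Deployment Manager acts as, the Owner role so it can call
# iam.serviceAccounts.setIamPolicy on the resources it deploys.
# Only the gcloud calls in grant_dm_owner() touch a real project, and they run
# only when GCP_PROJECT (an assumed name for this script) is set.
set -eu

# Member string for the Google APIs service account of a project number.
apis_sa_member() {
  printf 'serviceAccount:%s@cloudservices.gserviceaccount.com\n' "$1"
}

# Exit 0 if POLICY (JSON from `gcloud projects get-iam-policy PROJECT --format=json`)
# binds MEMBER to ROLE. Uses only POSIX tools (no jq): whitespace is stripped and
# the text split at '{', which puts each binding's members and role on one line.
policy_has_binding() {
  policy="$1"; role="$2"; member="$3"
  printf '%s\n' "$policy" \
    | tr -d ' \t\n' \
    | tr '{' '\n' \
    | grep -F "\"role\":\"$role\"" \
    | grep -Fq "\"$member\""
}

# Look up the project number, inspect the current policy, and add the binding
# only if it is missing (add-iam-policy-binding is idempotent anyway, but the
# check shows what is already granted before anything changes).
grant_dm_owner() {
  project="$1"
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  member=$(apis_sa_member "$number")
  policy=$(gcloud projects get-iam-policy "$project" --format=json)
  if policy_has_binding "$policy" roles/owner "$member"; then
    echo "$member already has roles/owner on $project"
    return 0
  fi
  gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/owner
}

# Constructed sample policy in gcloud's JSON layout (not captured from a real
# project): the Google APIs service account holds only its default Editor role.
SAMPLE_POLICY='{
  "bindings": [
    {
      "members": [
        "serviceAccount:123456789012@cloudservices.gserviceaccount.com",
        "user:alice@example.com"
      ],
      "role": "roles/editor"
    },
    {
      "members": [
        "user:alice@example.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "BwXYZ",
  "version": 1
}'

# Apply to a real project only when explicitly asked, e.g.
#   GCP_PROJECT=my-project sh grant_dm_owner.sh
if [ -n "${GCP_PROJECT:-}" ]; then
  grant_dm_owner "$GCP_PROJECT"
fi
```

Note that `roles/owner` is project-wide, so before running this against a shared project review who else already holds it (the `policy_has_binding` check against `SAMPLE_POLICY` shows how to read that out of the same JSON) and confirm the identity being granted is the `cloudservices` account, not the user shown by `gcloud auth list`, which is the distinction the comment thread above turned on.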