
I want to create a GCP project with terraform using vault to get the token. I have the GCP secrets engine already configured and I ask vault within terraform to get the token; but when I run terraform to create the project, I get an error that says:

Error 403: Service accounts cannot create projects without a parent., forbidden. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission
│ 
│   with module.gcp-project.google_project.project,
│   on .terraform/modules/gcp-project/main.tf line 6, in resource "google_project" "project":
│    6: resource "google_project" "project" {

I suppose the problem is in the roleset bindings of Vault's token, but I don't know which resource I have to put in the roleset.

I tried with the resourcemanager.projectCreator role, but it always asks me for a project name.

Should I give permission to the whole organization? Because if I want to create new projects and I put an existing project as the resource, I won't be able to create another project.

Thanks!!

Iñigo González
  • I faced the exact same error message you have. I am using terraform-google-modules/project-factory/google v10.3.2 and it is not solved so far. Hope someone can help us please – alextunyk May 25 '21 at 14:50

1 Answer

You must create a GCP Organization resource and ensure your Vault GCP roleset is created in a project that lives inside the org (e.g. an "admin" project).

When you create the project creator roleset using Terraform, you need to grant it a role that has the resourcemanager.projects.create permission. You can create the binding against the whole org or against an individual folder within the org. For example:

resource "vault_gcp_secret_roleset" "default" {
  backend      = var.gcp_secret_backend
  roleset      = var.roleset_name
  project      = var.project            # admin project inside the org where Vault creates the service account
  secret_type  = var.secret_type
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  # Bind at folder (or organization) level, not at an existing project,
  # so the generated service account has a parent to create projects under.
  binding {
    resource = "//cloudresourcemanager.googleapis.com/folders/${var.folder_id}"

    roles = [
      "roles/resourcemanager.projectCreator",
      "roles/resourcemanager.projectMover",
      "roles/resourcemanager.projectDeleter",
    ]
  }
}
Morgan Peat
    This problem is hard to spot because: 1) Service Accounts cannot create projects without a parent (folder or organization), but 2) Users can do it, and if you test against a user credential everything will work and then suddenly stop without you knowing why. – Iñigo González May 26 '21 at 14:27
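An end-to-end configuration tying the answer together, written as an added example rather than code from the question or the answer: the roleset is bound at the organization level (the folder form from the answer works the same way), Terraform pulls a short-lived token from Vault, and the project is created with an explicit parent. The mount name `gcp`, the roleset name, and the variables `org_id`, `admin_project`, `billing_account` and `env` are assumptions.

```hcl
# Added example; assumes a GCP secrets engine already mounted at "gcp".
variable "org_id" { type = string }          # numeric organization ID
variable "admin_project" { type = string }   # project inside the org that hosts Vault's service account
variable "billing_account" { type = string }
variable "env" { type = string }

# 1. Roleset bound at organization level: the service account Vault
#    generates gets projectCreator on the org, so it has a valid parent.
resource "vault_gcp_secret_roleset" "project_creator" {
  backend      = "gcp"
  roleset      = "project-creator"
  project      = var.admin_project
  secret_type  = "access_token"
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/organizations/${var.org_id}"
    roles    = ["roles/resourcemanager.projectCreator"]
  }
}

# 2. Ask Vault for a short-lived OAuth2 access token from that roleset.
#    depends_on defers the read until the roleset exists.
data "vault_gcp_secret_token" "project_creator" {
  backend    = vault_gcp_secret_roleset.project_creator.backend
  roleset    = vault_gcp_secret_roleset.project_creator.roleset
  depends_on = [vault_gcp_secret_roleset.project_creator]
}

# 3. Authenticate a dedicated Google provider instance with that token,
#    so the rest of the configuration can keep using another identity.
provider "google" {
  alias        = "vault"
  access_token = data.vault_gcp_secret_token.project_creator.token
}

# 4. Create the project under the organization. Leaving out both
#    org_id and folder_id reproduces the 403 from the question.
resource "google_project" "new" {
  provider        = google.vault
  name            = "example-project"
  project_id      = "example-project-${var.env}"
  org_id          = var.org_id
  billing_account = var.billing_account
}
```

In practice the roleset is usually managed in a separate admin configuration, and the token-consuming configuration only declares the data source; the Vault-issued token expires after its TTL, so long applies should not rely on it being valid indefinitely.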