I’m trying to create an all-new sandbox project in GCP for easy deployment and upgrade of the project. Using Terraform I am creating a GKE cluster. The issue is, the Terraform scripts are written for the service accounts of a project named, let’s say, NP-H. Now, I am trying to create clusters using the same scripts in a project named, let’s say, NP-S.

I ran terraform init and am experiencing an error:

error 403: XXX.serviceaccount does not have storage.object.create access to google cloud storage objects., forbidden. storage: object doesn’t exist.

Now, is the problem with the Terraform script or with the service account permissions?

If it is the Terraform script, what changes do I need to make?

PS: I was able to create buckets and upload them to Cloud Storage…

Vikram

2 Answers


Two ways you can store credentials:

provider "google" {
  credentials = file("service-account-file.json")
  project = "PROJECT_ID"
  region  = "us-central1"
  zone    = "us-central1-c"
}

or

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"

Make sure the service account is from project ID NP-S (Menu > IAM & admin > Service accounts) and has the proper permissions (Menu > IAM & admin > IAM > ...).

cat service-account-file.json

and make sure it is the email from the correct project ID. You can do a quick test with the owner/editor role to isolate the issue if need be, as those roles have most permissions.

dany L
  • Service account key file is a bad practice. Prefer service account impersonation when your environment context allows its use – guillaume blaquiere Nov 23 '21 at 08:15
  • @guillaumeblaquiere Thanks for the tip, learnt something today. Saw this and it was a good read: https://medium.com/google-cloud/a-hitchhikers-guide-to-gcp-service-account-impersonation-in-terraform-af98853ebd37 – dany L Nov 23 '21 at 13:55
  • Thank you for the help. I am wondering, what could our options be if we do not have service account permission? – Vikram Nov 23 '21 at 16:23
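Added example (my own code, not from the answer above or from Terraform): it automates the "cat service-account-file.json and check the email" step by parsing a key file and reporting whether its project_id and client_email belong to the project you are deploying into. The SAMPLE_KEY_JSON is a constructed stand-in for a key file with the private key omitted; "np-h" and "np-s" stand for the NP-H and NP-S projects in the question.

```python
import json
import re
from typing import List

# Constructed sample of a service-account key file (NOT a real key);
# the private_key field is deliberately left out.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "np-h",
    "private_key_id": "PLACEHOLDER",
    "client_email": "terraform-sa@np-h.iam.gserviceaccount.com",
    "client_id": "0",
})

# User-created service accounts are addressed as <name>@<project-id>.iam.gserviceaccount.com,
# so the project ID can be read straight out of the address.
SA_EMAIL_RE = re.compile(r"^[a-z][-a-z0-9]*@([a-z][-a-z0-9]*)\.iam\.gserviceaccount\.com$")


def check_key_project(key_json: str, expected_project: str) -> List[str]:
    """Return findings explaining why this key does not belong to expected_project.

    An empty list means both the project_id field and the client_email
    address point at the expected project.
    """
    findings = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc}"]

    if key.get("type") != "service_account":
        findings.append(f"unexpected credential type {key.get('type')!r}")

    project_id = key.get("project_id", "")
    email = key.get("client_email", "")
    match = SA_EMAIL_RE.match(email)
    email_project = match.group(1) if match else None
    if email_project is None:
        findings.append(f"client_email {email!r} is not a project-scoped service account address")

    if project_id != expected_project:
        findings.append(f"project_id is {project_id!r}, expected {expected_project!r}")
    if email_project is not None and email_project != expected_project:
        findings.append(f"client_email belongs to project {email_project!r}, expected {expected_project!r}")
    return findings


if __name__ == "__main__":
    # The mismatch from the question: a key minted in NP-H used to deploy into NP-S.
    for finding in check_key_project(SAMPLE_KEY_JSON, "np-s"):
        print("MISMATCH:", finding)
```

Run it against the real key path before terraform init; any MISMATCH line means the 403 is a wrong-project credential rather than a Terraform script problem.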

If you're using service account impersonation, do this:

terraform {
  backend "gcs" {
    bucket                      = "<your-bucket>"
    prefix                      = "<prefix>/terraform.tfstate"
    impersonate_service_account = "<your-service-account>@<your-project-id>.iam.gserviceaccount.com"
  }
}

Source: Updating remote state files with a service account

Imad