
Our project has enabled Cloud Asset Inventory API, I can view it from UI, but I get this permission error. I am the owner of the project.

➜ gcloud auth login
Your browser has been opened to visit:

    ---

You are now logged in as [myemail].

➜ gcloud asset export  --content-type resource --project xxx --output-path "gs://export-resources-t/resources_updated.yaml" --format=yaml
Export in progress for root asset [projects/xxx].
Use [gcloud asset operations describe projects/xxx/operations/ExportAssets/RESOURCE/530109afbb66bdaf2be325e11897c83c] to check the status of the operation.


➜ gcloud beta resource-config bulk-export --resource-format=terraform --path output --project xxx
Exporting resource configurations to [output]...done.
ERROR: (gcloud.beta.resource-config.bulk-export) Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled.
katrocitus
  • I do have the IAM permissions to run the command. I am the owner of the project. – katrocitus Jun 30 '22 at 03:15
  • Probably this issue - https://stackoverflow.com/questions/72467083/gcp-auth-permission-denied-when-executing-cloud-asset-export#comment128019721_72467083 – katrocitus Jun 30 '22 at 03:26

2 Answers


As per this case, when the destination is in the same project, the user doesn't need to grant an additional permission/role to the built-in service account; it is only needed when the destination is in a different project.

If this is not your issue then try using this method. i.e.,

For this service account you should add the role 'roles/cloudasset.serviceAgent' (which has all the required permissions).

Run this: gcloud beta services identity create --service=cloudasset.googleapis.com --project=<project number>

The above command will create the needed identity, then copy the name of the service account identity created and use it with the following command to grant the required role:

gcloud beta projects add-iam-policy-binding <project_name> --member='serviceAccount:[Service_Account]' --role='roles/cloudasset.serviceAgent'

Please replace the [Service_Account] with the actual service account identity created in the first command.

After performing the above steps, you will be able to run the gcloud beta resource-config bulk-export --project=<project_name> --resource-format=terraform command.

For more information follow this doc.

Sai Chandra Gadde
  • # set $PROJECT_ID, $PROJECT_NUMBER `$ gcloud beta services identity create --service=cloudasset.googleapis.com --project $PROJECT_ID && gcloud beta projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:service-$PROJECT_NUMBER@gcp-sa-cloudasset.iam.gserviceaccount.com" --role='roles/cloudasset.serviceAgent' && gcloud alpha resource-config bulk-export --path=./ --resource-format=terraform --project $PROJECT_ID` – Hil Liao Oct 14 '22 at 17:04
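The procedure from this answer as an added shell script (not code from the question or from either answer): it enables the API if needed, creates the Cloud Asset service identity, derives the service agent address using the pattern from Hil Liao's comment, and grants roles/cloudasset.serviceAgent only when the binding is missing, so nothing broader than the service agent role is handed out. It assumes gcloud is installed and authenticated; the project ID passed in is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: grant the Cloud Asset service agent
# its role with pre-checks. Assumes an authenticated gcloud; project ID is a placeholder.
set -euo pipefail

# Service agent address pattern: service-<PROJECT_NUMBER>@gcp-sa-cloudasset.iam.gserviceaccount.com
cloudasset_agent_member() {
  printf 'serviceAccount:service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com\n' "$1"
}

# Read-only check: does the member already hold the role on the project?
has_role_binding() {
  local project="$1" member="$2" role="$3"
  gcloud projects get-iam-policy "$project" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${member} AND bindings.role:${role}" \
    --format='value(bindings.role)' | grep -q .
}

ensure_cloudasset_agent() {
  local project="$1"
  local role='roles/cloudasset.serviceAgent'
  # 1. The API must be enabled; the error text in the question points here even when it is.
  if ! gcloud services list --enabled --project "$project" --format='value(config.name)' \
       | grep -qx 'cloudasset.googleapis.com'; then
    gcloud services enable cloudasset.googleapis.com --project "$project"
  fi
  # 2. Create the service identity (idempotent) and derive its member string.
  gcloud beta services identity create --service=cloudasset.googleapis.com --project="$project" >/dev/null
  local number member
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  member=$(cloudasset_agent_member "$number")
  # 3. Grant the role to the agent only if it is missing; the user keeps their existing roles.
  if has_role_binding "$project" "$member" "$role"; then
    echo "binding already present: $member -> $role"
  else
    gcloud projects add-iam-policy-binding "$project" --member="$member" --role="$role" >/dev/null
    echo "granted $role to $member"
  fi
}

# Usage (hypothetical project ID): ensure_cloudasset_agent my-project-id
```

After it reports the binding, rerun the bulk-export command from the answer; if it still fails, the destination bucket is the next thing to check, per the first paragraph of this answer.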

Here is how I was able to solve this problem. First, I also enabled the Cloud Asset API via the Cloud Console as well as using the Cloud SDK command below.

gcloud services enable cloudasset.googleapis.com

But it was still throwing errors like this:

ERROR: (gcloud.beta.resource-config.bulk-export) Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled.

So to resolve this I gave my user account the following permissions:

  • Cloud Asset Owner (this one was the bad guy)
  • Storage Admin
  • Service Usage Admin

And just used the SDK command as usual and it started working.

I was taking a full import of my project, so for that I used this command.

gcloud beta resource-config bulk-export   --path=entire-tf-output   --project=$PROJECT_ID   --resource-format=terraform
Harsh