
I manage my Google Cloud resources through terraform. I was initially planning and applying the changes locally, authenticating with my personal email, and everything worked fine.

I am using resource "google_cloud_run_domain_mapping" "..." a couple of times. The domain I am using there was bought through Google too, and I used my personal email to do so, so my email is a verified owner of such domain.

I just migrated all my terraform state to Terraform Cloud, and, as a good practice, created a new service account called terraform@my-project.iam.gserviceaccount.com with enough permissions to manage all my resources, and that service account key is the one I used in Terraform Cloud to authenticate to Google. In short, all resource changes are executed through the service account terraform@..., instead of my personal email myEmail@gmail.com.

The resource "google_cloud_run_domain_mapping" is now failing with the following error:

Error: Error waiting to create DomainMapping: resource is in failed state "Ready:False", message: Caller is not authorized to administer the domain 'my-domain.com'.

I don't know how to make this work.

My attempts:

1. Add the service account as a user of the domain through Google Registrar

In the page https://domains.google.com/registrar/my-domain.com/settings, in the Registration Settings > Domain Permissions I see the following message, instead of an option to add a new user:

Domain permissions for my-domain.com are managed by Cloud Domains.

2. Add the service account as a user of the domain through Cloud Domains

In my Google Cloud project, in the page https://console.cloud.google.com/net-services/domains/registrations/list?project=my-project, I can't see an option to add the service account to the domain.

3. Add the "owner" role to the service account.

I added the role "Owner", which is too permissive, to the service account and tried applying the terraform plan again, but the error was the same. (Maybe I need to wait for the change to come into effect?)

4. ChatGPT suggested that I add my personal email as a member of the service account

I couldn't find where to do that, but I am also not sure how that would help, because authentication would still be coming from terraform@...

The final goal is to manage my resource "google_cloud_run_domain_mapping" through Terraform Cloud in a safe way, hopefully using this new service account for authentication. Any guidance is greatly appreciated!

EmmanuelB
    From the details of your post, it appears that your domain is managed by Google Cloud Domains and not Google Domains. That is important to verify. Access to Cloud Domains is managed by Cloud IAM. If you added the IAM role `Owner` to the service account, that service account would have the necessary permissions to interact with Cloud Domains. Therefore, you are either confused about where your domain is managed or you are not using the correct principal (service account) for your Terraform code. Edit your post and show the Terraform HCL that you are using. – John Hanley Jul 18 '23 at 19:01
  • 1
    Another possibility is that the domain `ownership` is not verified for Cloud Run for the service account. See this [documentation](https://cloud.google.com/run/docs/mapping-custom-domains#add-verified). – John Hanley Jul 18 '23 at 19:04
  • SO is a programming Q&A platform and this question is not about programming. Questions about operating systems, their utilities, networking and hardware, are off topic. [What topics can I ask about here?](https://stackoverflow.com/help/on-topic). Please delete this – Rob Aug 13 '23 at 15:01
  • @rob - the question was a Terraform programming question with code but with the last edit the code was removed. – John Hanley Aug 13 '23 at 15:47

1 Answer


Adding the solution here, greatly impacted by John Hanley.

The solution was to go to the search console here https://search.google.com/search-console/ownership, choose the desired domain, add the given service account as a new user, and provide OWNER permissions to it. Note that Full permissions did not work.

More documentation here.

EmmanuelB
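For readers arriving at the same error, the following is an added Terraform example (not code from the original question, which had its HCL removed, and not from the accepted answer) showing how the resource looks when applied from Terraform Cloud under the service account. The project id `my-project`, region `us-central1`, domain `my-domain.com`, service name `app`, the `hello` sample image and the sensitive workspace variable `google_credentials` are all assumptions for illustration.

```hcl
# Added example: Cloud Run domain mapping applied as a service account.
# Assumes the Terraform Cloud workspace exposes the service-account key
# JSON as the sensitive variable `google_credentials` (hypothetical name).

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
  }
}

variable "google_credentials" {
  description = "Key JSON for terraform@my-project.iam.gserviceaccount.com"
  type        = string
  sensitive   = true
}

provider "google" {
  project     = "my-project"     # assumed project id
  region      = "us-central1"    # assumed region
  credentials = var.google_credentials
}

# The Cloud Run service the custom domain will route to.
resource "google_cloud_run_service" "app" {
  name     = "app"
  location = "us-central1"

  template {
    spec {
      containers {
        # Google's public sample image; replace with your own.
        image = "us-docker.pkg.dev/cloudrun/container/hello"
      }
    }
  }
}

# Prerequisite that cannot be expressed in Terraform: the principal the
# provider authenticates as (here the terraform@... service account) must be
# a verified owner of my-domain.com in Search Console, as the answer above
# describes. Without that, creation fails with
# "Caller is not authorized to administer the domain", regardless of which
# IAM roles the service account holds.
resource "google_cloud_run_domain_mapping" "app" {
  name     = "my-domain.com"   # assumed domain
  location = google_cloud_run_service.app.location

  metadata {
    # For Cloud Run domain mappings the namespace is the project id.
    namespace = "my-project"
  }

  spec {
    route_name = google_cloud_run_service.app.name
  }
}
```

Two practical checks before applying. First, the ownership requirement is separate from IAM, so attempt 3 in the question (granting `roles/Owner`) was never going to help; for the API side, `roles/run.admin` on the project is sufficient for creating services and domain mappings, and the broad Owner grant can be removed. Second, you can confirm which domains a given key's principal is verified for by activating it locally and listing them: `gcloud auth activate-service-account --key-file=key.json` followed by `gcloud domains list-user-verified`. If `my-domain.com` is absent from that list, the Search Console step has not taken effect for that principal, and Terraform will keep returning the same `Ready:False` error.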