0
votes

I am using the Google Cloud DNS REST API (with Ruby REST Client) and I am receiving a 403 error using my google service account. This works correctly when I use the cloud console admin under my personal admin account.

My service account has "owner" permissions so I would think that I should not receive a 403 error.

```json
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "forbidden",
        "message": "Forbidden"
      }
    ],
    "code": 403,
    "message": "Forbidden"
  }
}
```

Unfortunately this error does not shed any light on why I am receiving a 403.

1
Almost certainly user error with credentials. Can you validate the credentials at developers.google.com/apis-explorer/#search/dns/dns/v1? (jarmod)

I am not sure how to validate my service account credentials in that UI? I've successfully validated my personal credentials and it works fine. Agree that it is likely some credential error. Just not quite sure how to fix. I am able to launch Google Cloud instances using the same credentials just fine, for example. (Doug)

Apologies, it looks like you can't easily use the API Explorer with service account credentials. Did you grant the relevant IAM roles to the service account? See cloud.google.com/compute/docs/access/…. (jarmod)

Yes I have granted owner to the service account.
```
gcloud iam service-accounts get-iam-policy [email protected]
bindings:
- members:
  - serviceAccount:[email protected]
  role: roles/editor
- members:
  - serviceAccount:[email protected]
  role: roles/iam.serviceAccountActor
- members:
  - serviceAccount:[email protected]
  role: roles/owner
```
(Doug)

1 Answer

1
votes

There are 2 "Owner" permissions that are available in Google Cloud IAM console.

The correct one is accessed by clicking:

IAM & Admin -> IAM -> [Your Service Account] -> (Roles Dropdown) -> Owner (Then Click Save)

The one that didn't help for me was at:

IAM & Admin -> Service Accounts -> [Your Service Account] -> Permissions -> Add Member -> (Type in service account) -> (Select Owner Role)

I think that second one doesn't work? Or doesn't do anything.
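The distinction the answer draws is between two different IAM policies: the policy on the service account resource itself (what `gcloud iam service-accounts get-iam-policy` prints, which governs who may act as or administer that account) and the project-level policy (which is what the Cloud DNS API checks). The Ruby script below is an added example, not code from the question or answer; it parses two constructed policy documents in the JSON shape `gcloud ... get-iam-policy --format=json` emits and reports whether the account's grant landed on the wrong resource. The project id, account name and the `DNS_ROLES` list are assumptions for the example.

```ruby
require 'json'

# Constructed sample of `gcloud iam service-accounts get-iam-policy SA --format=json`.
# This policy controls who can act as / administer the service account,
# not what the service account itself is allowed to do in the project.
SA_POLICY_JSON = <<~JSON
  {"bindings": [
    {"role": "roles/owner",
     "members": ["serviceAccount:dns-client@example-project.iam.gserviceaccount.com"]}
  ]}
JSON

# Constructed sample of `gcloud projects get-iam-policy example-project --format=json`.
# This is the policy the Cloud DNS API evaluates for the 403 seen in the question.
PROJECT_POLICY_JSON = <<~JSON
  {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]}
JSON

SA_MEMBER = 'serviceAccount:dns-client@example-project.iam.gserviceaccount.com'.freeze

# Project-level roles that permit reading managed zones through the DNS API.
# roles/dns.admin and roles/dns.reader are the predefined Cloud DNS roles; the
# primitive roles owner/editor/viewer include those permissions as well.
DNS_ROLES = %w[roles/dns.admin roles/dns.reader roles/owner roles/editor roles/viewer].freeze

# Roles bound to `member` in one IAM policy document.
def roles_for(policy_json, member)
  JSON.parse(policy_json).fetch('bindings', [])
      .select { |b| b.fetch('members', []).include?(member) }
      .map { |b| b['role'] }
end

# Compare the two policies and flag a grant placed on the service account
# resource instead of on the project (the situation in the accepted answer).
def diagnose(member, sa_policy_json, project_policy_json)
  sa_roles = roles_for(sa_policy_json, member)
  project_roles = roles_for(project_policy_json, member)
  dns_allowed = (project_roles & DNS_ROLES).any?
  {
    sa_roles: sa_roles,
    project_roles: project_roles,
    dns_allowed: dns_allowed,
    misplaced_grant: sa_roles.any? && !dns_allowed
  }
end

puts JSON.pretty_generate(diagnose(SA_MEMBER, SA_POLICY_JSON, PROJECT_POLICY_JSON)) if __FILE__ == $PROGRAM_NAME
```

Once the binding is added at project level (roles/dns.admin is sufficient for the DNS API and narrower than owner), `dns_allowed` flips to true and `misplaced_grant` to false.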