1
votes

This is my first try to create a VM on GCP through Terraform. Here are the 2 files which I created.

provider.tf

provider "google" {
  credentials = "${file("xxxxxx.json")}"
  project     = "project-1-200623"
  region      = "us-central1"
}

compute.tf

# Create a new instance
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-8"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}

I am getting the below error:

Error: Error applying plan:

1 error(s) occurred:

* google_compute_instance.default: 1 error(s) occurred:

* google_compute_instance.default: Error loading zone 'us-central1-a': googleapi: Error 403: Required 'compute.zones.get' permission for 'projects/project-1-200623/zones/us-central1-a', forbidden.

Initially I thought it was some syntax issue with the VM image, but even after changing to multiple others, same issue. The service account has owner permissions on the project, so that I can rule out. Can someone please help me here?

Appreciate the help!

3
What IAM roles does your user have for this project? – Henry Dobson

Editor role before, but changed to Project Owner; still the same result. – latech

In that case, are the necessary APIs enabled for the project? You can do this with Terraform (terraform.io/docs/providers/google/r/…) or experiment with the console to see first. – Henry Dobson

Hi Henry, thank you for the input. Compute, network, IAM and a few other APIs are enabled, and a bunch of others. Not sure if any specific one is required. Any chance you have specific code which is working for you? – latech

Can you share the output from `gcloud services list` and confirm the provider identity is the same as the user you say has owner permissions? – Henry Dobson

3 Answers

1
votes

Terraform needs the organization admin permission

These are the steps to add this permission:

1. Sign in to the Google Cloud Console as a Google Workspace or Cloud Identity super administrator and navigate to the IAM & Admin page: go to the admin page.

2. Select the organization you want to edit:

   a. Click the project drop-down list at the top of the page.

   b. In the Select from dialog, click the organization drop-down list, and select the organization to which you want to add an Organization admin.

   c. On the list that appears, click the organization to open its IAM Permissions page.

3. Click Add, and then enter the email address of one or more users you want to set as organization administrators.

4. In the Select a role drop-down list, select Resource Manager > Organization Administrator, and then click Save.

The Organization admin can do the following:

  • Take full control of the organization. Separation of responsibilities between Google Workspace or Cloud Identity super administrator and Google Cloud administrator is established.

  • Delegate responsibility over critical functions by assigning the relevant IAM roles.

I recommend you create a different service account to keep your projects separate; you can check how to create your service account here.

0
votes

I'm with Paula. Double-check your provider credentials. There's nothing wrong with this code.

0
votes

Faced the same issue. I assigned the following roles and it worked: Compute Admin, Compute Instance Admin, Service Account, Service Account Admin.
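Henry's comment asks whether the Compute Engine API is enabled and whether the provider identity is really the one with owner rights, and the last answer reports that project-level Compute and Service Account roles were enough. The following Terraform configuration is an added example, not code from the question or any answer: it enables the Compute Engine API, creates a dedicated deployer service account, and binds only project-scoped roles to it, so the identity Terraform runs as can be audited on its own and needs nothing above the project. The project id is the one from the question; the bootstrap credentials file name, the `tf-deployer` account id and the choice of `roles/compute.instanceAdmin.v1` plus `roles/iam.serviceAccountUser` (the narrowest pair that still lets the instance in the question be created with a service account attached) are assumptions. It uses Terraform 0.12+ syntax (`file(...)` without interpolation quotes).

```hcl
# Added example: bootstrap a least-privilege deployer identity for the
# compute.tf in the question. Not the question's or any answer's code.
# Apply this once with an identity that already holds Project Owner
# (credentials file name is a placeholder).

provider "google" {
  credentials = file("bootstrap-owner-credentials.json") # placeholder path
  project     = "project-1-200623"
  region      = "us-central1"
}

# A disabled Compute Engine API also surfaces as a 403 on compute.* calls,
# so enable it explicitly and make the instance depend on it.
resource "google_project_service" "compute" {
  project            = "project-1-200623"
  service            = "compute.googleapis.com"
  disable_on_destroy = false
}

# Dedicated service account for Terraform, separate from human users.
resource "google_service_account" "deployer" {
  account_id   = "tf-deployer" # assumed name
  display_name = "Terraform deployer"
}

# Project-scoped roles only. instanceAdmin.v1 covers creating the VM;
# serviceAccountUser is required because the VM runs as a service account.
locals {
  deployer_roles = [
    "roles/compute.instanceAdmin.v1",
    "roles/iam.serviceAccountUser",
  ]
}

resource "google_project_iam_member" "deployer" {
  for_each = toset(local.deployer_roles)

  project = "project-1-200623"
  role    = each.value
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# The instance from the question, ordered after the API is enabled.
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  depends_on = [google_project_service.compute]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-8"
    }
  }

  network_interface {
    network = "default"
    access_config {}
  }

  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}
```

After the first apply, later runs can switch the provider to the `tf-deployer` identity (for example via `impersonate_service_account`, which avoids minting a downloadable key at all). If a run under that identity still returns `403 ... compute.zones.get`, the binding in `google_project_iam_member.deployer` is the first thing to compare against `gcloud projects get-iam-policy project-1-200623`, since the error names the exact permission and resource that the calling identity lacks.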