1
votes

I am getting a 403 PERMISSION_DENIED response from GCP when running the deployment manager to create a deployment that creates a service account and sets IAM policy for it using the cloud resource manager API. Here is the setIamPolicy template for this:

    def GenerateConfig(context):
        # Template entry point called by Deployment Manager. The 'policy'
        # passed here contains only the bindings from the template properties.
        return {
            'resources': [
                {
                    'name': context.env['name'],
                    'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy',
                    'properties': {
                        'resource': context.properties['resource'],
                        'policy': {
                            'bindings': context.properties['bindings']
                        }
                    }
                }
            ]
        }

Response from GCP:

'{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/[email protected]:setIamPolicy","httpMethod":"POST"}}'

FYI: The robot account ([email protected]) is given project owner permissions in IAM.

1
What machine/device are you running this from? Project Owner permissions don't necessarily equal deployment permissions. You would need to add that role to that account. - anon

1 Answer

2
votes

The right way to do this is:

    def GenerateConfig(context):
        project_id = context.env['project']
        policy_get_name = context.env['name'] + '-get-iam-policy'
        policy_add_name = context.env['name'] + '-add-iam-policy'
        policies_to_add = context.properties['bindings']
        return {
            'resources': [
                {
                    # Read the current policy; the patch below is applied on top of it.
                    'name': policy_get_name,
                    'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy',
                    'properties': {'resource': project_id}
                },
                {
                    # Set the IAM policy by patching the existing policy with the
                    # config contents.
                    'name': policy_add_name,
                    'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy',
                    'properties': {
                        'resource': project_id,
                        'policy': '$(ref.' + policy_get_name + ')',
                        'gcpIamPolicyPatch': {
                            'add': policies_to_add
                        }
                    }
                }
            ]
        }
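
The answer's approach is a read-modify-write: fetch the project's current policy, merge the new bindings into it, then call setIamPolicy with the result. That matters because setIamPolicy replaces the whole policy, so sending only the bindings from the template (as in the question) drops every binding that was already there, including the owner binding of the account doing the deployment. The following is an added example, not code from the answer or from Deployment Manager: it models the add/remove patch semantics in plain Python over a constructed policy, and includes a check for bindings that a write would silently remove. CURRENT_POLICY, BINDINGS_TO_ADD, the member names and the etag are all made up for the example.

```python
import copy

# Constructed sample: the project's current policy as getIamPolicy would
# return it. Members, etag and roles are invented for this example.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwWHsAqCcEk=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deployer@example.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}

# Constructed sample: the bindings the deployment wants to add (what the
# answer passes as policies_to_add / gcpIamPolicyPatch.add).
BINDINGS_TO_ADD = [
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com", "user:bob@example.com"]},
]


def replace_policy(new_bindings):
    """Result of a plain setIamPolicy whose 'policy' holds only the new
    bindings: the previous policy is replaced outright, nothing is kept."""
    return {"bindings": copy.deepcopy(new_bindings)}


def patch_policy(current, add=(), remove=()):
    """Model of the read-modify-write patch: start from the fetched policy,
    union members per role for 'add', drop members for 'remove', and keep
    the fetched etag so a concurrent change makes the write fail instead
    of clobbering it. This is an illustration of the semantics, not the
    Deployment Manager implementation."""
    merged = {b["role"]: list(b["members"]) for b in current["bindings"]}
    for b in add:
        members = merged.setdefault(b["role"], [])
        for m in b["members"]:
            if m not in members:
                members.append(m)
    for b in remove:
        members = merged.get(b["role"], [])
        merged[b["role"]] = [m for m in members if m not in b["members"]]
    bindings = [{"role": r, "members": ms} for r, ms in merged.items() if ms]
    return {"version": current["version"], "etag": current["etag"],
            "bindings": bindings}


def members_with_role(policy, role):
    """Sorted members bound to a role, or [] if the role is absent."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return sorted(b["members"])
    return []


def lost_bindings(before, after):
    """(role, member) pairs present in 'before' but missing from 'after'.
    A non-empty result for roles/owner is the lockout case."""
    have = {(b["role"], m) for b in after["bindings"] for m in b["members"]}
    return sorted((b["role"], m) for b in before["bindings"]
                  for m in b["members"] if (b["role"], m) not in have)


if __name__ == "__main__":
    naive = replace_policy(BINDINGS_TO_ADD)
    patched = patch_policy(CURRENT_POLICY, add=BINDINGS_TO_ADD)
    print("dropped by plain setIamPolicy:", lost_bindings(CURRENT_POLICY, naive))
    print("dropped by patch:", lost_bindings(CURRENT_POLICY, patched))
```

Run it and the plain replacement reports both owner members as dropped, while the patched policy loses nothing and still carries the etag from the read; the same lost_bindings check is worth running against any policy you are about to write, before you write it.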