3
votes

So I'm trying to create a project with Google Cloud Deployment Manager. I've structured the setup roughly as below:

# Structure
Org -> Folder1 -> Seed-Project (location where I am running Deployment Manager from)

Organization:
  IAM:
    -> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
        - Compute Network Admin
        - Compute Shared VPC Admin
        - Organisation Viewer
        - Project Creator

# DeploymentManager Resource:
resources:
  - type: cloudresourcemanager.v1.project
    name: MyNewProject
    properties:
      parent:
        id: '{folder1-id}'
        type: folder
      projectId: MyNewProject

The desired result is that MyNewProject should be created under Folder1. However, it appears as if the Deployment Manager service account does not have sufficient permissions:

$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
  create MyNewDeployment \
  --config config.yaml \
  --verbosity=debug

Error message:

- code: RESOURCE_ERROR
  location: /deployments/MyNewDeployment/resources/MyNewProject
  message: '{"ResourceType":"cloudresourcemanager.v1.project",
             "ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'

I've done some digging, and it appears to be calling the resourcemanager.projects.get method. The 'Compute Shared VPC Admin (roles/compute.xpnAdmin)' role should provide this permission, as documented here: https://cloud.google.com/iam/docs/understanding-roles

Except that doesn't seem to be the case; what's going on?

Edit

I'd like to add some additional information gathered from debugging efforts. These are the API requests from Deployment Manager (from the seed project).

You can see that the caller is an anonymous service account; this isn't what I'd expect to see. (I'd expect to see {Seed-Project-Number}@cloudservices.gserviceaccount.com as the calling account here.)

screenshot

Edit-2

config.yaml

imports:
  - path: composite_types/project/project.py
    name: project.py

resources:
  - name: MyNewProject
    type: project.py
    properties:
      parent:
        type: folder
        id: "{folder1-id}"
      billingAccountId: billingAccounts/REDACTED
      activateApis:
        - compute.googleapis.com
        - deploymentmanager.googleapis.com
        - pubsub.googleapis.com
      serviceAccounts: []

composite_types/project/* is an exact copy of the templates found here:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/project

1
You need resourcemanager.projects.create. Or a predefined role: roles/owner or roles/editor. You need the permission either at the Organization or Folder level. - John Hanley
Heya, I have assigned it the Project Creator role at the organizational level, which should grant resourcemanager.projects.create at all the inherited resources (Folder1 and all projects underneath). I can see that permission reflected correctly. - Chronojam
Difficult to tell without having seen the (redacted) config.yaml. For reference, here it's explained in detail. - Martin Zeitler
Hiya Martin, thanks for the link. I was already following instructions from the same repo (but in a different location; they appear to be more or less the same). I've added the redacted config.yaml and a link to the project templates I'm using. - Chronojam
Where did you execute your deploy code? Cloud Shell or your local shell? - howie

1 Answer

2
votes

The key thing is that this is a GET operation, not an attempt to create the project. This is to verify global uniqueness of the project-id requested, and if not unique, PERMISSION_DENIED is thrown.

Lousy error message, lots of wasted developer hours!
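As an added example (not part of the question or the answer above), a small Python helper that decodes the JSON string Deployment Manager nests inside the YAML error's message field and applies the explanation given here: a 403 on the GET of projects/{projectId} is the uniqueness check, not a missing get permission on your own folder. Mapping a 403 on the POST to a missing resourcemanager.projects.create is my assumption, drawn from the comments, not a documented contract.

```python
import json
import re

# Constructed sample: the error entry Deployment Manager printed for the
# failed deployment in the question, with the nested JSON `message` intact.
SAMPLE_ERROR = {
    "code": "RESOURCE_ERROR",
    "location": "/deployments/MyNewDeployment/resources/MyNewProject",
    "message": (
        '{"ResourceType":"cloudresourcemanager.v1.project",'
        '"ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,'
        '"message":"The caller does not have permission",'
        '"status":"PERMISSION_DENIED","statusMessage":"Forbidden",'
        '"requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject",'
        '"httpMethod":"GET"}}'
    ),
}

PROJECT_PATH = re.compile(r"/v1/projects/([^/?]+)$")

def parse_resource_error(entry):
    """Decode the JSON string Deployment Manager embeds in `message`."""
    inner = json.loads(entry["message"])
    detail = inner.get("ResourceErrorMessage", {})
    return {
        "resource_type": inner.get("ResourceType"),
        "status": int(inner.get("ResourceErrorCode", detail.get("code", 0))),
        "method": detail.get("httpMethod"),
        "path": detail.get("requestPath", ""),
    }

def diagnose_project_error(entry):
    """Map a project failure to its likely cause. Assumption (not a documented
    contract): Deployment Manager GETs projects/{projectId} to check global
    uniqueness before creating it, and that GET returns 403 when the ID
    already exists somewhere the caller cannot see."""
    err = parse_resource_error(entry)
    if err["resource_type"] != "cloudresourcemanager.v1.project":
        return "unhandled", "not a project resource error"
    match = PROJECT_PATH.search(err["path"])
    project_id = match.group(1) if match else "<unknown>"
    if err["method"] == "GET" and err["status"] == 403:
        return "project_id_taken", (
            f"projectId '{project_id}' is most likely already in use "
            "elsewhere; pick a globally unique projectId before retrying")
    if err["method"] == "POST" and err["status"] == 403:
        return "missing_create_permission", (
            "caller lacks resourcemanager.projects.create on the parent")
    return "unhandled", f"{err['method']} {err['path']} -> {err['status']}"
```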