0
votes

I believe this is a permissions issue. I am trying to run terraform in Google Cloud Build, which uses Application Default Credentials under the hood in its builder image.

The credentials are the Cloud Build service account - simple enough.

In my terraform code, I have some data queries that load the current organisation and billing account data - and these are failing when I try to apply on Cloud Build.

I've given the service account Organization Admin, Project Owner and Project Billing Manager roles, and nothing seems to change it.

I thought maybe I could create an organization iam membership for the service account with admin role for it - but when I try to run it (locally, in my own gcloud terminal) I get 403 - The caller does not have permission, forbidden.

What am I missing here, is this a limitation of service accounts?

1
At what level did you assign these permissions? For org level permissions you need to add them at the Org level. See Manage Resources under IAM & admin. - John Hanley
Using the google_organization_iam_member terraform resource. It's an organization-level iam membership in role 'roles/owner' (for debugging purposes, obviously) - Sebastian Nemeth
The strange thing is if I log in manually to GCP console and go to the organization's IAM page in browser, I also get 403. Could it be that I'm not the owner of G Suite, just an admin? - Sebastian Nemeth
G Suite does not determine permissions in GCP - you do not have permissions in GCP at the Org level. - John Hanley
How? I created the organization :D - Sebastian Nemeth

1 Answer

0
votes

So it turns out that the G Suite organization and GCP organization are actually the same thing. Even though I'd activated GCP for the organization, I wasn't the owner, nor an admin.

Once my client gave me admin privileges to the organization, I was able to create the IAM roles I needed.
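The shape of the Terraform that the question describes, written out as an added example (this is not code from the question or the answer): two org-scoped data sources plus the org-level and billing-account-level grants the Cloud Build service account needs to read them. It assumes a `google` provider that picks up Application Default Credentials, and the organization ID, billing account ID and project number below are placeholders, not real values. Two caveats follow from the thread: both data sources need permission granted at the organization level (`resourcemanager.organizations.get` for `google_organization`, `billing.accounts.get` for `google_billing_account`), project-level roles do not help; and the `*_iam_member` resources must be applied by a principal who is already an organization admin, as the answer describes, because the build service account cannot grant itself the roles it is missing. The example uses the two read-only roles that cover the data sources rather than `roles/owner`.

```hcl
# Added example, not from the original question or answer.
# All IDs below are assumed placeholders.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

variable "org_id" {
  description = "Numeric organization ID (assumed placeholder)"
  default     = "123456789012"
}

variable "billing_account_id" {
  description = "Billing account ID (assumed placeholder)"
  default     = "012345-6789AB-CDEF01"
}

variable "project_number" {
  description = "Numeric project number of the Cloud Build project (assumed placeholder)"
  default     = "987654321098"
}

provider "google" {
  # No credentials block: on Cloud Build this resolves to Application
  # Default Credentials, i.e. the build service account; locally it is
  # whatever `gcloud auth application-default login` produced.
  project = "my-project" # assumed placeholder
}

# Reading the organization requires resourcemanager.organizations.get,
# which only an org-level role grants.
data "google_organization" "org" {
  organization = var.org_id
}

# Reading a billing account requires billing.accounts.get on that account.
data "google_billing_account" "acct" {
  billing_account = var.billing_account_id
  open            = true
}

# The default Cloud Build service account is PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
locals {
  cloudbuild_sa = "serviceAccount:${var.project_number}@cloudbuild.gserviceaccount.com"
}

# Org-level grant: enough for data.google_organization, far narrower than roles/owner.
# Must be applied by someone who already administers the organization.
resource "google_organization_iam_member" "cloudbuild_org_viewer" {
  org_id = var.org_id
  role   = "roles/resourcemanager.organizationViewer"
  member = local.cloudbuild_sa
}

# Billing-account-level grant: enough for data.google_billing_account.
resource "google_billing_account_iam_member" "cloudbuild_billing_viewer" {
  billing_account_id = var.billing_account_id
  role               = "roles/billing.viewer"
  member             = local.cloudbuild_sa
}

output "org_name" {
  value = data.google_organization.org.name
}

output "billing_account_name" {
  value = data.google_billing_account.acct.name
}
```

Before applying this from a workstation, the quick check for the symptom in the thread is `gcloud organizations get-iam-policy ORG_ID`: if that call itself returns 403, the caller has no org-level role, and no amount of project-level Owner will change what the data sources see.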