2
votes

I have been trying to use the API to add a user as Project Editor in Google Cloud Platform.

The API I use is the Resource Manager API setIamPolicy.

Adding the user is done using Google Apps Script.

PROCEDURE

  1. Get all current policy on Google Cloud Platform by using [Resource Manager API getIamPolicy].
  2. Add the user and fix the response JSON from step 1.
  3. Post the JSON from step 2 using [Resource Manager API setIamPolicy].

https://cloud.google.com/resource-manager/reference/rest/v1/projects/getIamPolicy

https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy

But I can't add the user. I get the below error/exception:

{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.cloudresourcemanager.v1.ProjectIamPolicyError",
        "type": "SOLO_REQUIRE_TOS_ACCEPTOR",
        "role": "roles/owner"
      }
    ]
  }
}

Other information: I can do it with [Try it!] in the documentation, but can't do it with Google Apps Script.

I use the OAuth library of Google Apps Script and OAuth authentication.

Why?

2
You cannot programmatically make users owners who have not accepted the Terms of Service for Google Cloud Platform. Make sure the user has either accepted the ToS, or use an organization (where both the project and the user are part of the organization/domain). – mensi
How should I accept the Terms of Service for Google Cloud Platform? – takechoco
By going to console.cloud.google.com – mensi
I accepted the TOS, but I can't add the user. [Try it on] is OK, but GAS gives the error. cloud.google.com/resource-manager/reference/rest/v1/projects/… – takechoco

2 Answers

2
votes

Don't use the method you are trying (pulling the IAM policy using get-iam-policy, editing the JSON/YAML file, then pushing the changes using set-iam-policy), because it's bad practice and a small error in the file can cause you to lose access to your project. Also, this way you are dealing with too much data: you are pulling a whole file, editing it, then pushing it back to be processed again (the whole file).

You should use

gcloud [GROUP] add-iam-policy-binding [RESOURCE-NAME] --role
   [ROLE-ID-TO-GRANT] --member user:[USER-EMAIL]

and

gcloud [GROUP] remove-iam-policy-binding [RESOURCE-NAME] --role
   [ROLE-ID-TO-GRANT] --member user:[USER-EMAIL] 

instead.

Example:

gcloud projects add-iam-policy-binding $PROJECT_NAME \
    --role roles/editor \
    --member serviceAccount:$SA_EMAIL

These two methods are better because:

  • changes are simpler, less work and less error-prone than editing JSON/YAML
  • you will avoid race conditions, because you can do multiple role bindings simultaneously and they won't conflict with each other.
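The read-modify-write that the question attempts and this answer warns about, as an added JavaScript example (not code from either poster): it merges one binding into a fetched policy without touching the rest, keeps the etag that setIamPolicy uses to reject a write based on a stale read, and refuses to produce a policy with no owner. The policy, role and member values below are constructed samples.

```javascript
// Added example: merge one (role, member) binding into a policy fetched with
// projects.getIamPolicy, preserving every other binding and the etag that
// setIamPolicy checks to reject a write made from a stale read.

function addIamBinding(policy, role, member) {
  // Deep copy so the caller's fetched policy is left untouched.
  const updated = JSON.parse(JSON.stringify(policy));
  updated.bindings = updated.bindings || [];

  // A binding with a condition is a different binding from the unconditional
  // one for the same role; only the unconditional binding is merged into.
  let binding = updated.bindings.find(b => b.role === role && !b.condition);
  if (!binding) {
    binding = { role: role, members: [] };
    updated.bindings.push(binding);
  }
  // Idempotent: adding a member that is already present is a no-op, so a
  // retried request cannot duplicate entries.
  if (!binding.members.includes(member)) {
    binding.members.push(member);
  }
  return updated;
}

// Guard against the failure mode the answer describes: pushing a policy that
// leaves the project with no unconditional owner locks everyone out.
function policyKeepsAnOwner(policy) {
  return (policy.bindings || []).some(
    b => b.role === 'roles/owner' && !b.condition && b.members.length > 0);
}

// Constructed sample of a getIamPolicy response (not a real project's policy).
const SAMPLE_POLICY = {
  version: 1,
  etag: 'BwXYZ-sample', // opaque; sent back unchanged so a concurrent edit is detected
  bindings: [
    { role: 'roles/owner', members: ['user:owner@example.com'] },
    { role: 'roles/editor', members: ['user:dev1@example.com'] },
  ],
};

// Body for projects.setIamPolicy: { "policy": <merged policy incl. etag> }.
function buildSetIamPolicyBody(policy, role, member) {
  const updated = addIamBinding(policy, role, member);
  if (!policyKeepsAnOwner(updated)) {
    throw new Error('refusing to push a policy with no owner binding');
  }
  return { policy: updated };
}
```

In Apps Script the returned body would be JSON-stringified into the payload of a POST to the setIamPolicy URL from the question; if another writer changed the policy since the read, the server rejects the request because the etag no longer matches, and the script should re-read and retry rather than overwrite.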
0
votes

I found it less error-prone to use Terraform for this task. The Terraform module "google_project_iam_binding" does this without overwriting the existing IAM policies (especially when I need to update the IAM conditional policies).

I'll pull the policy with gcloud projects get-iam-policy PROJECT_ID --format json > policy.json to understand the policy. Once I understand it, I'll convert the portion I need to update to a Terraform template and then use Terraform to deploy it.