3
votes

I have been trying to setup a terraform backend to store state files in GCS bucket. I have created a service account which is a project owner and having gcs bucket storage admin access, but still am facing below error:

Initializing the backend...
Error loading state: 2 errors occurred:
        * writing "gs://terraform-ubuntu-state-maintain/gcp/terraform.tfstate/default.tflock" failed: googleapi: Error 403: Insufficient Permission, insufficientPermissions
        * storage: object doesn't exist. 

P.S.: the GCS bucket is also created already with the prefix path "gcp". Also, permission is given to the service account.

2
What does your current terraform section of your configuration files look like? Specifically the backend stanza. Have you provided a "credentials" parameter? If not then you are using application default credentials. Try using gsutil cp to copy a random file to your bucket and see if you have permissions to perform that task. – Kolban
I don't think project owner is enough for the service-account, from what I have read. I have added: Compute Storage Admin, Owner, Storage Admin, Storage Object Admin. – tdensmore
Hello, I also suggest to impersonate the service account and to try to run the commands from the shell; the errors shown in the console have more information about the errors. If you use the gsutil option -D it will throw some more information about the request. I suggest to look up if this is still throwing an error with gsutil and use the flag. Please remember that this flag has authentication credentials, so if you plan to share this with us, make sure to take out all the authentication and personal information. – Luis Manuel

2 Answers

2
votes

My error was that the "quota project" in ~/.config/gcloud/application_default_credentials.json pointed to a non-existing project.

1
votes

I ran into a similar issue, and it turned out to be the bucket name I was using. GCS bucket names (like S3 bucket names) are GLOBAL, so often permission-related errors like this:

Error: Error inspecting states in the "gcs" backend:
    querying Cloud Storage failed: googleapi: Error 403: [email protected] does not have storage.objects.list access to terraform-state., forbidden

are NOT permission related, but really errors because you are trying to read from other peoples buckets (a bucket name that someone else is already using).

P.S. the OG has that bucket named terraform-state, which must be getting LOTS of API requests for listing / creating objects...
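As an added diagnostic helper, not code from the question or either answer: a bash script that covers Kolban's suggestion (try a gsutil cp to the bucket) and both answers (a quota project in the ADC file that does not exist, and a bucket name that already belongs to someone else). It assumes bash, python3, gcloud and gsutil are on PATH; BUCKET and ADC_FILE are placeholders for your own values.

```shell
#!/usr/bin/env bash
# Added diagnostic for Terraform GCS backend 403s (assumed tooling: python3, gcloud, gsutil).
set -u

ADC_FILE="${ADC_FILE:-$HOME/.config/gcloud/application_default_credentials.json}"

# Print the quota_project_id recorded in an ADC file (empty string if absent).
adc_quota_project() {
  local file="$1"
  python3 - "$file" <<'PY'
import json, sys
with open(sys.argv[1]) as f:
    print(json.load(f).get("quota_project_id", ""))
PY
}

# Return 0 if the ADC quota project exists and is visible to the caller.
check_quota_project() {
  local qp
  qp="$(adc_quota_project "$ADC_FILE")"
  if [ -z "$qp" ]; then
    echo "ADC has no quota_project_id; set one with: gcloud auth application-default set-quota-project <PROJECT>"
    return 1
  fi
  if gcloud projects describe "$qp" --format='value(projectId)' >/dev/null 2>&1; then
    echo "quota project $qp is visible"
  else
    echo "quota project $qp does not exist or is not accessible with these credentials"
    return 1
  fi
}

# Distinguish "someone else owns this bucket name" from "my bucket, missing IAM role":
# bucket names are global, and a bucket you cannot even describe is usually not yours.
check_bucket() {
  local bucket="$1"
  if ! gsutil ls -L -b "gs://$bucket" >/dev/null 2>&1; then
    echo "cannot read metadata of gs://$bucket: the name may belong to another project"
    return 1
  fi
  local probe="gs://$bucket/.tf-backend-probe"   # constructed, throwaway object name
  if echo probe | gsutil cp - "$probe" >/dev/null 2>&1; then
    gsutil rm "$probe" >/dev/null 2>&1
    echo "write to gs://$bucket succeeded; backend errors are not bucket IAM"
  else
    echo "write to gs://$bucket denied; check Storage Object Admin on the service account"
    return 1
  fi
}
```

Run `check_quota_project && check_bucket "$BUCKET"` after `gcloud auth application-default login`; each failing check prints which of the two causes on this page it points to.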