I have my environment set up with the Cloud Build app (GitHub app) to provision Terraform through Cloud Build to Google Cloud Platform. The build is a simple Cloud Composer with Cloud Functions, which creates these resources along with the right service accounts and members. However, only the Owner permission can execute this successfully; I want least privilege for the Cloud Build service account. I have used a lot of roles and nothing seems to be successful, i.e. Create Service Account, Editor, Access Context Manager Admin, Access Approval Approver. When I run the build via a GitHub commit, I receive this error unless the Owner role is set:
Error: Error applying IAM policy for cloudfunctions cloudfunction googleapi: Error 403: Permission
Error: Batch "iam-project-redacted modifyIamPolicy" for request "Create IAM Members roles/composer.worker serviceAccount:[email protected] for \"project \\"redacted\\"\"" returned error: Error applying IAM policy for project "redacted": Error setting IAM policy for project "redacted": googleapi: Error 403: The caller does not have permission, forbidden. To debug individual requests, try disabling batching: https://www.terraform.io/docs/providers/google/guides/provider_reference.html#enable_batching
Is there an IAM policy/role that allows service accounts to build successfully through Cloud Build?
With the Owner role set on the Cloud Build service account, everything builds successfully.
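An added Terraform example, not part of the question above, showing how the Cloud Build service account can be granted a scoped set of predefined roles instead of Owner. The role list is an assumption derived from what the question describes and from the visible error: the failing call is a project-level `setIamPolicy` (the `roles/composer.worker` member binding), which is covered by `roles/resourcemanager.projectIamAdmin`, and the Cloud Functions IAM error is covered by `roles/cloudfunctions.admin`. The project id is a placeholder; the service account email follows the `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` pattern of the default Cloud Build service account.

```hcl
# Added example: scoped IAM bindings for the Cloud Build service account.
# Not the question's own code; project id and role list are assumptions.

locals {
  # Placeholder: replace with the real project id (the question redacts it).
  project_id = "redacted-project"
}

data "google_project" "target" {
  project_id = local.project_id
}

locals {
  # Default Cloud Build service account: PROJECT_NUMBER@cloudbuild.gserviceaccount.com
  cloudbuild_member = "serviceAccount:${data.google_project.target.number}@cloudbuild.gserviceaccount.com"

  # Assumed minimal set for a build that creates Composer, Functions,
  # service accounts and project-level member bindings. Each role maps to
  # one operation the question's build performs; add or drop entries after
  # checking the failing API call in the build log.
  cloudbuild_roles = [
    "roles/resourcemanager.projectIamAdmin", # project setIamPolicy (the 403 in the question)
    "roles/iam.serviceAccountAdmin",         # create the Composer / Functions service accounts
    "roles/iam.serviceAccountUser",          # attach those accounts to Composer / Functions
    "roles/cloudfunctions.admin",            # deploy functions and set their IAM policy
    "roles/composer.admin",                  # create the Composer environment
  ]
}

# One google_project_iam_member per role: additive, so it never overwrites
# bindings that other principals already have on the project.
resource "google_project_iam_member" "cloudbuild" {
  for_each = toset(local.cloudbuild_roles)

  project = local.project_id
  role    = each.key
  member  = local.cloudbuild_member
}
```

Design note: `roles/resourcemanager.projectIamAdmin` is still a powerful grant, since any principal that can change project IAM policy can in effect grant itself further roles. If the build only needs to bind a fixed set of service accounts to `roles/composer.worker`, a reviewed pattern is to create those accounts and their bindings once, outside the CI pipeline, and let Cloud Build own only the Composer and Functions resources, so the IAM-admin role can be dropped from the list above.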