I am trying to create projects programatically through the resource manager API from a google cloud function like so:
exports.createProjectAsync = async (projectId, projectName) => {
const scopes = "https://www.googleapis.com/auth/cloud-platform"
const url = `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=${scopes}`
const tokenResult = await fetch(url, {
headers: {
"Metadata-Flavor": "Google"
},
});
const tokenStatus = tokenResult.status;
functions.logger.log(`Call to get token has status ${tokenStatus}`);
const tokenData = await tokenResult.json()
functions.logger.log(`Call to get token has data ${JSON.stringify(tokenData)}`);
const accessToken = tokenData.access_token;
if (accessToken === null) {
throw new Error(`Failed to retrieve access token`);
}
const headers = {
'Content-Type': 'application/json',
'Authorization': `Bearer ${accessToken}`
};
const payload = {
"projectId": projectId,
"name": projectName,
"parent": {
"type": "folder",
"id": FOLDER_NUMBER
}
};
const projectsCreateUrl = `https://cloudresourcemanager.googleapis.com/v1/projects/`
const result = await fetch(projectsCreateUrl, {
method: 'POST',
headers: headers,
body: JSON.stringify(payload)
});
const status = result.status;
functions.logger.log(`Call to create project returned status ${status}`);
const data = await result.json()
functions.logger.log(`data: ${JSON.stringify(data)}`);
return data;
}
For testing purposes I've added the Organization Administrator role to the default service account. I cannot see the projects creator role in IAM:
When calling the API I get the following error:
{"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}
How can I successfully access this resource?
