
[CIS GCP] Error 403: Permission 'resourcemanager.organizations.get' denied on resource

Open romulets opened this issue 1 year ago • 0 comments

Motivation

The service account used by cloudbeat doesn't have permissions to browse on organization level, only on project level. Testable here

The error:

error fetching GCP Org: googleapi: Error 403: Permission 'resourcemanager.organizations.get' denied on resource '//cloudresourcemanager.googleapis.com/organizations/992493199029' (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "cloudresourcemanager.googleapis.com",
    "metadata": {
      "permission": "resourcemanager.organizations.get",
      "resource": "organizations/992493199029"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]
, forbidden

example log line

Definition of done

  • [ ] Understand the impact of the error, is this organization display name shown anywhere?
  • [ ] If needed update SA creation to grant permissions and add required permission to the docs

Related tasks/epics

  • Found on https://github.com/elastic/security-team/issues/8219#issuecomment-1870039617
  • Investigated on https://github.com/elastic/security-team/issues/7932#issuecomment-1870310592

romulets, Dec 28 '23 13:12
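One way to scope the impact asked for in the definition of done: an added Go example, not cloudbeat's own code, that parses the google.rpc.ErrorInfo details out of the 403 text quoted above and tells the org-level `resourcemanager.organizations.get` denial apart from any other failure, so the caller can choose to continue project-scoped instead of aborting. The function names and the fallback policy are assumptions; the sample error text is copied from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// orgGetPermission is the permission the issue reports as missing on the service account.
const orgGetPermission = "resourcemanager.organizations.get"

// errorInfo mirrors the google.rpc.ErrorInfo entries in the "Details:" array of the 403.
type errorInfo struct {
	Reason   string            `json:"reason"`
	Metadata map[string]string `json:"metadata"`
}

// parseDetails decodes the JSON array that follows "Details:" in the googleapi error text.
func parseDetails(msg string) ([]errorInfo, error) {
	_, rest, _ := strings.Cut(msg, "Details:")
	open, end := strings.Index(rest, "["), strings.LastIndex(rest, "]")
	if open < 0 || end < open {
		return nil, fmt.Errorf("no Details JSON array in error: %q", msg)
	}
	var infos []errorInfo
	err := json.Unmarshal([]byte(rest[open:end+1]), &infos)
	return infos, err
}

// decideOrgFetch returns degrade=true (and the org id) only for IAM_PERMISSION_DENIED on
// resourcemanager.organizations.get; any other failure is returned for the caller to surface.
func decideOrgFetch(msg string) (orgID string, degrade bool, err error) {
	infos, err := parseDetails(msg)
	if err != nil {
		return "", false, err
	}
	for _, info := range infos {
		if info.Reason == "IAM_PERMISSION_DENIED" && info.Metadata["permission"] == orgGetPermission {
			return strings.TrimPrefix(info.Metadata["resource"], "organizations/"), true, nil
		}
	}
	return "", false, nil
}

// sampleErr is the error text quoted in the issue, copied here so the example runs offline.
const sampleErr = `error fetching GCP Org: googleapi: Error 403: Permission 'resourcemanager.organizations.get' denied on resource '//cloudresourcemanager.googleapis.com/organizations/992493199029' (or it may not exist).
Details:
[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","domain":"cloudresourcemanager.googleapis.com","metadata":{"permission":"resourcemanager.organizations.get","resource":"organizations/992493199029"},"reason":"IAM_PERMISSION_DENIED"}]
, forbidden`
```

Calling `decideOrgFetch(sampleErr)` yields org id `992493199029` with degrade=true; a denial on any other permission, or text without a Details array, does not trigger the fallback.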