
Access denied for fldr-development resource

Open vortex-abdel-toukebri opened this issue 3 years ago • 8 comments

Hi @bharathkkb Thank you for the help. Unfortunately, your suggestion on #542 didn't work. I granted the Service Account Token Creator role (at the project and folder level) to the SA but I'm still getting the same error. If I use the org-terraform SA from the seed project it works fine (locally).

vortex-abdel-toukebri, Aug 18 '21 16:08

Hi @vortex-abdel-toukebri. Just to confirm: did you grant the Service Account Token Creator role to the user authenticated via gcloud (gcloud auth list) on the project_service_account?

You can confirm if this is configured correctly with gcloud iam service-accounts get-iam-policy $PROJECT_SERVICE_ACCOUNT --project $PROJECT --flatten="bindings[].members" --filter="bindings.role=roles/iam.serviceAccountTokenCreator" --format="value(bindings.members)"

bharathkkb, Aug 18 '21 16:08

Hi @bharathkkb The output is:

serviceAccount:<app_infra_pipeline_cloudbuild_sa>

Where app_infra_pipeline_cloudbuild_sa is the cloudbuild SA from the step 4-projects/business_unit_1/shared using the following command:

terraform output cloudbuild_sa

vortex-abdel-toukebri, Aug 18 '21 17:08

Thanks! So it looks like you don't have Service Account Token Creator on your user account to impersonate that SA which is needed for running TF locally. You can add your current user via

gcloud iam service-accounts add-iam-policy-binding $PROJECT_SERVICE_ACCOUNT --project $PROJECT --member="user:$(gcloud auth list --format="value(account)")" --role="roles/iam.serviceAccountTokenCreator"

or if you want to manage it via TF

resource "google_service_account_iam_member" "sa_impersonate_permissions" {
  # service_account_id must be the full resource name of the SA:
  # projects/{project}/serviceAccounts/{email}
  service_account_id = "projects/PROJECT/serviceAccounts/PROJECT_SERVICE_ACCOUNT"
  role               = "roles/iam.serviceAccountTokenCreator"
  # the user who runs Terraform locally and will impersonate the SA
  member             = "user:YOUR_USER"
}

bharathkkb, Aug 18 '21 17:08
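As an added example (not code from the thread or the terraform-example-foundation repo), the check above can be automated over the JSON that `gcloud iam service-accounts get-iam-policy <SA> --format=json` returns: it lists who holds Service Account Token Creator on the SA, tells whether a given principal can impersonate it, and flags impersonation roles granted to broad principals. The sample policy, the SA e-mail and the user are constructed values.

```python
import json
import sys

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
IMPERSONATION_ROLES = (TOKEN_CREATOR, "roles/iam.serviceAccountUser")
BROAD_PREFIXES = ("allUsers", "allAuthenticatedUsers", "domain:")

# Constructed sample in the shape `gcloud iam service-accounts get-iam-policy --format=json` emits.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:cloudbuild-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:dev@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2021-09-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountUser", "members": ["domain:example.com"]}
  ],
  "etag": "BwXYZ", "version": 3
}
""")


def token_creators(policy):
    """Map each principal holding Token Creator on this SA to True if the grant is unconditional."""
    result = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        unconditional = "condition" not in binding
        for member in binding.get("members", []):
            # an unconditional binding wins over a conditional one for the same member
            result[member] = result.get(member, False) or unconditional
    return result


def can_impersonate(policy, principal):
    """True if principal holds Token Creator directly on the SA (SA-level policy only)."""
    return principal in token_creators(policy)


def broad_grants(policy):
    """Flag impersonation-related roles granted to allUsers, allAuthenticatedUsers or a whole domain."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            if b.get("role") in IMPERSONATION_ROLES
            for m in b.get("members", []) if m.startswith(BROAD_PREFIXES)]


if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, unconditional in token_creators(policy).items():
        print(f"{member} can impersonate (unconditional={unconditional})")
    for role, member in broad_grants(policy):
        print(f"WARNING: {role} granted to broad principal {member}")
```

This reads only the SA's own IAM policy, like the gcloud command above; a grant of the same role at project or folder level also confers impersonation and must be audited separately.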

Hi @bharathkkb Thank you very much. You made my day :-). Finally, it worked (plan & apply) after I granted the Service Account Token Creator to my account (albeit I am the owner of the Org!). However, I've had to add the following roles to project_service_account in order to make the 5-app-infra/business_unit_1 work (the compute engine example).

  • Compute Instance Admin (v1)
  • Create Service Accounts
  • Service Account Token Creator
  • Service Account User

Thanks again!

vortex-abdel-toukebri, Aug 18 '21 20:08

Awesome, I'll keep this open to document this to the running locally section and use more granular roles for the example.

However, I've had to add the following roles to project_service_account

The project_service_account roles can be managed on a per project basis or you can have 1 SA with permissions across multiple projects.

bharathkkb, Aug 18 '21 21:08

Add new step 9 to top. The following gives the user permissions to run the terraform locally with the serviceAccountTokenCreator permission.

gcloud iam service-accounts add-iam-policy-binding $PROJECT_SERVICE_ACCOUNT --project $PROJECT --member="user:$(gcloud auth list --format="value(account)")" --role="roles/iam.serviceAccountTokenCreator"

mark1000, Aug 18 '21 22:08

Top of file: https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/5-app-infra

mark1000, Aug 18 '21 22:08

@mark1000 @bharathkkb does the suggestion to run this step manually bypass all the security measures put in place by this framework?

Can you help me understand the need for users to impersonate a highly privileged service account from their local workstation after the infra-pipeline shared (common) environment is deployed manually the first time?

dataplex, Sep 26 '22 17:09