Service account does not have storage.buckets.create access

google-cloud-platform terraform service-accounts google-iam
6,234

I had the same problem. We are using Organizations on GCP. And I used this script to create the terraform account in a terraform-admin project I created just for holding the master terraform service account which we use for setting up higher level projects and environments.

It turns out that the roles I set up for terraform@{project}.iam.gserviceaccount.com in the admin project are local to that project. i.e. in the organization IAM view this service account shows up with only 'Billing Account User' and 'Project Creator'.

I am not sure but I think that other organization scope projects can't read the roles set in other projects (or the roles set in other projects for a specific service account are overridden by the roles setup in the organization scope roles for that service account.)

Adding 'Storage Admin' and 'Viewer' roles to the organization scope service account fixed this error.

P.S I think that using terraform enterprise allows managing organization-wide users and thus makes it possible to create and manage terraform service accounts in the organization scope, avoiding the need to manually add the organization scope roles to the service account one experiences with the community version.

Share:
6,234

Related videos on Youtube

Andrew Ellis
Author by

Andrew Ellis

Updated on September 18, 2022

Comments

  • Andrew Ellis
    Andrew Ellis over 1 year

    I have created a Service Account for Terraform. Apart of our process is to create some storage buckets and maintain them through Terraform.

    However, when we run terraform apply we get the following error:

    google_storage_bucket.state_bucket: googleapi: Error 403: terraform@{project}.iam.gserviceaccount.com does not have storage.buckets.create access to project {project_id}.

    I have applied the following IAM permissions to no avail:

    • Project Owner
    • Storage Admin
    • Storage Object Admin
  • Andrew Ellis
    Andrew Ellis about 5 years
    Indeed, something has to have changed. I have to manually create the buckets, then attach the Service Account to the bucket with Storage Admin and Storage Object Admin, then run terraform import... Not ideal, but a work around.
  • Travis
    Travis about 5 years
    Have you tried it lately? Since this weekend, it seems to have cleared up, at least for me.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Access denied (SA doesn't have storage.objects.create access) when trying to upload using a preSigned url to google cloud storage
GCP Deployment Manager: 403 does not have storage.buckets.get access
Terraform: googleapi: Error 403: Permission denied on resource project
Terraform: "known only after apply" ISSUE
Google Cloud credentials with Terraform
GCP Service Account can't access IAM operations with permissions
PermissionDenied: 403 IAM permission 'dialogflow.intents.list'
How to get a GCP Bearer token programmatically with python
How to Auth to Google Cloud using Service Account in Python?
service account does not have storage.objects.get access for Google Cloud Storage