I’m working on a project where I’m using the Fabric Fast framework to deploy the GCP organization. Currently, I’m creating a GKE Cluster in a service project with a host network project.
I followed this guide for setting up the service account roles.
The configuration for the host network project is as follows:

```hcl
module "net-project" {
  source          = "../modules/project"
  billing_account = var.billing_account.id
  name            = "prj-net-core-0"
  parent          = var.folder_ids.networking
  prefix          = var.prefix
  services = [
    "compute.googleapis.com",
    "container.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "dns.googleapis.com",
    "iap.googleapis.com",
    "networkmanagement.googleapis.com",
    "servicenetworking.googleapis.com",
    "stackdriver.googleapis.com",
  ]
  shared_vpc_host_config = {
    enabled = true
  }
  iam = merge(var.iam, {
    "${var.custom_roles.checkpoint_ce_admins}" = [module.checkpoint-deployment-sa.iam_email]
    # HCL rejects duplicate keys in an object literal, so both service
    # accounts are listed under a single "roles/iam.serviceAccountUser" key.
    "roles/iam.serviceAccountUser" = [
      module.checkpoint-deployment-sa.iam_email,
      module.gke-deployment-sa.iam_email,
    ]
    "roles/viewer"                 = [module.networking-mnt-sa.iam_email]
    "roles/container.serviceAgent" = [module.gke-deployment-sa.iam_email]
  })
}
```
The permissions on the host project are as follows:

```hcl
module "net-host-project" {
  source         = "../../modules/project"
  name           = var.host_project_ids.core
  project_create = false
  iam_additive = {
    "roles/compute.networkUser" = [
      local.groups_iam.gcp-gke-admins,
      local.groups_iam.gcp-gke-operators,
      local.groups_iam.gcp-gke-viewers,
      module.project-svc-gke.service_accounts.cloud_services,
      module.project-svc-gke.service_accounts.robots.container-engine,
    ]
    "roles/container.hostServiceAgentUser" = [
      module.project-svc-gke.service_accounts.robots.container-engine,
      "serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}"
    ]
  }
}
```
The configuration of the service project is as follows:

```hcl
module "project-svc-gke" {
  source          = "../../modules/project"
  parent          = var.folder_ids["gke-dev"]
  billing_account = var.billing_account.id
  prefix          = var.prefix
  name            = "dev-apps-gke"
  services        = var.project_services
  shared_vpc_service_config = {
    host_project = var.host_project_ids.core
    service_identity_iam = {
      # "roles/container.hostServiceAgentUser" = ["container-engine"]
      # Both identities share one key: HCL does not allow the same key twice
      # in an object literal.
      "roles/compute.networkUser" = ["cloudservices", "container-engine"]
    }
  }
  iam = merge(
    {
      // "roles/container.developer" = [module.vm-bastion.service_account_iam_email]
      "roles/owner" = [local.groups_iam.gcp-gke-admins] # var.owners_gke
    },
    var.cluster_create
    ? {
      "roles/logging.logWriter"       = [module.cluster-1-nodepool-1[0].service_account_iam_email]
      "roles/monitoring.metricWriter" = [module.cluster-1-nodepool-1[0].service_account_iam_email]
    }
    : {}
  )
}
```
However, I'm encountering the following error:

```text
Error: Request Create IAM Members roles/container.hostServiceAgentUser serviceAccount:service-428569310085@container-engine-robot.iam.gserviceaccount.com for project "prj-net-core-0"
returned error: Batch request and retried single request "Create IAM Members roles/container.hostServiceAgentUser serviceAccount:service-428569310085@container-engine-robot.iam.gserviceaccount.com for project "prj-net-core-0"" both failed. Final error: Error applying IAM policy for project "prj-net-core-0": Error setting IAM policy for project "prj-net-core-0": googleapi: Error 403: Policy update access denied., forbidden
```
How can I resolve the 403 "Policy update access denied" error when trying to set the IAM policy for the service account in the host network project using Terraform? Any insights or suggestions would be greatly appreciated. Thank you!
What I have tried so far:
- Ensured that the service account being used has the necessary permissions.
- Verified that the IAM roles and bindings are correctly specified in the Terraform configuration.
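A 403 "Policy update access denied" on a `setIamPolicy` call means the identity Terraform runs as does not hold `resourcemanager.projects.setIamPolicy` on the target project, so the first thing to inspect is the host project's own IAM policy. The script below is an added example, not code from the post above or from the Fabric FAST project: it parses a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` emits and reports whether the deploying principal holds a predefined role that carries `setIamPolicy`, and whether the binding Terraform is trying to create is already there. The project id, service account emails and the policy document are constructed, and the set of roles recognised as granting `setIamPolicy` is limited to predefined roles (custom roles are not resolved).

```python
"""Offline triage of a GCP project IAM policy after a 403 on setIamPolicy.

Added example (not from the original post). Input is the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`; all sample values
below are constructed.
"""
import json

# Predefined roles that include resourcemanager.projects.setIamPolicy.
# Assumption: only predefined roles are recognised here; a custom role would
# have to be expanded to its permission list separately.
SET_IAM_POLICY_ROLES = frozenset({
    "roles/owner",
    "roles/resourcemanager.projectIamAdmin",
})


def parse_policy(policy_json: str) -> dict:
    """Return {member: {role, ...}} from a get-iam-policy JSON document.

    A conditional binding is kept but its role is suffixed with '?' because
    whether it applies depends on the request context, not on membership.
    """
    policy = json.loads(policy_json)
    members = {}
    for binding in policy.get("bindings", []):
        role = binding["role"] + ("?" if "condition" in binding else "")
        for member in binding.get("members", []):
            members.setdefault(member, set()).add(role)
    return members


def can_set_iam_policy(members: dict, principal: str) -> bool:
    """True if the principal holds an unconditional role granting setIamPolicy."""
    return bool(members.get(principal, set()) & SET_IAM_POLICY_ROLES)


def has_binding(members: dict, principal: str, role: str) -> bool:
    """True if the exact (member, role) pair is already in the policy."""
    return role in members.get(principal, set())


def diagnose(policy_json: str, deployer: str, target_member: str, target_role: str) -> dict:
    """Summarise why a Terraform setIamPolicy for target_member/target_role may fail."""
    members = parse_policy(policy_json)
    return {
        "deployer_roles": sorted(members.get(deployer, ())),
        "deployer_can_set_policy": can_set_iam_policy(members, deployer),
        "binding_already_present": has_binding(members, target_member, target_role),
    }


# Constructed sample: a host project policy in which the deploying SA only
# has container.serviceAgent and iam.serviceAccountUser (neither grants
# setIamPolicy), while a group holds projectIamAdmin.
DEPLOYER = "serviceAccount:gke-deploy@example-prj.iam.gserviceaccount.com"
ROBOT = "serviceAccount:service-000000000000@container-engine-robot.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/container.serviceAgent", "members": [DEPLOYER]},
        {"role": "roles/iam.serviceAccountUser", "members": [DEPLOYER]},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["group:gcp-network-admins@example.com"]},
    ],
    "etag": "constructed-etag",
    "version": 1,
})

if __name__ == "__main__":
    report = diagnose(SAMPLE_POLICY, DEPLOYER, ROBOT, "roles/container.hostServiceAgentUser")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing `SAMPLE_POLICY` with the file contents; if `deployer_can_set_policy` is false, the fix is on the host project side (granting the deploying identity a role that includes `setIamPolicy` there), not in the service project configuration.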