GoogleCloudPlatform / cloud-foundation-fabric

End-to-end modular samples and landing zones toolkit for Terraform on GCP.
Apache License 2.0
1.53k stars 882 forks

Project-factory CICD : Insufficient permissions on read-only SA #2667

Closed karpok78 closed 11 hours ago

karpok78 commented 5 days ago

Running stage-2 project-factory from a CICD workflow failed at the initial "terraform plan" step because of missing IAM permissions for the xxx-resman-pf-0r service account.

I could not check all stage features, but I could identify at least:

Error: Error when reading or editing BillingBudget "billingAccounts/XXXXXXXXXX": googleapi: Error 403: The caller does not have permission

  with module.projects.module.billing-account[0].google_billing_budget.default["kar-default"],
  on .terraform/modules/projects/modules/billing-account/budgets.tf line 39, in resource "google_billing_budget" "default":
  39: resource "google_billing_budget" "default" {

Error: Error when reading or editing Resource "storage bucket \"b/XXXXXX\"" with IAM Binding (Role "roles/storage.objectViewer"): Error retrieving IAM policy for storage bucket "b/XXXXXXXX": googleapi: Error 403: xxx-resman-pf-0r@kar-prod-iac-core-0.iam.gserviceaccount.com does not have storage.buckets.getIamPolicy access to the Google Cloud Storage bucket. Permission 'storage.buckets.getIamPolicy' denied on resource (or it may not exist)., forbidden

  with module.projects.module.automation-buckets["prod-website/state"].google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"],
  on .terraform/modules/projects/modules/gcs/iam.tf line 36, in resource "google_storage_bucket_iam_binding" "authoritative":
  36: resource "google_storage_bucket_iam_binding" "authoritative" {

As a side note, there is also a little inconsistency in WIF SA names: xxx-pf-resman-pf-1, but xxx-resman-pf-1r

ludoo commented 14 hours ago

Thanks for reporting this, we're promoting the next release of FAST soon, I'll make sure this is fixed there.

ludoo commented 11 hours ago

Thanks for opening this issue and for the detailed error messages.

Let's start from the naming inconsistency: the new release of FAST, which is out as an rc and which we'll promote this week, already addresses it. This is a snippet from the generated workflow file for the project factory:

FAST_SERVICE_ACCOUNT: ldj-prod-resman-pf-1@ldj-prod-iac-core-0.iam.gserviceaccount.com
FAST_SERVICE_ACCOUNT_PLAN: ldj-prod-resman-pf-1r@ldj-prod-iac-core-0.iam.gserviceaccount.com

Now to the missing IAM bindings for the project factory read-only SA.

One error which I found and you did not report regards missing permissions to read IAM bindings in networking and security stage projects. This is needed when the pf grants roles on other stage 2 resources (e.g. roles/compute.networkUser). This is addressed in #2683 by granting the custom role projectIAMViewer to the read-only SA on networking and security folders.

The billing budget error is a lot trickier: for one, we did not have a suitable custom role so a new billingViewer role was added to stage 0 in #2685. But then this role can only be applied if the billing account is under the same org, so the PR only grants it when var.billing_account.is_org_level is true. If you are dealing with a service account living outside the org itself, this needs to be done by manually assigning roles/billing.costsManager which also grants r/w permissions on budgets.

For the buckets, the pattern we support is to have the pf itself create a project to host IaC resources for application-level projects, and there it's its own responsibility to assign the correct permissions to its service account.

I hope this addresses your issues, I am marking this closed but feel free to reopen if you want to further discuss the topic.
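The binding pattern described in the comment above (a least-privilege custom role for the plan SA on the stage-2 folders, and a budget-viewer role granted only when the billing account is org-level), written out as an added illustration that is not cloud-foundation-fabric's own code: the variable names, role ids, permission lists and the folder map are assumptions, and the actual changes in #2683 and #2685 may differ.

```hcl
# Added example, not the project's code. All names below are assumptions.
variable "billing_account" {
  type = object({
    id           = string # e.g. "XXXXXX-XXXXXX-XXXXXX" (placeholder)
    is_org_level = bool
  })
}
variable "organization_id"      { type = string }      # numeric org id
variable "pf_readonly_sa_email" { type = string }      # the "-0r"/"-1r" plan SA
variable "stage2_folder_ids"    { type = map(string) } # e.g. networking/security folders

# Read-only view of project IAM policies: enough for "terraform plan" to
# refresh bindings the project factory grants on other stage-2 projects,
# without any ability to change them.
resource "google_organization_iam_custom_role" "project_iam_viewer" {
  org_id      = var.organization_id
  role_id     = "projectIAMViewer"
  title       = "Project IAM Viewer"
  permissions = [
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
  ]
}

resource "google_folder_iam_member" "pf_ro_project_iam_viewer" {
  for_each = var.stage2_folder_ids
  folder   = each.value
  role     = google_organization_iam_custom_role.project_iam_viewer.id
  member   = "serviceAccount:${var.pf_readonly_sa_email}"
}

# Read-only budget access. An org-level custom role can only be bound on a
# billing account that lives in the same org, hence the count guard.
resource "google_organization_iam_custom_role" "billing_viewer" {
  org_id      = var.organization_id
  role_id     = "billingViewer"
  title       = "Billing Viewer"
  permissions = [
    "billing.accounts.get",
    "billing.budgets.get",
    "billing.budgets.list",
  ]
}

resource "google_billing_account_iam_member" "pf_ro_billing_viewer" {
  count              = var.billing_account.is_org_level ? 1 : 0
  billing_account_id = var.billing_account.id
  role               = google_organization_iam_custom_role.billing_viewer.id
  member             = "serviceAccount:${var.pf_readonly_sa_email}"
}
```

When `is_org_level` is false no budget binding is created, and the predefined roles/billing.costsManager has to be granted on the external billing account by hand, as the comment notes; it is broader than read-only, so it is worth reviewing who else holds it there.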