GoogleCloudPlatform / cloud-foundation-fabric

End-to-end modular samples and landing zones toolkit for Terraform on GCP.
Apache License 2.0

Failed to check permissions on billing account (gcs-to-bq-with-dataflow) #427

Closed erivarola closed 2 years ago

erivarola commented 2 years ago

TL;DR

Tried to run terraform apply with requested variables (root node, project names, billing account) and received a "Failed to check permissions on billing account" error in the first steps of the gcs-to-bq-with-dataflow example (where the projects get created).

Expected behavior

It should spin up the projects without an issue; this was working before the recent repo update.

Observed behavior

It crashes in project creation:

│ Error: failed pre-requisites: failed to check permissions on billing account "billingAccounts/[BILLING_ACCOUNT_ID]": Post "https://cloudbilling.googleapis.com/v1/billingAccounts/[BILLING_ACCOUNT_ID]:testIamPermissions?alt=json&prettyPrint=false": oauth2/google: invalid token JSON from metadata: EOF
│
│   with module.project-kms.google_project.project[0],
│   on ../../../modules/project/main.tf line 85, in resource "google_project" "project":
│   85: resource "google_project" "project"

Terraform Configuration

root_node = "folders/[folder_id]"
billing_account = "[billing_account_id]"
project_kms_name = "kms-project-e3b0c4f74db8"
project_service_name = "service-project-e3b0c4f74db8"

Terraform Version

v1.0.11

Additional information

No response

ludoo commented 2 years ago

What permissions does the user running the script have on the billing account?

erivarola commented 2 years ago

The user has the Billing Account User role.

ludoo commented 2 years ago

So, looking at the error message, it does not appear to be module-related or even Terraform-related:

oauth2/google: invalid token JSON from metadata

Can you reproduce the error consistently? Can you check that your application credentials or service account token are ok?
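
One way to run the token check suggested above, as an added example that is not part of the original thread or the project's code: it classifies the raw body returned by the GCE metadata token endpoint, where an empty body is the case a JSON decoder reports as EOF. The function names and sample bodies are constructed for illustration.

```python
import json
import urllib.request

# Documented GCE metadata endpoint for the default service account's token.
TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
             "instance/service-accounts/default/token")


def classify_token_body(body: bytes) -> str:
    """Classify a raw token response without ever echoing the token itself."""
    if not body.strip():
        # Nothing to decode: this is what a JSON decoder reports as EOF.
        return "empty-body"
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return "not-json"
    if not isinstance(doc, dict) or not doc.get("access_token"):
        return "no-access-token"
    expires = doc.get("expires_in")
    if isinstance(expires, bool) or not isinstance(expires, (int, float)) or expires <= 0:
        return "expired-or-missing-expiry"
    return "ok"


def fetch_token_body(timeout: float = 3.0) -> bytes:
    """Fetch the raw response; only works where a metadata server is reachable."""
    req = urllib.request.Request(TOKEN_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample bodies (not captured from a real host).
SAMPLES = {
    "healthy": b'{"access_token":"CONSTRUCTED","expires_in":3599,"token_type":"Bearer"}',
    "empty": b"",
    "html-error": b"<html>502 Bad Gateway</html>",
    "no-token": b'{"error":"constructed error message"}',
    "stale": b'{"access_token":"CONSTRUCTED","expires_in":0,"token_type":"Bearer"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} -> {classify_token_body(body)}")
    # On the machine running terraform, check the live response instead:
    #   print(classify_token_body(fetch_token_body()))
```

Running the live check a few times in a row also answers whether the failure is consistent or intermittent.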