MarkEdmondson1234 / googleAuthR

Google API Client Library for R. Easy authentication and help to build Google API R libraries with OAuth2. Shiny compatible.
https://code.markedmondson.me/googleAuthR

gar_service_create - Permission iam.serviceAccounts.create is required to perform this operation on project #203

Closed j450h1 closed 3 years ago

j450h1 commented 3 years ago

I'm a Project Owner and Service Account Admin for this GCP project. Any clue where I'm going wrong?

options(googleAuthR.verbose=2)

library(googleAuthR)

gar_set_client(
  json = "{PATH}/jas-test-client_secret_843223677839-e0klpfahe9hi13vndllfnv2lj67ok7l0.apps.googleusercontent.com.json",
  scopes = "https://www.googleapis.com/auth/cloud-platform")
gar_auth()

#gar_service_create("test12345678", "my-project")
gar_service_create("test12345678", "jas-test")

OUTPUT:

> options(googleAuthR.verbose=2)
> 
> library(googleAuthR)
ℹ 2021-02-05 23:22:18 > No scopes have been set, set them via 
              options(googleAuthR.scopes.selected) - 
              no authentication attempted.
> 
> gar_set_client(
+   json = "{PATH}/jas-test-client_secret_843223677839-e0klpfahe9hi13vndllfnv2lj67ok7l0.apps.googleusercontent.com.json",
+   scopes = "https://www.googleapis.com/auth/cloud-platform")
ℹ 2021-02-05 23:22:18 > Setting client.id from  /Users/jas/Documents/key/jas-test-client_secret_843223677839-e0klpfahe9hi13vndllfnv2lj67ok7l0.apps.googleusercontent.com.json
ℹ 2021-02-05 23:22:18 > 
options(googleAuthR.scopes.selected=c(' https://www.googleapis.com/auth/cloud-platform ')) 
options(googleAuthR.client_id=' 843223677839-e0klpfahe9hi13vndllfnv2lj67ok7l0.apps.googleusercontent.com ') 
options(googleAuthR.client_secret=' {SECRET} ') 
options(googleAuthR.webapp.client_id='  ') 
options(googleAuthR.webapp.client_secret='  ')
[1] "jas-test"
> gar_auth()
> gar_service_create("test12345678", "jas-test")
ℹ 2021-02-05 23:22:34 > Token exists.
ℹ 2021-02-05 23:22:34 > Request:  https://iam.googleapis.com/v1/projects/jas-test/serviceAccounts/test12345678@jas-test.iam.gserviceaccount.com/
ℹ 2021-02-05 23:22:34 > Request Status Code:  404
ℹ 2021-02-05 23:22:34 > API returned error:  Not found; Gaia id not found for email test12345678@jas-test.iam.gserviceaccount.com
ℹ 2021-02-05 23:22:34 > No retry attempted:  Not found; Gaia id not found for email test12345678@jas-test.iam.gserviceaccount.com
ℹ 2021-02-05 23:22:34 > Creating new service account:  test12345678@jas-test.iam.gserviceaccount.com
ℹ 2021-02-05 23:22:34 > Creating service accountId -  test12345678
ℹ 2021-02-05 23:22:34 > Token exists.
ℹ 2021-02-05 23:22:34 > Request:  https://iam.googleapis.com/v1/projects/jas-test/serviceAccounts/
ℹ 2021-02-05 23:22:34 > Body JSON parsed to:  {"accountId":"test12345678","serviceAccount":{"description":"A service account created via googleAuthR","displayName":"googleAuthR::gar_service_create"}}
ℹ 2021-02-05 23:22:34 > Request Status Code:  403
ℹ 2021-02-05 23:22:34 > API returned error:  Permission iam.serviceAccounts.create is required to perform this operation on project projects/jas-test.
ℹ 2021-02-05 23:22:34 > No retry attempted:  Permission iam.serviceAccounts.create is required to perform this operation on project projects/jas-test.
Error: API returned: Permission iam.serviceAccounts.create is required to perform this operation on project projects/jas-test.
MarkEdmondson1234 commented 3 years ago

Does gar_service_provision() work for you? If so then you should then have the permissions to list/assign roles.

If not, are you authenticating with the email that is an Owner? This works for me:

library(googleAuthR)
# default for json using Sys.getenv("GAR_CLIENT_JSON")
gar_set_client(scopes = "https://www.googleapis.com/auth/cloud-platform")
gar_auth()
gar_service_create("test12345678", "my_project")

I can see my roles to help with your roles ;) - I only have user:

gar_service_get_roles("my-project", accountId = "my@email.com", type = "user")
#ℹ 2021-02-06 18:31:37 > Checking existing roles
#        roles                  members
#1 roles/owner user:my@email.com

If still not working, will have to think - perhaps the client.id for the JSON is restricted to certain scopes when set up?

j450h1 commented 3 years ago

Thanks for your help. I figured out the root cause. Everything works now as expected.

The key was to set GAR_CLIENT_JSON as an environment variable in the .Renviron file and restarting the session, of course. The way I had originally set up the client id using gar_set_client() wasn't the way to do things.
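Putting the two findings of this thread together (the maintainer's suggestion to check project roles with gar_service_get_roles(), and the reporter's fix of supplying the client JSON through GAR_CLIENT_JSON in .Renviron), here is an added example of a pre-flight check before calling gar_service_create(). It is not code from the issue or from the googleAuthR project. It assumes .Renviron holds a GAR_CLIENT_JSON entry pointing at the OAuth client file, that the authenticated user is a project member, and that the role list returned by gar_service_get_roles() has the roles/members columns shown in the thread; the helper names and the usage values are constructed.

```r
# Added example, not from the issue thread or the googleAuthR project.
# Assumes .Renviron contains a line such as
#   GAR_CLIENT_JSON=/path/to/client_secret.json   (placeholder path)
# and that R was restarted after editing .Renviron.
library(googleAuthR)

# Predefined GCP roles that carry iam.serviceAccounts.create.
sa_create_roles <- c("roles/owner", "roles/editor", "roles/iam.serviceAccountAdmin")

# Take the client JSON from the environment (the thread's working setup)
# instead of passing a path to gar_set_client(), and fail early if unset.
ensure_client_from_env <- function() {
  path <- Sys.getenv("GAR_CLIENT_JSON")
  if (!nzchar(path) || !file.exists(path)) {
    stop("GAR_CLIENT_JSON is unset or does not point to a file; ",
         "add it to .Renviron and restart R.", call. = FALSE)
  }
  gar_set_client(scopes = "https://www.googleapis.com/auth/cloud-platform")
  invisible(path)
}

# Report whether the user holds a project role that permits service account
# creation, so a 403 from the IAM API is explained before it happens.
user_can_create_sa <- function(project_id, user_email) {
  roles <- gar_service_get_roles(project_id, accountId = user_email, type = "user")
  held_roles <- if (is.null(roles)) character(0) else as.character(roles$roles)
  permitted <- intersect(held_roles, sa_create_roles)
  if (length(permitted) == 0) {
    message("No role granting iam.serviceAccounts.create for ", user_email,
            " on ", project_id, "; roles held: ",
            if (length(held_roles)) paste(held_roles, collapse = ", ") else "none")
    return(FALSE)
  }
  message("Role(s) permitting service account creation: ",
          paste(permitted, collapse = ", "))
  TRUE
}

# Authenticate, verify the role, then create the service account.
create_sa_checked <- function(account_id, project_id, user_email) {
  ensure_client_from_env()
  gar_auth()
  if (!user_can_create_sa(project_id, user_email)) {
    stop("Not calling gar_service_create(): the authenticated user lacks ",
         "a role with iam.serviceAccounts.create on ", project_id, call. = FALSE)
  }
  gar_service_create(account_id, project_id)
}

# Usage (constructed values; substitute your project id and login email):
# create_sa_checked("test12345678", "jas-test", "you@example.com")
```

The role check is deliberately conservative: only the three predefined roles listed are recognised, so a custom role that happens to include iam.serviceAccounts.create will be reported as missing and you would extend sa_create_roles for it. Checking the role before the create call also makes it obvious when gar_auth() has picked up a cached token for a different Google account than the one that owns the project.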