ansible-collections / google.cloud

GCP Ansible Collection https://galaxy.ansible.com/google/cloud
https://cloud.google.com
GNU General Public License v3.0

Error enabling Service Usage API with `google.cloud.gcp_serviceusage_service` Ansible module #623

Open axg852 opened 7 months ago

axg852 commented 7 months ago
SUMMARY

When using the `google.cloud.gcp_serviceusage_service` Ansible module to enable the Service Usage API (`serviceusage.googleapis.com`) against a GCP project, I receive a 403 error and a permission denied message, although the service account being used has the "Service Usage Admin" role. I can successfully enable the API using the gcloud command with the same service account file. The issue appears to be specific to the Ansible module. Once the Service Usage API is enabled (manually or via gcloud), I can enable other GCP API services (e.g. `policyanalyzer.googleapis.com`) using this Ansible module, so the issue is limited to the `google.cloud.gcp_serviceusage_service` Ansible module and the GCP Service Usage API.

ISSUE TYPE
COMPONENT NAME

google.cloud.gcp_serviceusage_service

https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_serviceusage_service_module.html#ansible-collections-google-cloud-gcp-serviceusage-service-module

ANSIBLE VERSION
```
[~/ansible]$ ansible --version
ansible [core 2.15.8]
  config file = None
  configured module search path = ['/home/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
  ansible collection location = /home/xxx/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.3
  libyaml = True
```
COLLECTION VERSION
```
$ ansible-galaxy collection list google.cloud

# /home/xxx/.ansible/collections/ansible_collections
Collection   Version
------------ -------
google.cloud 1.3.0
```
CONFIGURATION
```
$ ansible-config dump --only-changed
CONFIG_FILE() = None
PAGER(env: PAGER) = cat%
```
ENVIRONMENT

GCP

STEPS TO REPRODUCE

GCP:

  1. Create a service account under a GCP project or GCP organization
  2. Generate a service account file for the service account above (e.g. service_account_key.json)

Ansible:

  1. Install the Google client library for Python: `pip install --upgrade google-auth`
  2. Create a `playbook.yml` similar to the example provided below (update the `project` and `service_account_file` parameters)
  3. Run the playbook with the command `ansible-playbook playbook.yml`
  4. Observe the error message indicating that the Service Usage API has not been used or is disabled.

```yaml
---
- name: gather info on gcp project
  hosts: localhost
  gather_facts: false
  tasks:
  - name: create a service to enable service usage API
    google.cloud.gcp_serviceusage_service:
      name: serviceusage.googleapis.com
      project: example-project
      auth_kind: serviceaccount
      service_account_file: /path/to/service_account_key.json
      state: present
```

EXPECTED RESULTS

The Ansible module should successfully enable the Service Usage API without errors.

ACTUAL RESULTS
```
TASK [create a service to enable service usage API] ****************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "GCP returned error: {'error': {'code': 403, 'message': 'Service Usage API has not been used in project xxxxxx before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/serviceusage.googleapis.com/overview?project=xxxxxx then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.', 'status': 'PERMISSION_DENIED', 'details': [{'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developers console API activation', 'url': 'https://console.developers.google.com/apis/api/serviceusage.googleapis.com/overview?project=xxxxxxx'}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'SERVICE_DISABLED', 'domain': 'googleapis.com', 'metadata': {'service': 'serviceusage.googleapis.com', 'consumer': 'projects/xxxxxx'}}]}}", "request": {"body": null, "method": "GET", "url": "https://serviceusage.googleapis.com/v1/projects/example-project/services/serviceusage.googleapis.com"}}

PLAY RECAP *********************************************************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
```

axg852 commented 7 months ago

Perhaps the google.cloud.gcp_serviceusage_service module requires the service usage API to be enabled? If that's the case then the documentation should reflect that requirement.
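
Added example (not part of the issue and not the collection's own code): the 403 in the task output carries the status `PERMISSION_DENIED` but an `ErrorInfo` reason of `SERVICE_DISABLED`, so this Python code parses the module's failure message and separates a disabled API from other 403 responses. The function names, the category labels and the shortened sample messages are constructed for illustration.

```python
import ast

PREFIX = "GCP returned error: "
ERROR_INFO = "type.googleapis.com/google.rpc.ErrorInfo"

# Constructed sample: the failure "msg" from the task output above, with the
# long message text and the Help links shortened.
SAMPLE_MSG = (
    "GCP returned error: {'error': {'code': 403, 'message': 'Service Usage API "
    "has not been used in project xxxxxx before or it is disabled.', "
    "'status': 'PERMISSION_DENIED', 'details': ["
    "{'@type': 'type.googleapis.com/google.rpc.Help', 'links': []}, "
    "{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', "
    "'reason': 'SERVICE_DISABLED', 'domain': 'googleapis.com', "
    "'metadata': {'service': 'serviceusage.googleapis.com', "
    "'consumer': 'projects/xxxxxx'}}]}}"
)
# Constructed sample: a 403 that carries no SERVICE_DISABLED detail.
SAMPLE_DENIED = ("GCP returned error: {'error': {'code': 403, "
                 "'message': 'Permission denied.', 'status': 'PERMISSION_DENIED'}}")


def parse_module_msg(msg):
    """Return the 'error' dict embedded in the module's failure message.

    The payload is a Python dict repr (single quotes), not JSON, so it is read
    with ast.literal_eval, which accepts literals only and never runs code.
    """
    if not msg.startswith(PREFIX):
        raise ValueError("not a 'GCP returned error' message")
    payload = ast.literal_eval(msg[len(PREFIX):])
    if not isinstance(payload, dict) or not isinstance(payload.get("error"), dict):
        raise ValueError("unexpected error payload shape")
    return payload["error"]


def classify(error):
    """Return (category, service, consumer) for a parsed GCP error dict."""
    info = next((d for d in error.get("details", [])
                 if d.get("@type") == ERROR_INFO), {})
    meta = info.get("metadata", {})
    if error.get("code") == 403 and info.get("reason") == "SERVICE_DISABLED":
        # The API is off for the consumer project: not the same as a missing role.
        return ("api_disabled", meta.get("service"), meta.get("consumer"))
    if error.get("code") == 403:
        return ("permission_denied", None, None)  # review IAM bindings
    return ("other", None, None)


if __name__ == "__main__":
    print(classify(parse_module_msg(SAMPLE_MSG)))
```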