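# Allow the Cloud Storage service agent of PROJECT_ID to publish to Pub/Sub;
# Eventarc relies on this binding for Cloud Storage triggers. PROJECT_ID is a
# placeholder for the target project. The Terraform module
# "member_roles_gcs_service_account" in this issue creates the same binding, so
# only one of the two mechanisms is needed.
SERVICE_ACCOUNT="$(gcloud storage service-agent --project=PROJECT_ID)"
# Fail fast when the lookup returns nothing (wrong project, missing auth);
# otherwise the binding below would be attempted with the malformed member
# "serviceAccount:" instead of a real principal.
if [ -z "${SERVICE_ACCOUNT}" ]; then
  echo "Could not resolve the Cloud Storage service agent for PROJECT_ID" >&2
  exit 1
fi
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:${SERVICE_ACCOUNT}" \
  --role='roles/pubsub.publisher'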
# Binds the roles listed in project_roles to the project's default Compute Engine
# service account via the member_iam module of terraform-google-modules/iam.
# data.google_compute_default_service_account.default and var.project_id are
# declared elsewhere in the configuration.
module "member_roles_default_compute" {
source = "terraform-google-modules/iam/google//modules/member_iam"
service_account_address = data.google_compute_default_service_account.default.email
prefix = "serviceAccount"
project_id = var.project_id
# NOTE(review): the *.serviceAgent roles below (batch, workflows, eventarc,
# transcoder, artifactregistry) are designed for the Google-managed service agent
# of each API, not for a workload identity; binding them to the default compute
# SA grants more than the workloads need. In particular, the "Permission denied
# while using the Eventarc Service Agent" error raised when creating
# google_eventarc_trigger refers to the Eventarc service agent (presumably
# service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com) lacking
# roles/eventarc.serviceAgent; granting that role to the compute SA here does not
# satisfy that check. roles/iam.serviceAccountUser and roles/transcoder.admin are
# also broad — confirm each is actually required before keeping it.
project_roles = [
# Batch API
"roles/batch.jobsEditor",
"roles/batch.serviceAgent",
"roles/batch.agentReporter",
# Workflows
"roles/workflows.invoker",
"roles/workflows.serviceAgent",
"roles/logging.logWriter",
# EventArc
"roles/eventarc.serviceAgent",
"roles/eventarc.eventReceiver",
"roles/pubsub.publisher",
# Transcoder API
"roles/transcoder.admin",
"roles/transcoder.serviceAgent",
# Artifact Registry
"roles/artifactregistry.writer",
"roles/artifactregistry.serviceAgent",
"roles/artifactregistry.reader",
"roles/iam.serviceAccountUser",
# Storage
"roles/storage.objectUser",
"roles/storage.objectViewer"
]
}
# Grants the Cloud Storage service agent of the project permission to publish
# to Pub/Sub, which Eventarc Cloud Storage triggers depend on. This is the same
# binding the gcloud snippet above creates; keep one of the two to avoid
# managing the same IAM member from two places. data.google_project.project is
# declared elsewhere in the configuration.
module "member_roles_gcs_service_account" {
source = "terraform-google-modules/iam/google//modules/member_iam"
# Service agent address is derived from the project number, not the project id.
service_account_address = "service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
prefix = "serviceAccount"
project_id = var.project_id
project_roles = [
# EventArc
"roles/pubsub.publisher"
]
}
# Grants the Pub/Sub service agent of the project roles/iam.serviceAccountTokenCreator.
# NOTE(review): this is the binding Eventarc requires so that Pub/Sub can mint
# identity tokens for authenticated push delivery — confirm against the Eventarc
# setup docs for the trigger type in use. data.google_project.project is declared
# elsewhere in the configuration.
module "member_roles_pubsub_service_account" {
source = "terraform-google-modules/iam/google//modules/member_iam"
# Service agent address is derived from the project number, not the project id.
service_account_address = "service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
prefix = "serviceAccount"
project_id = var.project_id
project_roles = [
# PubSub
"roles/iam.serviceAccountTokenCreator"
]
}
│ Error: Error creating Trigger: googleapi: Error 400: Invalid resource state for "": Permission denied while using the Eventarc Service Agent. If you recently started to use Eventarc, it may take a few minutes before all necessary permissions are propagated to the Service Agent. Otherwise, verify that it has Eventarc Service Agent role.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
│     "violations": [
│       {
│         "description": "Permission denied while using the Eventarc Service Agent. If you recently started to use Eventarc, it may take a few minutes before all necessary permissions are propagated to the Service Agent. Otherwise, verify that it has Eventarc Service Agent role.",
│         "type": "Eventarc Service Agent"
│       }
│     ]
│   },
│   {
│     "@type": "type.googleapis.com/google.rpc.RequestInfo",
│     "requestId": "7dcdc4dfb1d49db1"
│   }
│ ]
│
│ with google_eventarc_trigger.primary,
│ on workflow.tf line 40, in resource "google_eventarc_trigger" "primary":
│ 40: resource "google_eventarc_trigger" "primary" {