gfilicetti / gke-github-deployment

This repository is a complete example of a CI/CD pipeline built with GitHub Actions, Terraform and other tooling.
Apache License 2.0

Permission denied while using the Eventarc Service Agent #25

Closed alanpoole closed 1 month ago

alanpoole commented 1 month ago

│ Error: Error creating Trigger: googleapi: Error 400: Invalid resource state for "": Permission denied while using the Eventarc Service Agent. If you recently started to use Eventarc, it may take a few minutes before all necessary permissions are propagated to the Service Agent. Otherwise, verify that it has Eventarc Service Agent role. │ Details: │ [ │ { │ "@type": "type.googleapis.com/google.rpc.PreconditionFailure", │ "violations": [ │ { │ "description": "Permission denied while using the Eventarc Service Agent. If you recently started to use Eventarc, it may take a few minutes before all necessary permissions are propagated to the Service Agent. Otherwise, verify that it has Eventarc Service Agent role.", │ "type": "Eventarc Service Agent" │ } │ ] │ }, │ { │ "@type": "type.googleapis.com/google.rpc.RequestInfo", │ "requestId": "7dcdc4dfb1d49db1" │ } │ ] │ │ with google_eventarc_trigger.primary, │ on workflow.tf line 40, in resource "google_eventarc_trigger" "primary": │ 40: resource "google_eventarc_trigger" "primary" {

ggiovanejr commented 1 month ago
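# Grant the project's Cloud Storage service agent roles/pubsub.publisher.
# Eventarc delivers Cloud Storage events through Pub/Sub, so the storage
# service agent must be allowed to publish; without this binding the
# Eventarc trigger creation fails with the "Permission denied while using
# the Eventarc Service Agent" precondition error.
#
# PROJECT_ID is a placeholder: set it once here instead of repeating it.
PROJECT_ID="PROJECT_ID"

# Resolve the storage service agent e-mail for this project.
SERVICE_ACCOUNT="$(gcloud storage service-agent --project="${PROJECT_ID}")"

# Guard against an empty lookup (e.g. wrong project or missing permission);
# otherwise the binding below would be attempted with member "serviceAccount:".
if [ -z "${SERVICE_ACCOUNT}" ]; then
    echo "could not resolve the Cloud Storage service agent for ${PROJECT_ID}" >&2
    exit 1
fi

# Add the binding at project level; add-iam-policy-binding is additive and
# leaves existing bindings in place.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role="roles/pubsub.publisher"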
alanpoole commented 1 month ago
# Project-level IAM bindings for the default Compute Engine service account
# (resolved from data.google_compute_default_service_account.default), applied
# through the terraform-google-modules member_iam module.
module "member_roles_default_compute" {
  source                  = "terraform-google-modules/iam/google//modules/member_iam"
  service_account_address = data.google_compute_default_service_account.default.email
  # "serviceAccount" is the IAM member prefix the module prepends to the address.
  prefix                  = "serviceAccount"
  project_id              = var.project_id
  # NOTE(review): several entries below are "*.serviceAgent" roles. Those roles
  # are intended for the Google-managed service agents of each API, not for a
  # workload identity such as the default compute SA, so this list is broader
  # than least privilege. In particular, binding roles/eventarc.serviceAgent
  # here presumably does not satisfy the "verify that it has Eventarc Service
  # Agent role" precondition, which refers to the Eventarc service agent
  # itself (service-<project number>@gcp-sa-eventarc.iam.gserviceaccount.com)
  # — confirm which of these bindings the pipeline actually needs.
  project_roles = [
    # Batch API
    "roles/batch.jobsEditor",
    "roles/batch.serviceAgent",
    "roles/batch.agentReporter",
    # Workflows
    "roles/workflows.invoker",
    "roles/workflows.serviceAgent",
    "roles/logging.logWriter",
    # EventArc
    "roles/eventarc.serviceAgent",
    "roles/eventarc.eventReceiver",
    "roles/pubsub.publisher",
    # Transcoder API
    "roles/transcoder.admin",
    "roles/transcoder.serviceAgent",
    # Artifact Registry
    "roles/artifactregistry.writer",
    "roles/artifactregistry.serviceAgent",
    "roles/artifactregistry.reader",
    # Allows this SA to act as (impersonate) other service accounts in the
    # project — a high-impact permission; review whether it is needed here.
    "roles/iam.serviceAccountUser",
    # Storage
    "roles/storage.objectUser",
    "roles/storage.objectViewer"
  ]
}
alanpoole commented 1 month ago
# Project-level IAM binding for the Cloud Storage service agent
# (service-<project number>@gs-project-accounts.iam.gserviceaccount.com).
module "member_roles_gcs_service_account" {
  source                  = "terraform-google-modules/iam/google//modules/member_iam"
  # Derived from the project number so no per-environment value is hard-coded.
  service_account_address = "service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
  prefix                  = "serviceAccount"
  project_id              = var.project_id
  project_roles = [
    # EventArc
    # Lets the storage service agent publish to Pub/Sub; presumably the
    # transport behind the Cloud Storage trigger in workflow.tf — verify
    # against that trigger's definition.
    "roles/pubsub.publisher"
  ]
}

# Project-level IAM binding for the Pub/Sub service agent
# (service-<project number>@gcp-sa-pubsub.iam.gserviceaccount.com).
module "member_roles_pubsub_service_account" {
  source                  = "terraform-google-modules/iam/google//modules/member_iam"
  # Derived from the project number so no per-environment value is hard-coded.
  service_account_address = "service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
  prefix                  = "serviceAccount"
  project_id              = var.project_id
  project_roles = [
    # PubSub
    # NOTE(review): granted at project scope, this lets the Pub/Sub service
    # agent create tokens for any service account in the project. Presumably
    # required for authenticated push delivery — confirm, and prefer binding
    # the role on the specific service account if only one is needed.
    "roles/iam.serviceAccountTokenCreator"
  ]
}
alanpoole commented 1 month ago

https://github.com/gfilicetti/gke-github-deployment/commit/87595c020268958ec859ed70179d09024937d2bf