Open pritho opened 3 years ago
Couldn't recreate the issue. None of the permissions are provided in Terraform code, so I'd suggest checking whether they are pointing to the right projects.
The compute.networkUser permission worked:
```hcl
# Child (service) project: a custom role holding only the permissions needed
# to create the instance and its disk and to attach it to a subnetwork.
resource "google_project_iam_custom_role" "custom_role_child" {
  role_id = "test"
  title   = "test-child"
  permissions = [
    "compute.instances.create",
    "compute.disks.create",
    "compute.subnetworks.use",
  ]
  project = var.project_child
}

# Host project: the predefined Network User role plus Viewer, bound
# project-wide to the service account.
resource "google_project_iam_member" "service_account_role_host" {
  for_each = toset(["roles/compute.networkUser", "roles/viewer"])
  project  = var.project_host
  role     = each.key
  member   = "serviceAccount:${google_service_account.service_account.email}"
}

# Child project: the custom role above plus Viewer.
resource "google_project_iam_member" "service_account_role_child" {
  for_each = toset([google_project_iam_custom_role.custom_role_child.id, "roles/viewer"])
  project  = var.project_child
  role     = each.key
  member   = "serviceAccount:${google_service_account.service_account.email}"
}
```
And here is a more granular version that also works:
```hcl
# Host project: a custom role carrying only the two "use" permissions the
# 403 asked for, instead of the full roles/compute.networkUser role.
resource "google_project_iam_custom_role" "custom_role_host" {
  role_id = "test"
  title   = "test-host"
  permissions = [
    "compute.networks.use",
    "compute.subnetworks.use",
  ]
  project = var.project_host
}

# Child (service) project: the permissions needed to create the instance
# and its disk and to attach it to a subnetwork.
resource "google_project_iam_custom_role" "custom_role_child" {
  role_id = "test"
  title   = "test-child"
  permissions = [
    "compute.instances.create",
    "compute.disks.create",
    "compute.subnetworks.use",
  ]
  project = var.project_child
}

# Host project: bind the host custom role plus Viewer to the service account.
resource "google_project_iam_member" "service_account_role_host" {
  for_each = toset([google_project_iam_custom_role.custom_role_host.id, "roles/viewer"])
  project  = var.project_host
  role     = each.key
  member   = "serviceAccount:${google_service_account.service_account.email}"
}

# Child project: bind the child custom role plus Viewer to the service account.
resource "google_project_iam_member" "service_account_role_child" {
  for_each = toset([google_project_iam_custom_role.custom_role_child.id, "roles/viewer"])
  project  = var.project_child
  role     = each.key
  member   = "serviceAccount:${google_service_account.service_account.email}"
}
```
@edwardmedia I think this issue can be closed
Terraform Version
0.15.5
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Instance should be able to be created
Actual Behavior
```text
Error: Error updating network interface: googleapi: Error 403: Required 'compute.networks.use' permission for 'projects/HOST/global/networks/X', forbidden
```
Steps to Reproduce
Important Factoids
When granting the global permission "roles/compute.networkUser" via IAM in project HOST to service account CHILD, the setup works, but this, on the other hand, gives direct permissions to use all subnetworks.
b/308756106
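Both the project-wide roles/compute.networkUser grant in the issue and the host-project custom role in the comment above let the service account use every subnetwork in the host project. The following is an added example, not code from the thread or the provider, that scopes the host-side grant to a single shared subnet with google_compute_subnetwork_iam_member; var.region and var.shared_subnet are assumed names, and var.project_host, var.project_child and google_service_account.service_account are reused from the thread.

```hcl
# Added example (not from the issue): subnet-scoped Network User grant for a
# Shared VPC service account. Assumed inputs: var.region, var.shared_subnet.

# Host project: bind roles/compute.networkUser on ONE subnet only. The
# service account can attach instances to this subnet and to no other
# subnet of the host project.
resource "google_compute_subnetwork_iam_member" "service_account_subnet_user" {
  project    = var.project_host
  region     = var.region
  subnetwork = var.shared_subnet # name of the shared subnet in the host project
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${google_service_account.service_account.email}"
}

# Child (service) project: same narrow custom role as in the comment above,
# covering instance and disk creation plus subnetwork use.
resource "google_project_iam_custom_role" "custom_role_child" {
  role_id = "test"
  title   = "test-child"
  permissions = [
    "compute.instances.create",
    "compute.disks.create",
    "compute.subnetworks.use",
  ]
  project = var.project_child
}

resource "google_project_iam_member" "service_account_role_child" {
  for_each = toset([google_project_iam_custom_role.custom_role_child.id, "roles/viewer"])
  project  = var.project_child
  role     = each.key
  member   = "serviceAccount:${google_service_account.service_account.email}"
}
```

To confirm the binding landed on the subnet rather than on the whole host project, compare the output of `gcloud compute networks subnets get-iam-policy SUBNET --region=REGION --project=HOST` with `gcloud projects get-iam-policy HOST`; the service account should appear only in the former.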