terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

organization service account missing permissions when describing scc-notify #1283

Open rdattilo opened 1 week ago

rdattilo commented 1 week ago

If you follow the README-GitHub.md, under Deploying step 1-org, step 10:

gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}

produces this error:

ERROR: (gcloud.scc.notifications.describe) PERMISSION_DENIED: Caller does not have required permission to use project validator-project-111111. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=validator-project-111111 and then retry. Propagation of the new permission may take a few minutes. This command is authenticated as renato.dattilo@badal.io which is the active account specified by the [core/account] property. Impersonation is used to impersonate sa-terraform-org@prj-b-seed-1111.iam.gserviceaccount.com.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developer console IAM admin
    url: https://console.developers.google.com/iam-admin/iam/project?project=validator-project-427516
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/validator-project-427516
    service: securitycenter.googleapis.com
  reason: USER_PROJECT_DENIED

I was able to run this successfully without impersonation, much like the instructions under the README.md under the 1-org folder under step 3:

gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID}

Unsure what the correct course of action here is; however, I thought you should be aware of the discrepancies between the two instructions.

daniel-cit commented 1 week ago

hi @rdattilo, thanks for your report.

I was able to reproduce the same error if I set the billing/quota_project in the gcloud configuration. If I unset the billing quota project the error is not reproduced.

The SCC API bills the API in the project that is the parent of the Service Account used, but if a billing/quota_project is set it will try to bill the quota project instead. In this case the service account will need the roles/serviceusage.serviceUsageConsumer role.

I will add a note in the instructions to highlight that when using service account impersonation.
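A pre-flight wrapper for the impersonated describe call from the thread, as an added example (not code from the issue or the repository): it parses a USER_PROJECT_DENIED error to find the quota project the call was billed to and prints the two fixes discussed above, granting roles/serviceusage.serviceUsageConsumer to the impersonated service account or unsetting billing/quota_project. SAMPLE_ERROR is constructed from the error quoted in the issue; ORGANIZATION_ID and ORG_STEP_SA are the README's variables.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the repository.
# With billing/quota_project set, the SCC call is billed to that project and the
# impersonated SA needs roles/serviceusage.serviceUsageConsumer there; unset, it
# is billed to the SA's parent project and no extra grant is needed.

# Constructed sample, trimmed from the error quoted in the issue.
SAMPLE_ERROR='ERROR: (gcloud.scc.notifications.describe) PERMISSION_DENIED: Caller does not have required permission to use project validator-project-427516.
  domain: googleapis.com
  metadata:
    consumer: projects/validator-project-427516
    service: securitycenter.googleapis.com
  reason: USER_PROJECT_DENIED'

# Read gcloud error output on stdin; print the quota project the call was billed
# to when the failure is a USER_PROJECT_DENIED, otherwise print nothing.
denied_quota_project() {
  awk '
    /reason: USER_PROJECT_DENIED/ { denied = 1 }
    /consumer: projects\//        { sub(/.*consumer: projects\//, ""); proj = $0 }
    END { if (denied && proj != "") print proj }
  '
}

# Print the two remediations from the thread for a denied quota project: grant
# the consumer role to the impersonated SA there, or stop billing to a quota
# project by unsetting it in the gcloud configuration.
remediation() {
  project="$1"; sa="$2"
  printf 'gcloud projects add-iam-policy-binding %s --member="serviceAccount:%s" --role="roles/serviceusage.serviceUsageConsumer"\n' "$project" "$sa"
  printf 'gcloud config unset billing/quota_project\n'
}

# Live wrapper (needs gcloud plus ORGANIZATION_ID and ORG_STEP_SA set as in the
# README). Runs the documented command; on a quota-project denial it explains the
# cause and prints the remediation instead of the raw error.
scc_describe_notify() {
  out=$(gcloud scc notifications describe "scc-notify" --format="value(name)" \
          --organization="${ORGANIZATION_ID}" \
          --impersonate-service-account="${ORG_STEP_SA}" 2>&1) \
    && { printf '%s\n' "$out"; return 0; }
  proj=$(printf '%s\n' "$out" | denied_quota_project)
  if [ -n "$proj" ]; then
    echo "Impersonated SA lacks serviceusage.services.use in quota project $proj" >&2
    remediation "$proj" "${ORG_STEP_SA}" >&2
  else
    printf '%s\n' "$out" >&2
  fi
  return 1
}
```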