Import of existing Firebase Project into Terraform State receiving 403 error

While migrating our existing infrastructure into an "Infrastructure as Code" Setup, we also needed to import an existing Firebase Project.

Following the instructions from the GCP beta Terraform provider, the following snippet was added to the corresponding Terraform module.

resource "google_firebase_project" "default" {
  provider = google-beta
  project = "my-project-id"
}

The Import of the existing Firebase project was initiated by running the command

terraform import google_firebase_project.default my-project-id

This led to the following output:

google_firebase_project.default: Importing from ID "my-project-id"...
google_firebase_project.default: Import prepared!
  Prepared google_firebase_project for import
google_firebase_project.default: Refreshing state... [id=projects/my-project-id]
Error: Error when reading or editing FirebaseProject "projects/my-project-id": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the firebase.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/.

The error was obtained running Terraform with a Service Account or using an end user account to impersonate a service account. All identities had Owner permissions on the corresponding GCP project.

Your error message is not directly related to your usage of Firebase Terraform resources, but rather to the fact that you cannot talk to the Firebase APIs with a human user. Instead you should create a service account, e.g. called terraform, give it the permissions needed to create Firebase resources and give your user the permission to impersonate the service account.

Then you need to configure your GCP provider like so

provider "google" {
  impersonate_service_account = "terraform@my-gcp-project.iam.gserviceaccount.com"
}

provider "google-beta" {
  impersonate_service_account = "terraform@my-gcp-project.iam.gserviceaccount.com"
}

It can be advisable to create a single terraform service account in a shared project and use it to create all other resources through terraform. See also https://github.com/terraform-google-modules/terraform-google-bootstrap for this pattern.
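
The setup this answer describes (service account, its project permissions, and the impersonation grant), written as a one-time bootstrap configuration. This is an added example, not part of the original answer. The operator identity, the variable names and the choice of roles/firebase.admin as "the permissions needed" are assumptions.

```hcl
# Bootstrap configuration, applied once with credentials that may manage IAM
# on the project. Names and defaults below are assumptions for illustration.
variable "project_id" {
  type    = string
  default = "my-gcp-project" # project part of the e-mail used in the answer
}

variable "operator" {
  type        = string
  description = "Human identity allowed to impersonate the service account"
  default     = "user:alice@example.com" # constructed placeholder
}

# The service account Terraform will act as.
resource "google_service_account" "terraform" {
  project      = var.project_id
  account_id   = "terraform"
  display_name = "Terraform automation"
}

# Assumed role: Firebase administration on the project. Narrow this to the
# smallest role that covers the Firebase resources you actually manage.
resource "google_project_iam_member" "terraform_firebase" {
  project = var.project_id
  role    = "roles/firebase.admin"
  member  = "serviceAccount:${google_service_account.terraform.email}"
}

# The grant is bound on the service account itself, not on the project, so
# the operator can mint tokens for this one account only.
resource "google_service_account_iam_member" "operator_impersonation" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = var.operator
}

# Value to place in impersonate_service_account in both provider blocks.
output "impersonate_service_account" {
  value = google_service_account.terraform.email
}
```

Binding roles/iam.serviceAccountTokenCreator at the project level instead would let the operator impersonate every service account in that project, so the resource-level binding is the narrower grant.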