
Terraform: googleapi: Error 403: Permission denied on resource project

googleapi: Error 403: Permission denied on resource project shared_vpc_host_name., forbidden

I am trying to create a shared VPC and service project using the Terraform project factory module, and I am running into errors and am not sure if it is really related to permissions. Here are the errors that I am receiving:

Error: googleapi: Error 403: Permission denied on resource project shared_vpc_host_name., forbidden

on .terraform/modules/project_factory/terraform-google-project-factory-8.1.0/modules/core_project_factory/main.tf line 136, in resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment":
136: resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment" {

Error: Error retrieving IAM policy for compute subnetwork "projects/shared_vpc_host_name/regions/us-central1/subnetworks/10.128.0.0": googleapi: Error 403: Permission denied on resource project shared_vpc_host_name., forbidden

For someone like me: my problem was that I was using an invalid key in the provider block.

provider "google" {
  credentials = "this_was_wrong.json"
  project = "project-id"
}

As Eddie Knight said in his answer:

It's very possible that you are experiencing permission issues. At one point today I found myself attempting to target a project that existed... but the account I was authenticated to via gcloud was not the account I thought it was.

I got the same error when I mistakenly set "project" to the project name "myProject", as shown below:

provider "google" {
  credentials = file("myCredentials.json")
  project     = "myProject" // Mistakenly put the project name "myProject"
  region      = "asia-northeast1"
}

This is my project name, number and ID:


Then, I set "project" to the project ID "myproject-338117":

provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-338117" // Put the project id "myproject-338117"
  region      = "asia-northeast1"
}

Finally, I could solve the error.

I stumbled across your unanswered question just now while I was experiencing a similar error message, so I'll put my experience here in case someone else comes across it.

I am running into errors and not sure if it is really related to permissions

It's very possible that you are experiencing permission issues. At one point today I found myself attempting to target a project that existed... but the account I was authenticated to via gcloud was not the account I thought it was. In that case you'll need to either change the project id or change your authentication for gcloud.

It is also possible that your issue is related to the subnet. Check your IAM roles to ensure that you have given yourself permission to work on that subnet.

Side note... I also got a permissions error at one point due to targeting a non-existent zone

In sum:

  1. Check that you're using the correct account
  2. Check that you're using the right project
  3. Check that you've assigned IAM roles properly

I have seen this problem, and in my case the project ID was not correct in the .tfvars file.
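The answers above trace this 403 to a wrong key file, a project name used where the project ID belongs, or an identity without roles on the target project. The following is an added example, not code from any of the posts: an offline preflight that checks a service account key and the provider's `project` value before `terraform apply`. The helper name `preflight` and the sample key contents are constructed for illustration.

```python
import json
import re

# GCP project IDs: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")

# Constructed sample key: field names follow the service account key file
# layout, every value is made up and the private key is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "myproject-338117",
    "private_key": "PLACEHOLDER-NOT-A-KEY",
    "client_email": "terraform@myproject-338117.iam.gserviceaccount.com",
})


def preflight(key_json, provider_project):
    """Return findings for mistakes that surface as a 403 (hypothetical helper)."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return ["credentials: file is not valid JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account" \
            or not key.get("client_email") or not key.get("private_key"):
        return ["credentials: not a service account key file"]
    findings = []
    if not PROJECT_ID_RE.fullmatch(provider_project):
        # Display names ("myProject") and project numbers fail this check.
        findings.append(
            f"project: {provider_project!r} is not a project ID "
            "(display name or project number used?)")
    elif key.get("project_id") != provider_project:
        # Legitimate for cross-project work such as Shared VPC, but then the
        # identity needs IAM roles granted on the target project.
        findings.append(
            f"iam: {key['client_email']} was created in "
            f"{key.get('project_id')!r}; confirm it has roles on "
            f"{provider_project!r}")
    return findings


if __name__ == "__main__":
    # The private key is never printed; only the account e-mail is reported.
    for project in ("myProject", "myproject-338117", "shared-vpc-host"):
        print(project, "->", preflight(SAMPLE_KEY, project) or "ok")
```

The check only inspects the key file and the provider value; whether the roles are actually granted on the target project still has to be confirmed in IAM.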
