Error 403, "The caller does not have permission" when trying to impersonate Service Account in GCP

Question

I have this fairly easy Terraform configuration:

terraform {
  required_providers {
    google = { 
      source  = "hashicorp/google"
      version = "~> 4.19.0"
    }   

    airflow = { 
      source = "DrFaust92/airflow"
      version = "~> 0.6.0"
    }   
  }
}

data "http" "client_id" {
  url = var.cloud_composer.airflow_uri
}

resource "google_service_account" "impersonated-gsa" {
  account_id = "impersonated"
}

data "google_service_account_access_token" "impersonated" {
  target_service_account = google_service_account.impersonated-gsa.email
  delegates              = []
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "300s"
}

provider "google" {
  alias        = "impersonated"
  access_token = data.google_service_account_access_token.impersonated.access_token
}

data "google_service_account_id_token" "oidc" {
  provider               = google.impersonated
  target_service_account = google_service_account.impersonated-gsa.email
  delegates              = []
  include_email          = true
  target_audience        = regex("[A-Za-z0-9-]*\\.apps\\.googleusercontent\\.com", data.http.client_id.body)
}

provider "airflow" {
  base_endpoint = data.http.client_id.url
  oauth2_token = data.google_service_account_id_token.oidc.id_token
}

The configuration is mostly directly copied from the documentation of Terraform Airflow provider .

When I try to run Terraform on it, say for example terraform plan , I get this 403 error:

╷
│ Error: googleapi: Error 403: The caller does not have permission, forbidden
│ 
│   with module.airflow.data.google_service_account_access_token.impersonated,
│   on modules/airflow/providers.tf line 23, in data "google_service_account_access_token" "impersonated":
│   23: data "google_service_account_access_token" "impersonated" {
│ 
╵

I am running Terraform in my local terminal, being authenticated with my gcloud user as stated in Terraform docs . My user has actual Owner role in GCP, which should require no more permissions to do this job, as far as I know. Anyway, I added myself the roles/iam.serviceAccountTokenCreator role as well, which seems needed to perform this operation, but didn't help and the error is the same.

At this point, I have no idea what could I be doing wrong, or even if the Terraform configuration itself is correct.

Can someone give any advice or suggestion? Thanks.

Edit to add more details because I can't put an entire answer to John Hanley comment:

Right,

1. I haven't see userinfo-email in any doc. Actually here , here and here is always userinfo-email . Anyway, I changed to userinfo.email . This didn't affect the results.
2. I checked that to exhaustion, and indeed my user account, the only one I had configured to run Terraform, is an Owner. There is no chance I am running Terraform with any other non-Owner user.
3. Okay, so to triple check now I manually created a Service Account in GCP dashboard, assigned it Owner role, also assigned it Service Account Token Creator role. Then I configured my local to run Terraform with that, and the error is exactly the same.

So, the mistake must be in the TF configuration.

Answer 1

1. The scope userinfo-email is invalid. It should be userinfo.email .

2. You state that you are using an account with the Owner role. However, the error message indicates that you are not using that identity with Terraform.

3. Using a user identity can result in errors (API quotas). You should be using a service account. I recommend allocating a service account, assigning it the required roles, and initializing the Terraform provider with the service account.

Answer 2

Same error when trying to create Composer with service_account = Service Account from another project. :(