stackoom
  简体   繁体   中英

GCP - Storage Service Account Access Issue

 原文  2022-08-27 18:19:19       google-cloud-platform/ terraform/ terraform-provider-gcp/ google-cloud-iam/ google-cloud-kms

Question

I am trying to grant access to serviceAccount:service-${data.google_project.infrastructure.number}@gs-project-accounts.iam.gserviceaccount.com on roles/cloudkms.cryptoKeyEncrypterDecrypter and creating storage buckets using below code:

resource "google_project_iam_member" "grant-google-storage-service-encrypt-decrypt" {
  project    = var.gcp_project
  role       = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member     = "serviceAccount:service-1111111111@gs-project-accounts.iam.gserviceaccount.com"
  depends_on = [google_project_service.apis["cloudkms.googleapis.com"], google_storage_bucket.terraform-state]
}

resource "google_storage_bucket" "dev-terraform-state" {
  name     = var.dev_terraform_state
  project  = var.gcp_project
  location = var.gcp_region

  versioning {
    enabled = true
  }

  encryption {
    default_kms_key_name = google_kms_crypto_key.terraform-state-bucket.id
  }

  depends_on = [google_kms_crypto_key.terraform-state-bucket, google_project_service.apis, google_kms_key_ring.key-ring-terraform-state]
}

Error:

│ Error: googleapi: Error 403: Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key., forbidden
│ 
│   with google_storage_bucket.dev-terraform-state,
│   on main.tf line 170, in resource "google_storage_bucket" "dev-terraform-state":
│  170: resource "google_storage_bucket" "dev-terraform-state" {

1 answers

solution1
 0  2022-08-28 16:13:47

Sorry, It was due to local cache i think. after removing terraform folder locally then re-run works fine.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question GCP service account naming GCP limit service account to have conditional access to a single instance GCP-IAM - How to grant access to all service account in organization? How do I check to see if a GCP service account has full access to Google Drive? GCP - Impersonate Service Account from Local Machine Gcp support binding service account from firebase? Programmatically get current Service Account on GCP service account does not have storage.objects.get access for Google Cloud Storage Is there a cost for gcp cloud functions to access gcp storage buckets My service account which was given storage permissions does not have storage.objects.list access to the Google Cloud Storage bucket
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM