I deployed a logging.v2.sink using Google Cloud Deployment Manager; however, the deployment failed with a permission denied error.
The problem also happened with this logsink example of Google Cloud Deployment Manager.
The result is as follows:
    - code: RESOURCE_ERROR
      location: /deployments/my-project-id/resources/sink
      message:
        {
          "ResourceType": "logging.v2.sink",
          "ResourceErrorCode": "403",
          "ResourceErrorMessage": {
            "code": 403,
            "message": "The\n caller does not have permission",
            "status": "PERMISSION_DENIED",
            "statusMessage": "Forbidden",
            "requestPath": "https://logging.googleapis.com/v2/projects/my-project-id/sinks",
            "httpMethod": "POST"
          }
        }
The deployment was executed with the owner role; moreover, I can create a logging sink using the CLI.
The locally installed gcloud is the newest (v217.0.0).
Why does this problem happen?
I misunderstood the permissions of Cloud Deployment Manager. I noticed that the account that deploys the template and the account that creates the resources are different (https://cloud.google.com/deployment-manager/docs/access-control).
When I add the Logging Admin role to the service account [PROJECT_NUMBER]@cloudservices.gserviceaccount.com, deployment succeeds.
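
One way to apply the fix from the answer without re-granting a role that is already present, as an added example that is not part of the original post. It assumes an authenticated gcloud with rights to read and set the project's IAM policy; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
ROLE="roles/logging.admin"   # "Logging Admin", the role named in the answer

# IAM member string for the Google APIs service account of a project number.
dm_member() {
  printf 'serviceAccount:%s@cloudservices.gserviceaccount.com\n' "$1"
}

# Numeric project number for a project ID.
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Exit 0 if member $2 holds $ROLE on project $1, 1 if not, 2 on lookup error.
has_role() {
  # Flattening yields one "role<TAB>member" line per binding member.
  policy=$(gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --format='value(bindings.role,bindings.members)') || return 2
  printf '%s\n' "$policy" | grep -Fqx -e "$(printf '%s\t%s' "$ROLE" "$2")"
}

# Grant the role only when it is missing, and report what happened.
ensure_logging_admin() {
  number=$(project_number "$1") || return 1
  [ -n "$number" ] || return 1
  member=$(dm_member "$number")
  if has_role "$1" "$member"; then
    echo "unchanged: $member already has $ROLE"
  else
    [ $? -eq 1 ] || return 2   # policy could not be read: change nothing
    gcloud projects add-iam-policy-binding "$1" \
      --member="$member" --role="$ROLE" >/dev/null || return 1
    echo "granted: $ROLE to $member"
  fi
}

# Runs only when a project ID is passed, e.g.: sh grant.sh my-project-id
if [ -n "${1:-}" ]; then ensure_logging_admin "$1"; fi
```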