I'm trying to export project assets with Google Cloud Asset Inventory and the gcloud command (version 314.0.0), authenticated with a service account:
```shell
# 1. authenticate with service account my-service-account@$PROJECT_ID.iam.gserviceaccount.com
gcloud auth activate-service-account --key-file=/path/to/my/key.json
# 2. export assets to BQ
gcloud asset export \
  --project=$PROJECT_ID \
  --bigquery-table=projects/$PROJECT_ID/datasets/$DATASET_ID/tables/$TABLE_ID \
  --output-bigquery-force \
  --content-type=resource
```
And got the following error:
```
ERROR: (gcloud.asset.export) User [my-service-account@$PROJECT_ID.iam.gserviceaccount.com] does not have permission to access project [$PROJECT_ID:exportAssets] (or it may not exist): The caller does not have permission
```
My service account has the following roles on $PROJECT_ID:
- roles/cloudasset.viewer
- roles/bigquery.jobUser
- roles/bigquery.dataEditor
Note that `gcloud asset export` works when I'm logged in with my own personal account, which has the same roles as my service account.
Adding the `--verbosity=debug` flag to gcloud does not add any additional info:
```
apitools.base.py.exceptions.HttpForbiddenError: HttpError accessing https://cloudasset.googleapis.com/v1/projects/$PROJECT_ID:exportAssets?alt=json
with the following content:
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
```
I don't understand the difference between being logged in with the service account (`gcloud auth activate-service-account`) and with my own personal account (`gcloud auth login`); both should work since I have exactly the same permissions.
Any idea would be appreciated.
There is an open investigation on this issue: permission denied error when exporting asset to GCS or BigQuery
It seems that you have to impersonate the built-in service account [email protected] and add the Storage Admin role to it.
Also you will have to add the roles roles/bigquery.jobUser and roles/bigquery.dataEditor to the service account [email protected], where xxxxxx is the project id.
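The answer above points at a second principal: the export is carried out by the built-in Cloud Asset service account, so that account, not only the caller, needs the BigQuery roles. The following added example (not from the question, the answer, or Google's own tooling) is a pre-flight check over the project IAM policy as returned by `gcloud projects get-iam-policy $PROJECT_ID --format=json`; it reports which of the two principals lacks the roles the thread names. The policy, project id and principal addresses are constructed placeholders, and the built-in account's real address is the one shown in the answer.

```python
import json

# Constructed sample of a project IAM policy (the shape `gcloud projects get-iam-policy
# ... --format=json` returns). Principals and project id are placeholders, not real values.
CALLER = "serviceAccount:my-service-account@example-project.iam.gserviceaccount.com"
AGENT = "serviceAccount:cloud-asset-agent@PLACEHOLDER-PROJECT.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudasset.viewer", "members": [CALLER]},
        {"role": "roles/bigquery.jobUser", "members": [CALLER]},
        {"role": "roles/bigquery.dataEditor", "members": [CALLER, "user:me@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})

# Roles the question lists for the caller, and the roles the answer says the
# built-in Cloud Asset service account needs in addition, for a BigQuery export.
CALLER_ROLES = ("roles/cloudasset.viewer", "roles/bigquery.jobUser", "roles/bigquery.dataEditor")
AGENT_ROLES = ("roles/bigquery.jobUser", "roles/bigquery.dataEditor")


def roles_for(policy_json, member):
    """Set of roles bound unconditionally to `member` (e.g. 'serviceAccount:x@y').

    Conditional bindings are skipped: they only grant the role while their
    condition holds, so they must not count as a guaranteed grant here.
    """
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}


def missing_roles(policy_json, member, required):
    """Sorted list of `required` roles that `member` does not hold."""
    return sorted(set(required) - roles_for(policy_json, member))


def preflight(policy_json, caller, agent):
    """Report missing roles for both principals involved in `gcloud asset export`."""
    return {
        "caller": missing_roles(policy_json, caller, CALLER_ROLES),
        "service_agent": missing_roles(policy_json, agent, AGENT_ROLES),
    }


if __name__ == "__main__":
    # With the sample policy the caller is fully provisioned but the service
    # agent has no BigQuery roles, which is the situation the thread describes.
    print(json.dumps(preflight(SAMPLE_POLICY, CALLER, AGENT), indent=2))
```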