I am creating an Ansible playbook to configure VMs in GCP. I am making use of the gcp_compute
plugin to build a dynamic inventory, using a service account with the role roles/editor
to authenticate with Google Cloud. The playbook fails with the error below when executed.
[WARNING]: * Failed to parse gcp.yml with gcp_compute plugin: [{'message': "Required 'compute.instances.list' permission for 'projects/project-dev-295204'", 'domain':
'global', 'reason': 'forbidden'}]
[WARNING]: gcp.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
As per the warning message it looks like the service account does not have the necessary permissions to list the running VM instances and build the inventory, but the service account has the role editor
attached to it, and this role has all the privileges required to edit and list most resources in GCP.
[defaults]
roles_path = roles
inventory = gcp.yml
remote_user = ansible
host_key_checking = False
private_key_file = $GOOGLE_SSH_KEY
[inventory]
enable_plugins = gcp_compute
plugin: gcp_compute
projects:
- project-dev-295204
auth_kind: serviceaccount
service_account_file: $GOOGLE_SA
keyed_groups:
- key: labels
prefix: label
- key: zone
prefix: zone
The playbook returned a successful response after the service account was added as an IAM member and mapped to the role roles/editor
in the IAM Admin home page.
The commands below returned a 403 response (authentication mode = service account)
until the service account was added as a new IAM member.
gcloud compute instances list
gcloud compute addresses list
How does attaching a role to the service account while creating it vs.
adding the service account as an IAM member and tagging it to the same role make a difference?
I created the service account through Terraform, using the resource type google_service_account
to create the service account and google_service_account_iam_policy
to attach the editor role to the service account.
When using an IAM policy for a service account, this means that it will set IAM bindings at the resource level, meaning you are setting the editor role for SA my-sa@ on the service account itself, not at the actual project level. Please avoid using google_service_account_iam_policy, since it overrides existing bindings and will only set the serviceAccount, user, group, etc. members and their respective roles that were specified in your TF file.
In order to "add" a binding and not "set" it at project level, you'll need to use the following: google_project_iam_binding for updating existing bindings; if this is the first time creating a binding, then use google_project_iam_member, which will not override your existing bindings at project level.
Keep in mind that if you do a "set" IAM binding you can potentially be locked out of the project. Please take a look at the following documentation as well to get a better understanding of IAM policies for projects.
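The two bindings side by side, as an added Terraform example that is not part of the question or the answer above. It reuses the project ID from the question; the service account name "ansible-inventory" and the assumption that the google provider is already configured are mine. The commented-out block is the shape of the configuration the question describes (editor granted on the service account's own policy); the uncommented block is the project-level grant the answer recommends, plus a narrower read-only alternative that is enough for the inventory plugin's instance listing.

```hcl
# Added example, not from the original question or answer. Assumes the
# Terraform google provider is configured and the project ID from the question;
# the service account name is hypothetical.

resource "google_service_account" "ansible" {
  account_id   = "ansible-inventory"
  display_name = "Ansible dynamic inventory"
  project      = "project-dev-295204"
}

# WRONG for this purpose: google_service_account_iam_policy writes the service
# account's *own* IAM policy. That policy controls who may act on the SA as a
# resource (impersonate it, manage its keys); it grants the SA nothing in the
# project. roles/editor set here does not confer compute.instances.list on
# project-dev-295204, which is why the inventory plugin and
# `gcloud compute instances list` still return 403. It is also authoritative:
# any binding on the SA that is not in policy_data is removed.
#
# data "google_iam_policy" "sa_self" {
#   binding {
#     role    = "roles/editor"
#     members = ["serviceAccount:${google_service_account.ansible.email}"]
#   }
# }
#
# resource "google_service_account_iam_policy" "wrong" {
#   service_account_id = google_service_account.ansible.name
#   policy_data        = data.google_iam_policy.sa_self.policy_data
# }

# CORRECT: bind the role on the project. google_project_iam_member is
# non-authoritative; it adds exactly one member to one role and leaves every
# other binding in the project policy untouched, so it cannot lock anyone out.
resource "google_project_iam_member" "ansible_editor" {
  project = "project-dev-295204"
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.ansible.email}"
}

# Least privilege: building the inventory only needs to read compute resources.
# roles/compute.viewer includes compute.instances.list and compute.addresses.list,
# so for a host that only resolves the inventory this binding is sufficient and
# roles/editor above can be dropped.
resource "google_project_iam_member" "ansible_compute_viewer" {
  project = "project-dev-295204"
  role    = "roles/compute.viewer"
  member  = "serviceAccount:${google_service_account.ansible.email}"
}
```

After `terraform apply`, `gcloud projects get-iam-policy project-dev-295204` should list the service account under the chosen role; `gcloud iam service-accounts get-iam-policy` on the account itself is the policy the wrong block was writing to, and it will not show a project-level grant. Keep only one of the two project bindings: the viewer role is enough for the inventory plugin, and editor should be reserved for a separate identity if the playbook itself must create or modify resources.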