I want to create a GCP project with Terraform, using Vault to get the token. I have the GCP secrets engine already configured and I ask Vault from within Terraform for the token; but when I run Terraform to create the project, I get an error that says:
Error 403: Service accounts cannot create projects without a parent., forbidden. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission
│
│ with module.gcp-project.google_project.project,
│ on .terraform/modules/gcp-project/main.tf line 6, in resource "google_project" "project":
│ 6: resource "google_project" "project" {
I suppose the problem is in the roleset bindings of Vault's token, but I don't know which resource I have to put in the roleset.
I tried with the resourcemanager.projectCreator role; but it always asks me for a project name.
Should I give permission to the whole organization? Because if I want to create new projects and I put an existing project as the resource, I won't be able to create another project.
Thanks!!
You must create a GCP Organization resource and ensure your Vault GCP roleset is created in a project that lives inside the org (e.g. an "admin" project).
When you create the project creator roleset using Terraform, you need to grant it a role that has the resourcemanager.projects.create permission. You can create the binding against the whole org, or an individual folder within the org. For example:
resource "vault_gcp_secret_roleset" "default" {
  backend      = var.gcp_secret_backend
  roleset      = var.roleset_name
  project      = var.project
  secret_type  = var.secret_type
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/folders/${var.folder_id}"
    roles = [
      "roles/resourcemanager.projectCreator",
      "roles/resourcemanager.projectMover",
      "roles/resourcemanager.projectDeleter",
    ]
  }
}
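As an added example (not part of the answer above), this is the consuming side: Terraform reads the roleset token from Vault and creates the project with a parent that sits inside the scope of the binding. The token path, the variable names and the provider configuration are assumptions.

```hcl
# Read a short-lived OAuth token for the roleset from the GCP secrets engine.
# Path assumed to follow Vault's roleset token endpoint: <mount>/roleset/<name>/token
data "vault_generic_secret" "gcp_token" {
  path = "${var.gcp_secret_backend}/roleset/${var.roleset_name}/token"
}

# Authenticate the google provider with the Vault-issued token instead of a
# long-lived service-account key; the token carries only the roleset's bindings.
provider "google" {
  access_token = data.vault_generic_secret.gcp_token.data["token"]
}

# The new project must name a parent (folder or organization) that lies inside
# the resource the roleset binding targets. A binding scoped to an existing
# project grants nothing on the folder, which is why the 403 appears.
resource "google_project" "project" {
  name            = var.project_name
  project_id      = var.project_id
  folder_id       = var.folder_id   # same folder as the binding's resource
  billing_account = var.billing_account
}

# If the binding is made against the whole organization instead, i.e.
# "//cloudresourcemanager.googleapis.com/organizations/${var.org_id}",
# replace folder_id with org_id = var.org_id on the project resource.
```

Keep the roleset bound to the narrowest folder that must hold new projects; an org-wide projectCreator binding lets any holder of the Vault token create projects anywhere in the org.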