On GCP console, I can successfully create a GCE VM and create a primary and an alias IP addresses for the VM in a subnet of a shared VPC.
But the strange thing is when I tried to repeat the process with Terraform, I got the following error:
Error: Error creating Address: googleapi: Error 403: Required 'compute.addresses.createInternal' permission for 'projects/xxx/regions/us-central1/addresses/yyy', forbidden
I also got another permission error on 'compute.instances.setDeletionProtection' in a slightly different attempt.
Other information to share:
resource "google_compute_address" "alias-ips" {
  name         = var.name
  address_type = "INTERNAL"
  purpose      = "GCE_ENDPOINT"
  region       = var.region
  subnetwork   = "https://www.googleapis.com/compute/v1/projects/${var.subnet_project}/regions/${var.region}/subnetworks/${var.subnet}"
  project      = var.project
}
The next thing I'll try is to use gcloud to create the same resource. But I doubt it will generate any useful errors either.
Update 1:
I tried gcloud to create a VM. I was able to create the VM, and its primary and alias IPs. But when I tried to set deletion protection (using gcloud compute instances update XXX --deletion-protection, or using the option --deletion-protection when creating a VM), I got the 403 error again. But what's perplexing is that I could create IPs. This could imply that I wrote my TF not exactly the correct way, or that the way TF handles alias IP creation is different from gcloud.
Update 2:
As per request, I set up GCP authN for TF by gcloud auth application-default login. I have never touched GOOGLE_APPLICATION_CREDENTIALS, so it's empty. I'm very sure I'm using the same account/identity. And I run Terraform in an environment where I have no issue running Terraform to do everything in other GCP projects I work with, where I have less constrained permissions.
We eventually figured out that it was because the custom role our admin created for me lacked exactly those two permissions:
After they added those two permissions for me, I was able to complete my job. The two blocking issues for me were, respectively for the two permissions, 1) I couldn't create an IP address in a shared VPC/subnet; 2) I couldn't turn on "Deletion Protection" for a VM.
So there's nothing wrong with how GCP or Terraform checks permissions, nor with my authentication. I thought it was a larger issue, but it turned out to be just that two permissions prevented me from creating the VM.
I could have had the compute instance admin role and/or the compute network user role, so that I wouldn't have run into this issue. The reason our admin decided not to directly grant me (developers) those two roles is that they contain too broad permissions.
But I'm still suspicious about the contradictory behavior in GCP Console vs in Terraform/gcloud when creating alias IPs. I guess it's that GCP Console uses some non-standard API that is different from the way Terraform/gcloud does the job. There might be a bug or some undocumented feature behind it.
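The root cause above is a least-privilege custom role that is two permissions short. An added example (not from the poster) of how to diagnose that without guessing: pull the permission name out of each googleapi 403 message and diff it against the role's includedPermissions as printed by gcloud iam roles describe --format=json. The role definition and the error strings are constructed here to mirror the post; the role name and resource paths are placeholders.

```python
import json
import re

# Constructed sample of a custom role in the shape `gcloud iam roles describe --format=json`
# prints it. The permission list is invented to reproduce the gap described in the post.
CUSTOM_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/gceDeveloper",  # placeholder role name
    "stage": "GA",
    "includedPermissions": [
        "compute.instances.create",
        "compute.instances.get",
        "compute.subnetworks.use",
        "compute.subnetworks.useExternalIp",
        "compute.addresses.use",
    ],
})

# Constructed 403 messages in the same format the post quotes.
API_ERRORS = [
    "Error: Error creating Address: googleapi: Error 403: Required "
    "'compute.addresses.createInternal' permission for "
    "'projects/xxx/regions/us-central1/addresses/yyy', forbidden",
    "googleapi: Error 403: Required 'compute.instances.setDeletionProtection' "
    "permission for 'projects/xxx/zones/us-central1-a/instances/zzz', forbidden",
]

# Matches the quoted permission in "Required '<service>.<resource>.<verb>' permission".
PERMISSION_RE = re.compile(r"Required '([A-Za-z0-9_.]+)' permission")


def required_permissions(errors):
    """Return the set of permission names named in googleapi 403 'Required ... permission' messages."""
    found = set()
    for message in errors:
        match = PERMISSION_RE.search(message)
        if match:
            found.add(match.group(1))
    return found


def missing_permissions(role_json, errors):
    """Return, sorted, the required permissions that the role's includedPermissions does not grant."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    return sorted(required_permissions(errors) - granted)


if __name__ == "__main__":
    for perm in missing_permissions(CUSTOM_ROLE_JSON, API_ERRORS):
        print(f"custom role lacks: {perm}")
```

The resulting list is exactly what an admin needs to pass to gcloud iam roles update ROLE --project PROJECT --add-permissions=..., which keeps the role narrow instead of falling back to the broad predefined roles mentioned above.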