
While using google_project_iam_member roles don't get applied properly #7089


Closed
mejuhi opened this issue Aug 24, 2020 · 15 comments

@mejuhi

mejuhi commented Aug 24, 2020

Terraform Version

Terraform v0.12.24

Affected Resource(s)

  • google_project_iam_binding
  • IAM

Terraform Configuration Files

# Binds the project-level editor role to the service account.
# `project` is omitted, so the provider's default project is used.
resource "google_project_iam_member" "sa-backend" {
  role   = "roles/editor"
  member = "serviceAccount:${google_service_account.sa-invoker.email}"
  # Redundant: the `member` reference above already creates the implicit dependency.
  depends_on = [google_service_account.sa-invoker]
}

Expected Behavior

  1. The service account should get the role roles/editor attached.
  2. A cloud component (e.g. a Cloud Function) which uses this SA should get all the access that comes with the editor role.

Actual Behavior

  1. The cloud component using this SA does not get editor access; we face permission denied issues.

Steps to Reproduce

  1. Create a cloud function which calls Cloud Run / publishes a message.
  2. Attach the cloud function to a SA, with the SA bound to the editor role using google_project_iam_member.
  3. The cloud function crashes with a permission denied error.
  4. Attach the cloud function to the default App Engine service account; it works as expected.

Important Factoids

  1. Even though I can see the role attached in the IAM console, it is not behaving as expected.
    (screenshot: IAM console)

The first row shown is the default App Engine SA with the editor role.
The second row shown is the newly created SA with the editor role attached using google_project_iam_member.

@jugup

jugup commented Aug 26, 2020

@venkykuberan, if you can, could you please help me with this issue?

@edwardmedia edwardmedia self-assigned this Aug 26, 2020
@edwardmedia
Contributor

edwardmedia commented Aug 26, 2020

@mejuhi how do you verify that the SA is the one used for triggering the function? Do you want to look into the resource below to see if that works for you?

# IAM entry for all users to invoke the function.
# Note: member = "allUsers" makes the function publicly invokable (no authentication);
# grant roles/cloudfunctions.invoker to a specific serviceAccount: member instead
# if only a known caller should be able to trigger it.
resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = google_cloudfunctions_function.function.project
  region         = google_cloudfunctions_function.function.region
  cloud_function = google_cloudfunctions_function.function.name

  role   = "roles/cloudfunctions.invoker"
  member = "allUsers"
}

@mejuhi
Author

mejuhi commented Aug 26, 2020

I am able to trigger the cloud function properly, but my cloud function is not able to perform its task properly (like publishing to Pub/Sub or calling Cloud Run) due to inadequate permissions.
After being triggered, the cloud function which uses the SA with roles (the editor role) granted using google_project_iam_member crashes,
but the same cloud function works perfectly fine when I run it using the default App Engine service account, which has the editor role.

@edwardmedia
Contributor

@mejuhi it sounds to me that the SA you created does not have the right permissions for Pub/Sub and Cloud Run. You may need to take a close look at docs like the one below:
https://cloud.google.com/pubsub/docs/access-control

@mejuhi
Author

mejuhi commented Aug 26, 2020

Yes, I did check; I have the Pub/Sub publisher role attached to it, as you can see in the attached screenshot. The second SA is the one whose roles are attached using google_project_iam_member.
(screenshot: IAM console)

@ghost ghost removed waiting-response labels Aug 26, 2020
@edwardmedia
Contributor

@mejuhi can you manually create a SA that works for you? That way you can figure out the exact permissions it needs to run the job. This has nothing to do with Terraform. You may share your debug log and I can take a look.

@mejuhi
Author

mejuhi commented Aug 26, 2020

I have tried creating the SA and attaching the roles manually using the gcloud command; it works perfectly fine when I create the SA and attach the roles manually. This permission issue only arises when the SA is created and the roles are attached using Terraform with google_project_iam_member.
I am sure about all the roles my SA needs for proper execution, since when I attach the roles using the gcloud command it works perfectly fine.

@ghost ghost removed waiting-response labels Aug 26, 2020
@edwardmedia
Contributor

edwardmedia commented Aug 26, 2020

@mejuhi have you also looked into the resource below? It is used to manage the IAM policy for a Cloud Pub/Sub topic.

https://www.terraform.io/docs/providers/google/r/pubsub_topic_iam.html

google_project_iam_member is the one for managing the IAM policy of a project.

@ajishikea

Hi Team,

The above URL you mentioned is only for Pub/Sub.

But we have a service account with more roles; for example, we currently have created a SA with pubsub publisher, cloudrun invoker and logs writer. If I go by your statement, I can see only Pub/Sub and Cloud Run IAM member resources in Terraform, but logs writer is not available.

However, my main concern is that if I create the service account manually and add the 3 roles, it works perfectly. See the gcloud commands below.

gcloud projects add-iam-policy-binding $_PROJECT_ID --member="serviceAccount:$service_name@$_PROJECT_ID.iam.gserviceaccount.com" --role="roles/logging.logWriter"
gcloud projects add-iam-policy-binding $_PROJECT_ID --member="serviceAccount:$service_name@$_PROJECT_ID.iam.gserviceaccount.com" --role="roles/pubsub.publisher"
gcloud projects add-iam-policy-binding $_PROJECT_ID --member="serviceAccount:$service_name@$_PROJECT_ID.iam.gserviceaccount.com" --role="roles/run.invoker"

But when we use the Terraform IAM member resource, it adds the role in IAM but functionality-wise it does not work as expected. When the cloud function uses the SA created via Terraform it crashes, but it works fine with the manual SA.

@ghost ghost removed waiting-response labels Aug 27, 2020
@edwardmedia
Contributor

@mejuhi @ajishikea My understanding is that you have already created a SA. How did you assign roles to that SA for access to specific resources? Below is an example that shows assigning a role (viewer) to a member ([email protected]) for access to a resource (a pubsub topic). If you plan to use that SA to access other resources, you need to do similar IAM on those other resources. Let me know if this addresses your question.

resource "google_pubsub_topic_iam_member" "member" {
  project = google_pubsub_topic.example.project
  topic   = google_pubsub_topic.example.name
  role    = "roles/viewer"
  member  = "user:[email protected]"
}

@ghost ghost removed waiting-response labels Aug 31, 2020
@mejuhi
Author

mejuhi commented Aug 31, 2020

There seems to be a difference in how roles get attached to a service account using gcloud (example given below) and roles attached using google_project_iam_member.

gcloud projects add-iam-policy-binding ingka-ilo-fui-dev \
  --member="serviceAccount:<service-account>" \
  --role=<sample-role>

When we deploy Cloud Run using the SA with roles added using google_project_iam_member, it gives the following error. But when we create a SA manually and add the exact same roles to the manually created SA, it works fine. This seems to be an issue.

(screenshots: permission denied error)

Attaching screenshots of both roles for side-by-side comparison. The first SA is created manually and its permissions are added manually using the gcloud command; the second SA is created using Terraform.

(screenshots: role comparison)

@edwardmedia
Contributor

@mejuhi besides the google_project_iam_member shown at the very top, do you have other Terraform code? If yes, can you post your complete code related to the SA? I am curious how you did it in terms of attaching roles. In the meantime, can you post your Terraform debug log?

@edwardmedia
Contributor

@mejuhi is this still an issue with you?

@mejuhi
Author

mejuhi commented Sep 8, 2020

Hello @edwardmedia, we tried recreating this issue in another project and environment, and we found that there were some additional issues with service APIs not being enabled properly.
Thank you for your help and support. We were able to close this issue 👍

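The thread ends with the cause being service APIs that were not enabled, and earlier @edwardmedia's point about resource-scoped IAM and @ajishikea's note that logs writer has no per-resource binding. The configuration below is an added example, not code from the issue or from the provider's docs: it enables the APIs explicitly so Terraform orders them before the service account, and grants the three roles from the thread with the narrowest scope each supports instead of roles/editor at project level. The project ID, region, topic name and the name of a pre-existing Cloud Run service ("backend") are assumptions for illustration.

```hcl
# Added example (not from the issue thread). Assumed values: project ID,
# region, topic name, and an existing Cloud Run service named "backend".
locals {
  project = "my-project-id" # assumed
  region  = "europe-west1"  # assumed
}

# Root cause found in the thread: required service APIs were not enabled.
# Declaring them here makes Terraform enable them before dependents are created.
resource "google_project_service" "apis" {
  for_each = toset([
    "cloudfunctions.googleapis.com",
    "cloudbuild.googleapis.com",
    "pubsub.googleapis.com",
    "run.googleapis.com",
    "iam.googleapis.com",
  ])
  project            = local.project
  service            = each.value
  disable_on_destroy = false # do not switch APIs off when this config is destroyed
}

resource "google_service_account" "sa-invoker" {
  project      = local.project
  account_id   = "sa-invoker"
  display_name = "Cloud Function runtime identity"
  depends_on   = [google_project_service.apis]
}

resource "google_pubsub_topic" "events" {
  project    = local.project
  name       = "events" # assumed
  depends_on = [google_project_service.apis]
}

# Resource-scoped: may publish to this topic only, not to every topic in the project.
resource "google_pubsub_topic_iam_member" "sa-publisher" {
  project = google_pubsub_topic.events.project
  topic   = google_pubsub_topic.events.name
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${google_service_account.sa-invoker.email}"
}

# Resource-scoped: may invoke this one Cloud Run service only.
# The service "backend" is assumed to already exist and is not defined here.
resource "google_cloud_run_service_iam_member" "sa-run-invoker" {
  project  = local.project
  location = local.region
  service  = "backend" # assumed
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.sa-invoker.email}"
}

# Log writing has no per-resource IAM, so this binding stays at project scope.
# This is the Terraform counterpart of
#   gcloud projects add-iam-policy-binding <project> --member=... --role=roles/logging.logWriter
# Both are additive: they add one member to one role without touching other bindings.
resource "google_project_iam_member" "sa-log-writer" {
  project = local.project
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.sa-invoker.email}"
}

output "sa_email" {
  value = google_service_account.sa-invoker.email
}
```

The function itself must still run as this identity (the google_cloudfunctions_function resource's service_account_email set to the output above), otherwise it falls back to the default App Engine service account and the comparison in the thread is not apples to apples. After apply, check both halves of the problem from the CLI: `gcloud services list --enabled --project <project>` for the APIs, and `gcloud projects get-iam-policy <project> --flatten="bindings[].members" --filter="bindings.members:serviceAccount:sa-invoker@<project>.iam.gserviceaccount.com"` for the bindings. Newly granted IAM bindings can take a few minutes to take effect, so a permission denied error immediately after apply is not by itself proof that the binding is missing.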
@mejuhi mejuhi closed this as completed Sep 8, 2020
@ghost ghost removed waiting-response labels Sep 8, 2020
@ghost

ghost commented Oct 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 9, 2020
@github-actions github-actions bot added forward/review In review; remove label to forward service/cloudresourcemanager-crm labels Jan 14, 2025