Bucket query permission denied in GCP despite service-account having the Owner role

Question

I am trying to make a GCP VM through Terraform. I made a service account on Google that has the Project Owner role. Through Terraform I am trying to make a bucket to store Terraform's state. The .json for credentials is in a Gitlab variable.

Problem is that despite the service-account having Owner role, I get a 403 error saying that my service-account does not have access and is forbidden.

Things I've tried:

• I've given the service-account different roles including Project Editor, Storage Admin, and Storage Object Admin.

• I've deleted it and remade it (and updated the Gitlab variable).

• I've made the bucket on google through the UI instead of Terraform incase that was the problem, but didn't change anything.

Gitlab's yml:

image:
  name: hashicorp/terraform:light  
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  - echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
  - terraform init

stages:
  - validate
  - plan
  - apply

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile

apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual

My main.tf:

provider "google" {
    project = "project-id-name" 
    credentials = "./creds/serviceaccount.json"
    region = "europe-west1"
}

# make bucket to store terraform state into
resource "google_storage_bucket" "terraform_state"  {
  name     = "terraform-up-and-running-state"
    region = "europe-west1"
}

# config terraform to store onto cloud in bucket above
terraform {
  backend "gcs" {
    bucket = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest 
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = "${google_compute_network.vpc_network.self_link}"
    access_config {
    }
  }
}
resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = "true"
}

Goal is to initialize a Google VM and everything I need for it through solely Terraform.

This is what Gitlab's validate phase shows:

Running with gitlab-runner 12.3.0 (a8a019e0)
  on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
 * [new branch]      master     -> origin/master
Checking out c183697f as master...

Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: [email protected] does not have storage.objects.list access to terraform-up-and-running-state., forbidden


ERROR: Job failed: exit code 1

Answer 1

The Google Cloud Storage Bucket namespace is global, and terraform-up-and-running-state is already used by another bucket somewhere in the world, and you are trying to access their bucket and getting denied. It looks like there are a number of tutorials on the web that make reference to this bucket name. Make sure your bucket name is unique.

I'm guessing this is not your bucket: http://terraform-up-and-running-state.storage.googleapis.com/

See:

• https://cloud.google.com/storage/docs/best-practices#naming
• https://cloud.google.com/storage/docs/naming#requirements