I am trying to make a GCP VM through Terraform. I made a service account on Google that has the Project Owner role. Through Terraform I am trying to make a bucket to store Terraform's state. The .json for credentials is in a Gitlab variable.
The problem is that, despite the service account having the Owner role, I get a 403 error saying that my service account does not have access and is forbidden.
Things I've tried:
I've given the service account different roles, including Project Editor, Storage Admin, and Storage Object Admin.
I've deleted it and remade it (and updated the Gitlab variable).
I've made the bucket on Google through the UI instead of Terraform in case that was the problem, but that didn't change anything.
Gitlab's yml:
image:
  name: hashicorp/terraform:light
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  # SERVICEACCOUNT is the base64-encoded service-account key stored as a Gitlab variable
  - echo "$SERVICEACCOUNT" | base64 -d > ./creds/serviceaccount.json
  - terraform init

stages:
  - validate
  - plan
  - apply

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile

apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual
My main.tf:
provider "google" {
  project     = "project-id-name"
  credentials = "./creds/serviceaccount.json"
  region      = "europe-west1"
  # google_compute_instance needs a zone; set a default here (added, not in the original)
  zone        = "europe-west1-b"
}

# make bucket to store terraform state into
# (google_storage_bucket takes "location", not "region")
resource "google_storage_bucket" "terraform_state" {
  name     = "terraform-up-and-running-state"
  location = "europe-west1"
}

# config terraform to store onto cloud in bucket above
terraform {
  backend "gcs" {
    bucket      = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # attach to the custom network defined below (Terraform 0.12 needs no "${}" wrapper)
    network = google_compute_network.vpc_network.self_link
    access_config {
    }
  }
}

resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = true
}
The goal is to initialize a Google VM and everything I need for it solely through Terraform.
This is what Gitlab's validate phase shows:
Running with gitlab-runner 12.3.0 (a8a019e0)
on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
* [new branch] master -> origin/master
Checking out c183697f as master...
Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init
Initializing the backend...
Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: [email protected] does not have storage.objects.list access to terraform-up-and-running-state., forbidden
ERROR: Job failed: exit code 1
In the Google Cloud console, go to the Cloud Storage Buckets page. Click the Bucket overflow menu associated with the bucket to which you want to grant a principal a role. Choose Edit access. Click the + Add principal button.
Select the Share publicly checkbox next to files in your bucket that you want to share. Use the Public link next to the checkbox. Grant project access: click IAM & Admin in the left side menu and grant users access to your project (and thus to your buckets and files, unless you set specific bucket or file permissions).
The Google Cloud Storage bucket namespace is global, and terraform-up-and-running-state is already used by another bucket somewhere in the world, so you are trying to access their bucket and getting denied. It looks like there are a number of tutorials on the web that make reference to this bucket name. Make sure your bucket name is unique.
I'm guessing this is not your bucket: http://terraform-up-and-running-state.storage.googleapis.com/
See:
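The 403 in the log above is the signature of a name collision rather than a missing IAM role: the service account is being refused on somebody else's bucket, so adding roles (or, worse, making anything public) cannot fix it. The check a practitioner wants before touching IAM is to find out whether the name is free or already owned. An anonymous GET against the Cloud Storage XML endpoint (https://storage.googleapis.com/<bucket>/) answers 404 NoSuchBucket for a free name and 403 AccessDenied for an existing private bucket, which distinguishes the two cases without sending any credentials. The script below is an added example, not code from the question or the answer; it assumes `curl` is installed, and the "<project-id>-tfstate" naming convention it suggests is an assumption of mine (GCP project IDs are globally unique, so a name derived from one cannot collide). Whatever unique name you pick must go in both `google_storage_bucket.name` and the `backend "gcs"` `bucket` argument.

```shell
#!/bin/sh
# Pre-flight check for a GCS Terraform-backend bucket name (added example,
# not from the original post). Only probe_bucket() needs network access;
# the other functions are pure so they can be sourced and tested offline.
set -eu

# Check the GCS bucket naming rules that matter here: 3-63 characters,
# lowercase letters, digits, dashes, underscores and dots only, must start
# and end with a letter or digit, must not begin with "goog" or contain "google".
validate_bucket_name() {
  name="$1"
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case "$name" in
    *[!a-z0-9._-]*)        return 1 ;;  # illegal character
    [!a-z0-9]*|*[!a-z0-9]) return 1 ;;  # bad first or last character
    goog*|*google*)        return 1 ;;  # reserved prefix / substring
  esac
  return 0
}

# Map the HTTP status of an anonymous GET on https://storage.googleapis.com/<bucket>/
# to a verdict. The XML endpoint answers 404 (NoSuchBucket) when the name is free
# and 403 (AccessDenied) when a bucket of that name exists but is private, which
# is exactly the situation the question's pipeline was in.
classify_status() {
  case "$1" in
    404) echo "free" ;;
    403) echo "taken-private" ;;
    200) echo "taken-public" ;;   # exists and is listable by anyone
    *)   echo "unknown" ;;        # network failure (curl reports 000) or anything else
  esac
}

# Anonymous probe: no credentials are sent, so this never needs (or widens) bucket ACLs.
# Path-style URL is used so that bucket names containing dots do not break TLS.
probe_bucket() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "https://storage.googleapis.com/$1/") || code=000
  classify_status "$code"
}

# A name that cannot collide: GCP project IDs are themselves globally unique.
# "<project-id>-tfstate" is a naming convention assumed for this example.
suggest_state_bucket_name() {
  echo "$1-tfstate"
}

main() {
  name="$1"
  project="$2"
  if ! validate_bucket_name "$name"; then
    echo "invalid bucket name: $name" >&2
    return 2
  fi
  verdict=$(probe_bucket "$name")
  case "$verdict" in
    free)    echo "$name is free: create it and point backend \"gcs\" at it" ;;
    taken-*) echo "$name already exists ($verdict); if it is not in project $project, use $(suggest_state_bucket_name "$project") instead" ;;
    *)       echo "could not determine the status of $name" >&2; return 1 ;;
  esac
}

# Usage: TF_BUCKET=terraform-up-and-running-state TF_PROJECT=project-id-name sh check-bucket.sh
if [ -n "${TF_BUCKET:-}" ]; then
  main "$TF_BUCKET" "${TF_PROJECT:-unknown-project}"
fi
```

Run it with TF_BUCKET set to the name from main.tf; a "taken-private" verdict on a bucket you never created is the answer's diagnosis confirmed, and the fix is a new name, not a new role.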