I'm trying to create a custom IAM role in GCP with Terraform for my instances. AFAICT, the following should work, but it errors out on me, complaining that the standard roles I want to include are not valid.
resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "roles/storage.objectCreator",
    "roles/cloudkms.cryptoKeyEncrypter"
  ]
}
Here is the error message:
* google_project_iam_custom_role.my-instance-role: Error creating
the custom project role My Instance Role: googleapi: Error 400:
Permission roles/storage.objectCreator is not valid., badRequest
The Terraform docs aren't super clear, but from what I've read, this should work. Any idea what I'm doing wrong here?
Ok. I figured it out. You can't include a predefined GCP role in a custom role. You have to specify the specific service permissions. What I really wanted to do was this:
resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "storage.objects.create",
    "cloudkms.cryptoKeyVersions.useToEncrypt"
  ]
}
The key here is the difference between predefined GCP roles such as "roles/storage.objectCreator" which is a collection of GCP permissions and using those individual permissions on their own. When creating a custom IAM role in Terraform, you must specify the individual service level permissions you want to apply, such as "storage.objects.create".
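An added example, not part of the answer above, showing how to find out which permissions a predefined role actually bundles instead of guessing: the `google_iam_role` data source in the Google provider exposes a predefined role's `included_permissions`, so the custom role can be built from the union of those sets. The role IDs are the ones from the question; the data source names (`object_creator`, `kms_encrypter`) are arbitrary labels chosen here. The same list can be checked from the command line with `gcloud iam roles describe roles/storage.objectCreator`.

```hcl
# Look up the predefined roles so Terraform resolves their permission lists
# for you. The data source returns the role's "included_permissions" set.
data "google_iam_role" "object_creator" {
  name = "roles/storage.objectCreator"
}

data "google_iam_role" "kms_encrypter" {
  name = "roles/cloudkms.cryptoKeyEncrypter"
}

# Custom roles take individual permissions (service.resource.verb), never
# "roles/..." identifiers, so the two permission sets are merged here.
resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = setunion(
    data.google_iam_role.object_creator.included_permissions,
    data.google_iam_role.kms_encrypter.included_permissions,
  )
}
```

Two caveats worth knowing before copying this pattern. First, the API rejects permissions whose support level does not allow them in custom roles (for example permissions still marked TESTING or NOT_SUPPORTED), so a predefined role can contain entries that a custom role cannot take; if `terraform apply` fails on one of those, drop it explicitly with `setsubtract`. Second, Google adds permissions to predefined roles over time, so a role built this way widens on its own at the next plan; if the goal is least privilege for the instances, the explicit short list in the answer above is the better choice, and the data source is mainly useful for discovering which permission names to put in it.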