GCP Custom IAM role creation with Terraform

I'm trying to create a custom IAM role in GCP with Terraform for my instances. AFAICT, the following should work, yet it errors out on me, complaining that the standard roles I want to include are not valid.

resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "roles/storage.objectCreator", 
    "roles/cloudkms.cryptoKeyEncrypter"
  ]
}

Here is the error message:

* google_project_iam_custom_role.my-instance-role: Error creating the custom project role My Instance Role: googleapi: Error 400: Permission roles/storage.objectCreator is not valid., badRequest

The Terraform docs aren't super clear, but from what I've read, this should work. Any idea what I'm doing wrong here?

ducksauz asked Jan 03 '23 14:01


1 Answer

Ok. I figured it out. You can't include a predefined GCP role in a custom role. You have to specify the specific service permissions. What I really wanted to do was this:

resource "google_project_iam_custom_role" "my-instance-role" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  description = "my custom iam role"
  permissions = [
    "storage.objects.create", 
    "cloudkms.cryptoKeyVersions.useToEncrypt"
  ]
}

The key here is the difference between predefined GCP roles such as "roles/storage.objectCreator" which is a collection of GCP permissions and using those individual permissions on their own. When creating a custom IAM role in Terraform, you must specify the individual service level permissions you want to apply, such as "storage.objects.create".

ducksauz answered Jan 08 '23 22:01
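A practical caveat to the answer above: the "Permission roles/... is not valid" error is returned by the IAM API when the role is created, so `terraform validate` and `terraform plan` both pass and the mistake only surfaces at `terraform apply`. The script below is an added example written for this page (not the poster's code and not part of the Terraform or Google providers) that catches the mistake before apply: it pulls every `permissions = [...]` list out of a `.tf` file, flags entries that are role names rather than permission IDs, and checks that the remaining entries at least have the `<service>.<resource>.<verb>` shape. The function names (`lint_hcl`, `classify_entry`, ...) and the embedded `SAMPLE_TF` are the example's own; the sample simply combines the failing config from the question and the fixed one from the answer.

```python
"""Pre-apply lint for google_project_iam_custom_role permission lists.

Added example, not code from the original post. Terraform only sends the
permissions list to the IAM API at apply time, so a predefined role such as
"roles/storage.objectCreator" listed where a permission ID belongs passes
`terraform validate` and `terraform plan` and fails with the
"Permission roles/... is not valid" 400 seen in the question.
"""
import re

# GCP permission IDs are dotted identifiers of the form
# <service>.<resource>.<verb>, e.g. "storage.objects.create" or
# "cloudkms.cryptoKeyVersions.useToEncrypt". This is a syntactic check only;
# the authoritative list of valid permissions comes from the IAM API.
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*(\.[A-Za-z0-9]+){2,}$")

# Role resource names that get mistakenly pasted into a permissions list.
ROLE_PREFIXES = ("roles/", "projects/", "organizations/")

# Matches the permissions = [ ... ] attribute of a custom role resource.
PERMISSIONS_ATTR_RE = re.compile(r"permissions\s*=\s*\[(.*?)\]", re.DOTALL)
QUOTED_RE = re.compile(r'"([^"]*)"')


def classify_entry(entry: str) -> str:
    """Return "permission", "role" or "malformed" for one list entry."""
    if entry.startswith(ROLE_PREFIXES):
        return "role"
    if PERMISSION_RE.match(entry):
        return "permission"
    return "malformed"


def lint_permissions(entries):
    """Return a list of (entry, problem) tuples; an empty list means clean."""
    problems = []
    for entry in entries:
        kind = classify_entry(entry)
        if kind == "role":
            problems.append((entry, "role name; custom roles accept only "
                                    "individual permission IDs"))
        elif kind == "malformed":
            problems.append((entry, "not a <service>.<resource>.<verb> "
                                    "permission ID"))
    return problems


def extract_permission_lists(hcl_text: str):
    """Pull every permissions = [...] list out of Terraform HCL text.

    Minimal regex-based extraction: '#' line comments are stripped first,
    then every double-quoted string inside the brackets is taken as an entry.
    Adequate for plain resource blocks like the ones in this thread.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in hcl_text.splitlines())
    return [QUOTED_RE.findall(body) for body in PERMISSIONS_ATTR_RE.findall(stripped)]


def lint_hcl(hcl_text: str):
    """Lint every permissions list in the HCL text; returns all problems found."""
    problems = []
    for entries in extract_permission_lists(hcl_text):
        problems.extend(lint_permissions(entries))
    return problems


# Constructed sample: the failing config from the question and the fixed one
# from the answer, side by side in one file.
SAMPLE_TF = '''
resource "google_project_iam_custom_role" "broken" {
  role_id     = "myInstanceRoleBroken"
  title       = "My Instance Role (broken)"
  permissions = [
    "roles/storage.objectCreator",        # a role, not a permission
    "roles/cloudkms.cryptoKeyEncrypter",
  ]
}

resource "google_project_iam_custom_role" "fixed" {
  role_id     = "myInstanceRole"
  title       = "My Instance Role"
  permissions = [
    "storage.objects.create",
    "cloudkms.cryptoKeyVersions.useToEncrypt",
  ]
}
'''

if __name__ == "__main__":
    import sys
    # Usage: python lint_custom_role.py main.tf   (no argument lints SAMPLE_TF)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TF
    found = lint_hcl(text)
    for entry, problem in found:
        print(f"{entry}: {problem}")
    sys.exit(1 if found else 0)
```

Run it as a pre-commit or CI step so a bad permissions list fails before anyone reaches `terraform apply`. When you do want the exact set of permissions a predefined role carries rather than guessing one entry from its name, `gcloud iam roles describe roles/storage.objectCreator` prints the role's `includedPermissions`; predefined roles usually bundle more than the single permission you had in mind, so copying only the permissions the workload actually needs into the custom role is the least-privilege outcome, but check the describe output so nothing required is left out.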