Tags: google-cloud-platform, google-deployment-manager

GCP project creation via deploymentmanager


So I'm trying to create a project with Google Cloud Deployment Manager. I've structured the setup roughly as below:

# Structure
Org -> Folder1 -> Seed-Project(Location where I am running deployment manager from)

Organization:
  IAM:
    -> {Seed-Project-Number}@cloudservices.gserviceaccount.com:
        - Compute Network Admin
        - Compute Shared VPC Admin
        - Organisation Viewer
        - Project Creator

# DeploymentManager resource (written out as valid YAML):
resources:
  - name: MyNewProject
    type: cloudresourcemanager.v1.project
    properties:
      name: MyNewProject
      projectId: MyNewProject
      parent:
        id: '{folder1-id}'
        type: folder

The desired result is that MyNewProject should be created under Folder1. However, it appears as if the Deployment Manager service account does not have sufficient permissions:

$ CLOUDSDK_CORE_PROJECT=Seed-Project gcloud deployment-manager deployments \
  create MyNewDeployment \
  --config config.yaml \
  --verbosity=debug

Error message:

- code: RESOURCE_ERROR
  location: /deployments/MyNewDeployment/resources/MyNewProject
  message: '{"ResourceType":"cloudresourcemanager.v1.project",
             "ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject","httpMethod":"GET"}}'

I've done some digging, and it appears to be calling the resourcemanager.projects.get method; the 'Compute Shared VPC Admin (roles/compute.xpnAdmin)' role should provide this permission as documented here: https://cloud.google.com/iam/docs/understanding-roles

Except that doesn't seem to be the case. What's going on?

Edit

I'd like to add some additional information gathered from debugging efforts: these are the API requests from the Deployment Manager (from the seed project).

You can see that the caller is an anonymous service account, which isn't what I'd expect to see. (I'd expect to see {Seed-Project-Number}@cloudservices.gserviceaccount.com as the calling account here.)

screenshot

Edit-2

config.yaml

imports:
  - path: composite_types/project/project.py
    name: project.py

resources:
  - name: MyNewProject
    type: project.py
    properties:
      parent:
        type: folder
        id: "{folder1-id}"
      billingAccountId: billingAccounts/REDACTED
      activateApis:
        - compute.googleapis.com
        - deploymentmanager.googleapis.com
        - pubsub.googleapis.com
      serviceAccounts: []

composite_types/project/* is an exact copy of the templates found here:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/community/cloud-foundation/templates/project


Solution

  • The key thing is that this is a GET operation, not an attempt to create the project. This is to verify global uniqueness of the project-id requested, and if not unique, PERMISSION_DENIED is thrown.

    Lousy error message, lots of wasted developer hours!
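As an added example (not part of the question or the answer above), a small Python helper that parses the JSON carried in a Deployment Manager RESOURCE_ERROR message and tells the uniqueness-check GET apart from a real permission failure on the create call. The sample error is constructed from the one in the question; the verdict names are my own labels, and the interpretation of a 403 on the GET follows the answer above.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: the JSON that sits in the "message" field of the
# RESOURCE_ERROR shown in the question, with the same project id.
SAMPLE_ERROR = json.dumps({
    "ResourceType": "cloudresourcemanager.v1.project",
    "ResourceErrorCode": "403",
    "ResourceErrorMessage": {
        "code": 403,
        "message": "The caller does not have permission",
        "status": "PERMISSION_DENIED",
        "statusMessage": "Forbidden",
        "requestPath": "https://cloudresourcemanager.googleapis.com/v1/projects/MyNewProject",
        "httpMethod": "GET",
    },
})

# Matches the path of a Resource Manager v1 projects.get / projects.delete call.
_PROJECT_PATH = re.compile(r"^/v1/projects/([^/]+)$")


def diagnose_dm_project_error(message_json: str) -> dict:
    """Classify a Deployment Manager RESOURCE_ERROR for a project resource.

    Per the answer above, Deployment Manager first issues a GET on
    projects/{projectId} to check that the id is globally unique, and a 403
    on that GET means the id is already taken, not that the deployment
    service account lacks Project Creator. A 403 on the POST (the actual
    create) is a genuine permission problem on the parent folder/org.
    """
    err = json.loads(message_json)
    if err.get("ResourceType") != "cloudresourcemanager.v1.project":
        return {"verdict": "not_a_project_error", "project_id": None}
    detail = err.get("ResourceErrorMessage", {})
    match = _PROJECT_PATH.match(urlparse(detail.get("requestPath", "")).path)
    project_id = match.group(1) if match else None
    method = str(detail.get("httpMethod", "")).upper()
    code = int(detail.get("code", err.get("ResourceErrorCode", 0)))

    if method == "GET" and code == 403:
        verdict = "project_id_probably_taken"          # pick another projectId
    elif method == "POST" and code == 403:
        verdict = "caller_lacks_create_permission"     # check IAM on the parent
    else:
        verdict = "unclassified"
    return {"verdict": verdict, "project_id": project_id,
            "method": method, "code": code}
```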