I'm trying to add a policy binding to my service account using Google Deployment Manager with the YAML file below, but when I try to deploy it, I get a "Permission denied" exception.
resources:
- name: test-name-deploy
  type: gcp-types/iam-v1:projects.serviceAccounts
  properties:
    accountId: accid123
    displayName: test-deploy
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/viewer
        members:
        - "serviceAccount:myservaccount"
> message: '{"ResourceType":"gcp-types/iam-v1:projects.serviceAccounts","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"Permission
iam.serviceAccounts.setIamPolicy is required to perform this operation on service
I have given the account the "OWNER" permission, but I am still getting the same error. Thanks in advance.
Deployment Manager uses the Google APIs Service Account to call other Google APIs and manage Google Cloud resources on your behalf. You can find the account under IAM as [PROJECT_NUMBER]@cloudservices.gserviceaccount.com, which by default has the Editor role. However, to assign IAM policies to the resources, this account needs the Owner role. So, grant your project's Google APIs service account the Owner role.
You can refer to the link below for more details.
You can additionally refer to the policy troubleshooting guide linked below: https://cloud.google.com/iam/docs/troubleshooting-access#troubleshooting_access
I have tested this in my project and it worked for me.
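As an added illustration (not part of the answer above), the following preflight check reads the project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, lists the roles held by the project's Google APIs service account, and reports whether `roles/owner` is present before a Deployment Manager deployment that uses `accessControl`. The policy document and the project number `123456789012` are constructed placeholders; `PROJECT_ID` in the suggested command is likewise a placeholder.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy --format=json` output
# (placeholder data, not a real project): the Google APIs service account
# only has the default Editor role, so setIamPolicy on resources will fail.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}
"""


def roles_for_member(policy: dict, member: str) -> set:
    """Return every role bound to `member` in a project-level IAM policy."""
    return {
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def deployment_manager_preflight(policy_json: str, project_number: str) -> dict:
    """Check that the project's Google APIs service account
    ([PROJECT_NUMBER]@cloudservices.gserviceaccount.com) holds roles/owner,
    which Deployment Manager needs to set IAM policies on created resources.
    Returns the member name, all of its roles (so the reviewer sees the full
    privilege the account ends up with), and the gcloud command to fix it."""
    policy = json.loads(policy_json)
    member = f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"
    roles = roles_for_member(policy, member)
    ok = "roles/owner" in roles
    fix = None
    if not ok:
        # PROJECT_ID is a placeholder for the target project.
        fix = ("gcloud projects add-iam-policy-binding PROJECT_ID "
               f"--member={member} --role=roles/owner")
    return {"member": member, "roles": sorted(roles), "ok": ok, "fix": fix}


if __name__ == "__main__":
    print(json.dumps(deployment_manager_preflight(SAMPLE_POLICY_JSON, "123456789012"), indent=2))
```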