google-cloud-platformgcloudservice-accountsgoogle-iam

GCP - User ... does not have permission to access projects instance


I was using gcloud with a service account to try to figure out why my API Gateway endpoint didn't work when I ran into another problem. First I ran this export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential/fils/PROJECTNAME-hash.json. Then I ran gcloud services list --available and I got this in my terminal:

ERROR: (gcloud.services.list) User [<SERVICE ACCOUNT NAME>@<MY PROJECT NAME>.iam.gserviceaccount.com] does not have permission to access projects instance [<MY PROJECT NAME>] (or it may not exist): Permission denied to list services for consumer container [projects/<MY PROJECT ID>]
Help Token: <WHAT LOOKS LIKE AN API KEY>
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.services.list&resource=projects/<MY PROJECT NAME>
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  metadata:
    permission: serviceusage.services.list
    resource: projects/<MY PROJECT NAME>
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED

I believe I have the correct permissions enabled in my service account:
enter image description here

So why am I getting this error and how do I get gcloud services list --available to work with the selected service account?


Solution

  • This problem seemed to stem from the fact that I needed to set the service account to have the role of serviceusage.serviceUsageViewer. In order to do that I need to run the add-iam-policy-binding command but this command needs to be run with an account that has account owner/editor permissions.

    Step 1 was to switch the account in gcloud to the master gmail account with which I signed up for GCP services.

    I set my gcloud "account" to my master Gmail account with gcloud config set account <MASTER GMAIL ACCOUNT>. Then I ran:

    gcloud projects add-iam-policy-binding <PROJECT ID> \
        --member "serviceAccount:<SERVICE ACCOUNT>@<PROJECT ID>.iam.gserviceaccount.com" \
        --role "roles/serviceusage.serviceUsageViewer"
    

    That command succeeded. I set the gcloud account back to the service account with gcloud config set account <SERVICE ACCOUNT EMAIL> and then ran gcloud services list --available. This command worked this time.