I am using the GCP (Cloud Resource Manager) REST API to assign roles/editor
to one of the service accounts that I created using the IAM service (https://iam.googleapis.com) REST API. But the API is returning 400 Bad Request
with the following response body:
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.cloudresourcemanager.v1.ProjectIamPolicyError",
        "type": "SOLO_REQUIRE_TOS_ACCEPTOR",
        "role": "roles/owner"
      }
    ]
  }
}
I am using the following payload:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/editor",
        "members": [
          "serviceAccount:[service-account-name]@[project-id].iam.gserviceaccount.com"
        ]
      }
    ]
  }
}
The error "SOLO_REQUIRE_TOS_ACCEPTOR" suggests that there could be a TOS that requires acceptance.
Your project has a setting that makes it a requirement for users who have owner-level privileges on the project, including roles like roles/editor, to accept the GCP Terms of Service.
As per this official document:
If the project is not part of an organization, there must be at least one owner who has accepted the Terms of Service (ToS) agreement in the policy. Calling setIamPolicy() to remove the last ToS-accepted owner from the policy will fail. This restriction also applies to legacy projects that no longer have owners who have accepted the ToS. Edits to IAM policies will be rejected until the lack of a ToS-accepting owner is rectified. If the project is part of an organization, you can remove all owners, potentially making the organization inaccessible.
As per this GitHub link:
The documentation says that it is not possible to grant the owner role through gcloud or the Cloud IAM API. Owners can only be added through the GCP Console.
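The following is an added example, not code from the question or the answer above. projects.setIamPolicy replaces the entire IAM policy with the one in the request body, and the payload posted in the question carries only a roles/editor binding (while the error detail names roles/owner). This script shows the read-modify-write pattern the Cloud Resource Manager API expects: take the policy returned by getIamPolicy, add the new member to it, and send the merged policy back with the same etag, after a pre-flight check that the result still contains an owner. The sample policy, the project id "my-project", and the service account "deploy@my-project.iam.gserviceaccount.com" are constructed for the example; nothing here talks to the network.

```python
"""Read-modify-write of a GCP project IAM policy (added example, offline).

projects.setIamPolicy overwrites the whole policy, so a body holding only the
new binding drops every other binding, including roles/owner. The safe flow is
getIamPolicy -> add the member to the fetched policy -> setIamPolicy with the
fetched etag. The data below is constructed; no API call is made.
"""
import copy
import json

# Constructed stand-in for a projects.getIamPolicy response (not real data).
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ],
}

# Same shape as the payload in the question: one editor binding and nothing
# else. Service account name and project id are hypothetical.
POSTED_PAYLOAD = {
    "policy": {
        "bindings": [
            {
                "role": "roles/editor",
                "members": [
                    "serviceAccount:deploy@my-project.iam.gserviceaccount.com"
                ],
            }
        ]
    }
}


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    All existing bindings and the etag are kept, so the result can be sent to
    setIamPolicy without losing the current owners. Adding a member that is
    already bound is a no-op.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def owner_members(policy):
    """All members bound to roles/owner in `policy`."""
    return [
        m
        for b in policy.get("bindings", [])
        if b["role"] == "roles/owner"
        for m in b.get("members", [])
    ]


def safe_to_set(new_policy, current_policy):
    """Pre-flight check before calling setIamPolicy.

    Rejects a policy that would remove every owner the current policy has
    (the documented reason setIamPolicy is refused on projects outside an
    organization) or that does not carry the etag of the policy it replaces.
    """
    if owner_members(current_policy) and not owner_members(new_policy):
        return False
    if new_policy.get("etag") != current_policy.get("etag"):
        return False
    return True


def set_iam_policy_request(project_id, policy):
    """Build the (url, json_body) pair for the v1 projects.setIamPolicy call."""
    url = (
        "https://cloudresourcemanager.googleapis.com/v1/projects/"
        f"{project_id}:setIamPolicy"
    )
    body = json.dumps({"policy": policy}, indent=2)
    return url, body


if __name__ == "__main__":
    member = "serviceAccount:deploy@my-project.iam.gserviceaccount.com"
    proposed = add_member(CURRENT_POLICY, "roles/editor", member)
    print("merged policy passes check:", safe_to_set(proposed, CURRENT_POLICY))
    print("posted payload passes check:",
          safe_to_set(POSTED_PAYLOAD["policy"], CURRENT_POLICY))
    url, body = set_iam_policy_request("my-project", proposed)
    print("POST", url)
    print(body)
```

The check only confirms that some roles/owner binding survives and that the etag matches the policy being replaced; it cannot tell whether that owner has accepted the Terms of Service, which is what the documented restriction actually hinges on. If the fetched policy already has no ToS-accepted owner, the merged write will still be rejected and the owner has to be added through the Cloud Console as the answer states.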