Tags: google-cloud-platform, service-accounts

Unable to assign role to service account using REST API on GCP


I am using the GCP (Cloud Resource Manager) REST API to assign roles/editor to one of the service accounts that I created using the IAM service (https://iam.googleapis.com) REST API. But the API is returning 400 Bad Request with the following response body:

{
    "error": {
        "code": 400,
        "message": "Request contains an invalid argument.",
        "status": "INVALID_ARGUMENT",
        "details": [
            {
                "@type": "type.googleapis.com/google.cloudresourcemanager.v1.ProjectIamPolicyError",
                "type": "SOLO_REQUIRE_TOS_ACCEPTOR",
                "role": "roles/owner"
            }
        ]
    }
}

I am using the following payload:

{
    "policy": {
        "bindings": [
            {
                "role": "roles/editor",
                "members": [
                    "serviceAccount:[service-account-name]@[project-id].iam.gserviceaccount.com"
                ]
            }
        ]
    }
}

Solution

  • The error “SOLO_REQUIRE_TOS_ACCEPTOR” suggests that there could be a TOS that requires acceptance.

    Your project has a setting that requires the users who have owner-level privileges on the system, including roles like roles/editor, to accept the GCP Terms of Service.

    As per this official document

    If the project is not part of an organization, there must be at least one owner who has accepted the Terms of Service (ToS) agreement in the policy. Calling setIamPolicy() to remove the last ToS-accepted owner from the policy will fail. This restriction also applies to legacy projects that no longer have owners who have accepted the ToS. Edits to IAM policies will be rejected until the lack of a ToS-accepting owner is rectified. If the project is part of an organization, you can remove all owners, potentially making the organization inaccessible.

    As per this GitHub link

    The documentation says that it is not possible to grant the owner role through gcloud or the Cloud IAM API. Owners can only be added through the GCP Console.
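The answer above explains why the error names roles/owner when the request only mentions roles/editor: setIamPolicy replaces the whole policy, and the payload in the question contains no owner binding, so it would remove the last ToS-accepted owner. The usual defensive pattern is read-modify-write: call getIamPolicy, append the new binding to the existing ones, keep the etag, and only then call setIamPolicy. The following is an added example written for this page, not code from the question, the answer or Google; it works on a constructed in-memory policy (the owner email, project id and etag are placeholders) and assumes the v1 policy shape with "bindings", "etag" and "version" fields. The HTTP calls themselves are left out so the block runs offline.

```python
"""Read-modify-write helper for Cloud Resource Manager setIamPolicy.

Added example, not code from the question or answer. It assumes the v1
getIamPolicy / setIamPolicy policy shape (bindings, etag, version) and
shows why sending only a roles/editor binding fails: it replaces the
whole policy and drops the existing ToS-accepted owner.
"""
import copy
import json

# Constructed sample of what getIamPolicy might return for a project that
# is not part of an organization. Email, project id and etag are placeholders.
EXISTING_POLICY = {
    "version": 1,
    "etag": "BwX-placeholder-etag",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ],
}

# Placeholder service account, same shape as the one in the question.
NEW_MEMBER = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"


def merge_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    Existing bindings and the etag are preserved, so a following
    setIamPolicy call adds the grant instead of replacing the policy.
    Conditional bindings are left alone and a new unconditional one is
    appended instead, so an existing condition is never silently widened.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def owners(policy):
    """Set of members bound to roles/owner in `policy`."""
    result = set()
    for binding in policy.get("bindings", []):
        if binding["role"] == "roles/owner":
            result.update(binding.get("members", []))
    return result


def lost_owners(old_policy, new_policy):
    """Owners present in `old_policy` that `new_policy` would remove.

    A non-empty result is the pre-flight check to run before setIamPolicy:
    on a project outside an organization it predicts the
    SOLO_REQUIRE_TOS_ACCEPTOR rejection seen in the question, and inside an
    organization it flags a write that could lock everyone out.
    """
    return owners(old_policy) - owners(new_policy)


def set_iam_policy_body(policy):
    """Request body for projects.setIamPolicy.

    Keeping the etag from getIamPolicy makes the write conditional, so a
    concurrent policy change is rejected rather than overwritten.
    """
    return {"policy": policy}


if __name__ == "__main__":
    # The question's payload: a policy holding only the editor binding.
    question_payload = {
        "policy": {"bindings": [{"role": "roles/editor", "members": [NEW_MEMBER]}]}
    }
    print("owners dropped by the question's payload:",
          sorted(lost_owners(EXISTING_POLICY, question_payload["policy"])))

    merged = merge_binding(EXISTING_POLICY, "roles/editor", NEW_MEMBER)
    print("owners dropped by the merged policy:",
          sorted(lost_owners(EXISTING_POLICY, merged)))
    print(json.dumps(set_iam_policy_body(merged), indent=2))
```

Running the block prints that the question's payload would drop `user:owner@example.com` while the merged policy drops nobody, and then prints the merged setIamPolicy body with the original etag still attached. In a real script the only additions are the GET of the current policy before `merge_binding` and the POST of `set_iam_policy_body(merged)` afterwards, with a refusal to send if `lost_owners` is non-empty.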