Terraform-provider-google: Required 'compute.networks.get' permission forbidden with shared VPC

Created on 27 Jun 2018  ·  5 Comments  ·  Source: hashicorp/terraform-provider-google

Using a shared VPC network resource results in permission issues on the service account credentials.

I have project owner permission for the service account on both the project A where I'm running terraform and the project B where the Network is shared from. The service account A has the permissions set in project B.

I can create the cluster via the console without issues.

Am I missing something to make it work with terraform?

Terraform Version

Terraform v0.11.7

Affected Resource(s)

Please list the resources as a list, for example:

  • google_container_cluster
  • potentially more....

Terraform Configuration Files

```hcl
resource "google_container_cluster" "foo" {
  name                = "foo"
  zone                = "${var.region}"
  network             = "projects/xxxxxx/global/networks/xxxx"
  min_master_version  = "1.10.4-gke.0"
  node_version        = "1.10.4-gke.0"
  initial_node_count  = 1
}
```

Debug Output

```
2018/06/27 17:09:11 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
{
  "error": {
    "code": 403,
    "message": "Google Compute Engine: Required 'compute.networks.get' permission for 'projects/xxxx/global/networks/xxxx'",
    "errors": [
      {
        "message": "Google Compute Engine: Required 'compute.networks.get' permission for 'projects/xxxx/global/networks/xxxx'",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}
```

bug


All 5 comments

Hey @bluemalkin, what credentials are you using to run Terraform? Also if you could please forward your debug logs, that would be helpful (https://www.terraform.io/docs/internals/debugging.html)

I figured out why.

With shared VPC, you need to allow users/serviceAccounts in the service project to use the sub-network with a google_compute_subnetwork_iam_binding resource using roles/compute.networkUser role.

The documentation should make this clearer.

Hope this helps anyone else stumbling on this issue.

@bluemalkin, can you share your updated terraform configuration file?

@2tunnels

This worked for me, regarding permissions

### Enable the permissions in the shared network project for this to access it:

```hcl
locals {
  # THIS_PROJECT is a placeholder for the google_project resource of the
  # service project (the one running Terraform and creating the cluster).
  project_number = "${google_project.THIS_PROJECT.number}"
  project_id     = "${google_project.THIS_PROJECT.project_id}"
}

resource "google_project_iam_binding" "compute-networkuser" {
  # Bound in the host project, i.e. the project that owns the shared VPC.
  project = "YOUR SHARED NETWORK PROJECT ID"
  role    = "roles/compute.networkUser"

  members = [
    # GKE service agent of the service project
    "serviceAccount:${format("service-%d@container-engine-robot.iam.gserviceaccount.com", local.project_number)}",
    # Google APIs service agent of the service project
    "serviceAccount:${format("%d@cloudservices.gserviceaccount.com", local.project_number)}",
  ]
}
```
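The earlier comment recommends granting `roles/compute.networkUser` per subnet with `google_compute_subnetwork_iam_binding`, while the comment above binds it on the whole host project. The following is an added example (not from the issue thread or the provider's own docs) that applies the narrower subnet-scoped grant to the two service agents named above, and goes one step beyond the thread by also granting the GKE service agent `roles/container.hostServiceAgentUser` on the host project, which GKE needs to manage cluster firewall rules in a shared VPC. It uses Terraform 0.12+ syntax; `host_project_id`, `service_project_id`, `region` and `subnetwork` are assumed input variables.

```hcl
# Assumed inputs (placeholders, not values from the issue):
#   host_project_id    - project that owns the shared VPC (project B in the issue)
#   service_project_id - project where the GKE cluster is created (project A)
#   region / subnetwork - region and name of the shared subnet the cluster uses
variable "host_project_id" {}
variable "service_project_id" {}
variable "region" {}
variable "subnetwork" {}

data "google_project" "service" {
  project_id = var.service_project_id
}

locals {
  # Service agents that act on behalf of the service project.
  gke_service_agent  = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"
  apis_service_agent = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# Grant Compute Network User on the one shared subnet only, rather than on
# the whole host project: the service project can place cluster nodes in
# this subnet but cannot use any other subnet of the shared VPC.
resource "google_compute_subnetwork_iam_binding" "gke_subnet_users" {
  project    = var.host_project_id
  region     = var.region
  subnetwork = var.subnetwork
  role       = "roles/compute.networkUser"

  members = [
    local.gke_service_agent,
    local.apis_service_agent,
  ]
}

# The GKE service agent also needs this host-project role so it can create
# and update firewall rules for the cluster in the shared VPC.
resource "google_project_iam_member" "gke_host_service_agent_user" {
  project = var.host_project_id
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_service_agent
}
```

Both `google_compute_subnetwork_iam_binding` and `google_project_iam_binding` are authoritative for the role they manage: any member that already holds that role on the subnet (or project) but is not listed in `members` is removed on apply, so check the existing policy before adopting a binding resource. `google_project_iam_member` is non-authoritative and only adds the single member shown.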

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
