Issues using GAM7


Nithin Pullivarthi

Feb 13, 2025, 6:09:38 PM
to GAM for Google Workspace
Hi,

We are trying to install and set up GAM in a VM securely. We use Terraform to manage GCP resources. So far, we have performed the following steps:

1. Created a VM in an existing GCP project and granted SSH access to the IT Workspace Admin. The IT Workspace Admin will use this VM to install gam and execute gam commands to manage Google Workspace.
2. Created another project where we enabled all the APIs required by GAM (https://github.com/GAM-team/GAM/blob/main/src/project-apis.txt). We created the service account in this project and granted the "Service Account Token Creator" and "View Service Accounts" roles as mentioned in this doc - https://github.com/GAM-team/GAM/wiki/Running-GAM7-securely-on-a-Google-Compute-Engine
3. Granted the "Service Account Token Creator" role to the IT Workspace Admin on the service account created in Step 2. This will let the IT Workspace Admin impersonate the service account (created in Step 2) in the VM created in Step 1. Instead of sharing the service account created in Step 2 with the Workspace Admin, the idea is to let the IT Workspace Admin impersonate the service account.
4. Since we already created the project and enabled the APIs in the above steps, we want to use the existing project. We executed gam use project but are facing issues.
5. We executed gam create gcpserviceaccount and it created a JSON with the impersonation URI, client secret and project ID set to the VM project. We manually edited the project ID in the JSON to be the service account project ID.
6. But when we do check service account we are getting the exception below:

Traceback (most recent call last):
  File "__init__.py", line 77432, in ProcessGAMCommand
  File "__init__.py", line 11899, in doUpdateProject
  File "__init__.py", line 11268, in enableGAMProjectAPIs
  File "__init__.py", line 4733, in getAPIService
  File "googleapiclient/_helpers.py", line 130, in positional_wrapper
  File "googleapiclient/discovery.py", line 333, in build
  File "googleapiclient/discovery.py", line 304, in build
  File "googleapiclient/discovery.py", line 439, in _retrieve_discovery_doc
  File "googleapiclient/_helpers.py", line 130, in positional_wrapper
  File "googleapiclient/http.py", line 938, in execute
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://serviceusage.googleapis.com/$discovery/rest?version=v1 returned "Forbidden". Details: "<!DOCTYPE html>

Questions:
1. How can we ensure that we use a different project when creating gcpserviceaccount?
2. Should IT Admin manually authorize service account client address in Google Workspace Admin?
3. Is there an issue with this setup? Can someone help identify what's going wrong and how to fix it?

Thanks,
Nithin.

Ross Scroggs

Feb 13, 2025, 6:15:02 PM
to google-ap...@googlegroups.com
Send me a private Meet/Zoom invitation and we'll investigate.

Ross
----
Ross Scroggs



--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/aae6aed1-2285-402b-ad42-64a00d820390n%40googlegroups.com.

Jay Lee

Feb 13, 2025, 6:30:10 PM
to google-ap...@googlegroups.com
GAM does not use service account impersonation. You need to attach the service account to the GCE VM by following the instructions in the wiki article. Regarding the service account being in a separate project from the VM, it's possible but requires additional GCP configuration, and I wouldn't recommend it unless you have a very good reason for doing so. See:


Jay
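For readers managing the VM with Terraform, as the original poster does, the following is an added example (not code from Jay, the GAM project, or the wiki) of the layout Jay recommends: one project holds the VM, the service account and the enabled APIs, and the service account is attached to the instance rather than impersonated by the admin. The variable names, instance name, zone, image, machine type and the admin e-mail are assumptions; the two roles granted to the service account are the ones named in the thread.

```hcl
# Added example, not from the thread or the GAM project. Assumed/placeholder
# values: the variables below, the instance name, zone, image and machine type.

variable "gam_project_id" { type = string } # assumed: one project for VM, SA and APIs
variable "zone"           { type = string } # assumed, e.g. "us-central1-a"
variable "admin_email"    { type = string } # assumed: the IT Workspace Admin's account

# Service account that GAM runs as on the VM.
resource "google_service_account" "gam" {
  project      = var.gam_project_id
  account_id   = "gam-vm-sa"                  # assumed name
  display_name = "GAM service account attached to the admin VM"
}

# The two roles the thread's wiki link asks for on the GAM service account,
# granted at project scope to the service account itself.
resource "google_project_iam_member" "gam_sa_token_creator" {
  project = var.gam_project_id
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:${google_service_account.gam.email}"
}

resource "google_project_iam_member" "gam_sa_viewer" {
  project = var.gam_project_id
  role    = "roles/iam.serviceAccountViewer"  # "View Service Accounts" in the console
  member  = "serviceAccount:${google_service_account.gam.email}"
}

# The VM. The service_account block is the point: GAM on the VM gets credentials
# from the metadata server as this account, so no JSON key is created and the
# admin never needs Token Creator on the service account.
resource "google_compute_instance" "gam_vm" {
  project      = var.gam_project_id
  name         = "gam-admin-vm"               # assumed
  machine_type = "e2-small"                   # assumed
  zone         = var.zone

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"        # assumed
    }
  }

  network_interface {
    network = "default"                       # assumed
  }

  metadata = {
    enable-oslogin = "TRUE"                   # SSH access governed by IAM, not static keys
  }

  service_account {
    email  = google_service_account.gam.email
    scopes = ["cloud-platform"]               # coarse OAuth scope; IAM roles do the limiting
  }
}

# Least privilege for the human operator: OS Login to the VM and permission to
# run as its attached service account, nothing more.
resource "google_project_iam_member" "admin_os_login" {
  project = var.gam_project_id
  role    = "roles/compute.osLogin"
  member  = "user:${var.admin_email}"
}

resource "google_service_account_iam_member" "admin_act_as_gam_sa" {
  service_account_id = google_service_account.gam.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:${var.admin_email}"
}
```

Compared with the poster's steps, the admin's "Service Account Token Creator" grant disappears: the VM's attached identity is what GAM uses, and the admin only needs to reach the VM and act as that identity. Keeping the service account in the VM's project avoids the cross-project configuration Jay cautions against.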
