Terraform on GCP fails to create pubsub topic stating permission denied

[Amit Malhotra]

Created a service user to manage terraform under the project and gave it roles/owner. Created the key for this terraform user.

Terraform code is simple:

resource "google_pubsub_topic" "my_topic" {
  name    = "my_topic"
  project = "${var.project_id}"
}

just creating a pub-sub topic.

terraform plan works but terraform apply gives me:

google_pubsub_topic.my_topic: googleapi: Error 403: User not authorized to perform this action., forbidden

I have even tried giving the service account roles/pubsub.admin not sure I understand what's going on because my service account has the owner role associated with it yet it can't create a pubsub topic.

Can anybody help me figure this out please?

Any help would be highly appreciated. 

Thanks in Advance

[Amit Malhotra]

I had created the service account using gcloud.  

gcloud iam service-accounts create terraform \
  --display-name "Terraform admin account"

gcloud projects add-iam-policy-binding myproject-182220 \
 --member serviceAccount:terr...@myproject-182220.iam.gserviceaccount.com \
 --role roles/owner

gcloud iam service-accounts keys create terraform-admin.json \
 --iam-account terr...@myproject-182220.iam.gserviceaccount.com

To continue my debugging, I created a new service account using the console / GUI  --> API & Services --> Credentials --> Create Credentials --> Service Account Key --> New Service Account  (With the owner role).  With this new service key json file, I was able to run my terraform code without a problem.  

Now my confusion is, why did this work but not when I used gcloud to create a service account and give it the same role? 

[Jimmie Butler]

I'm seeing something very similar.  I'm having terraform create a service account and grant permissions to the service account.  In the gcloud web ui I see the permissions attached properly.  The service that tries to use the service account however isn't able to use the permissions.  If I remove permissions and re-add manually via the web UI the permissions work.

Any pointers would be greatly appreciated.

On Monday, October 9, 2017 at 6:13:41 AM UTC+3, Amit Malhotra wrote:

I had created the service account using gcloud.  

gcloud iam service-accounts create terraform \
  --display-name "Terraform admin account"

gcloud projects add-iam-policy-binding myproject-182220 \
 --member serviceAccou...@myproject-182220.iam.gserviceaccount.com \
 --role roles/owner

gcloud iam service-accounts keys create terraform-admin.json \
 --iam-account terr...@myproject-182220.iam.gserviceaccount.com

[George (Cloud Platform Support)]

Your service account creation sequence seems to lack the authorization step with: gcloud auth activate-service-account --key-file gcloud.json . Did you forget to run this command, or is it a copy-paste error? 

[Jimmie Butler]

Believe I've solved my problem by completely deleting and re-creating the service account.

[George (Cloud Platform Support)]

Hi Jimmie, 

Did you delete and re-create this service account using the gcloud commands, or the Developers' Console GUI? What was different this time, in the creation process? This information may prove helpful to others in the same situation.  

[Jimmie Butler]

Been a few days, but I believe what I did was

1. Fully delete the service account

2. Re-create using terraform (guessing the same api used as gcloud tool)

and it seems to have worked fine this time.

[George (Cloud Platform Support)]

Grateful for the extra information and point-by-point presentation. People affected by similar problems will surely benefit reading your post.