
Error when reading or editing Service Account & Project Services #900

Closed
mericozkayagan opened this issue Apr 24, 2024 · 1 comment
Closed
Labels
bug Something isn't working

Comments

@mericozkayagan

TL;DR

I am unable to get a successful plan due to the permission error, which I have already configured in my service account.

Expected behavior

The service account and the other errors should not appear, since it has the required permissions.

Observed behavior

Got these errors:

```text
│ Error: Error when reading or editing Service Account "projects/vpc-host-pg-qt036-os854/serviceAccounts/project-service-account@vpc-host-pg-qt036-os854.iam.gserviceaccount.com": googleapi: Error 403: Permission 'iam.serviceAccounts.get' denied on resource (or it may not exist).
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "iam.googleapis.com",
│     "metadata": {
│       "permission": "iam.serviceAccounts.get"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden
│ 
│   with module.cs-vpc-host-pg-qt036-os854.module.project-factory.google_service_account.default_service_account[0],
│   on .terraform/modules/cs-vpc-host-pg-qt036-os854/modules/core_project_factory/main.tf line 145, in resource "google_service_account" "default_service_account":
│  145: resource "google_service_account" "default_service_account" {
│ 
╵
╷
│ Error: Error when reading or editing Project Service vpc-host-pg-qt036-os854/compute.googleapis.com: Request `List Project Services vpc-host-pg-qt036-os854` returned error: Failed to list enabled services for project vpc-host-pg-qt036-os854: googleapi: Error 403: Permission denied to list services for consumer container [projects/370050699647]
│ Help Token: AWUw39VQCX-6SzTp77qAXRKZ3RBo-Euug9j3fBHWp5KSdXg5OVwU8N9WMzX_cUX4B5GgZAfqM4uIE9ampWjKde_hQTASWvR-m89g4pg8_pd35SCO
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
│     "violations": [
│       {
│         "subject": "?error_code=110002\u0026service=cloudresourcemanager.googleapis.com\u0026permission=serviceusage.services.list\u0026resource=projects/vpc-host-pg-qt036-os854",
│         "type": "googleapis.com"
│       }
│     ]
│   },
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "serviceusage.googleapis.com",
│     "metadata": {
│       "permission": "serviceusage.services.list",
│       "resource": "projects/vpc-host-pg-qt036-os854",
│       "service": "cloudresourcemanager.googleapis.com"
│     },
│     "reason": "AUTH_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden
│ 
│   with module.cs-vpc-host-pg-qt036-os854.module.project-factory.module.project_services.google_project_service.project_services["compute.googleapis.com"],
│   on .terraform/modules/cs-vpc-host-pg-qt036-os854/modules/project_services/main.tf line 31, in resource "google_project_service" "project_services":
│   31: resource "google_project_service" "project_services" {
│ 
╵
```

Terraform Configuration

```hcl
terraform {
  required_version = ">=0.13"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0.0"
    }
  }
  provider_meta "google" {
    module_name = "blueprints/terraform/fs-exported-preview/v0.1.0"
  }
}

provider "google" {
  impersonate_service_account = var.tf_service_account
}

module "cs-vpc-host-pg-xxx" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.2"

  name       = "vpc-host-pg"
  project_id = "vpc-host-pg-xxx"
  org_id     = var.org_id
  folder_id  = module.cs-common.id

  billing_account                = var.billing_account
  enable_shared_vpc_host_project = true
}
```

Terraform Version

```sh
terraform --version
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.84.0
+ provider registry.terraform.io/hashicorp/google-beta v4.84.0
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/hashicorp/random v3.6.1
+ provider registry.terraform.io/hashicorp/time v0.11.1
```

Additional information

I am using terragrunt to do the plan, so I am using terragrunt plan to get these errors. The resources are inside of the GCP's foundation terraform download; I take a small part of it. I have the exact same error in a service project in the same module too.

Here is my service account policy:

```json
{
  "bindings": [
    {
      "members": [
        "user:user@email..com"
      ],
      "role": "roles/iam.serviceAccountTokenCreator"
    },
    {
      "members": [
        "user:user@email..com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "asdasdasd=",
  "version": 1
}
```

@mericozkayagan mericozkayagan added the bug Something isn't working label Apr 24, 2024
@mericozkayagan mericozkayagan changed the title Cannot create service accounts Error when reading or editing Service Account & Project Services Apr 24, 2024
@eeaton
Contributor

eeaton commented May 22, 2024

The error messages indicate an authentication issue; I cannot reproduce your issue when correctly authenticated.

I suggest you review authentication guidance, and make sure that the identity to which you've granted the IAM roles is the identity used by terraform. (If you're running terraform on your local machine, the simplest option is to run `gcloud auth application-default login` and use your own user account credentials; the application default credentials will automatically be picked up by terraform.)

@eeaton eeaton closed this as completed May 22, 2024
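An added diagnostic, not from the issue or the project-factory module: it strips Terraform's box-drawing prefixes from a googleapi 403, parses the `Details:` array to list the denied permissions, and checks whether a given principal (here a placeholder for `var.tf_service_account`) holds any binding in a policy shaped like the one posted above. Project, user and service-account names are constructed placeholders.

```python
"""Parse Terraform's 403 'Details' block and check which principal holds IAM bindings (added example)."""
import json
import re

# Constructed sample, trimmed from the first error in the issue (placeholder project name).
SAMPLE_STDERR = """\
│ Error: Error when reading or editing Service Account "projects/example-proj/serviceAccounts/sa@example-proj.iam.gserviceaccount.com": googleapi: Error 403: Permission 'iam.serviceAccounts.get' denied on resource (or it may not exist).
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "iam.googleapis.com",
│     "metadata": {
│       "permission": "iam.serviceAccounts.get"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden
"""

# Constructed policy mirroring the one posted above: only the human user is bound.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:user@example.com"], "role": "roles/iam.serviceAccountTokenCreator"},
        {"members": ["user:user@example.com"], "role": "roles/owner"},
    ]
}
TF_IDENTITY = "serviceAccount:tf-sa@example-proj.iam.gserviceaccount.com"  # placeholder for var.tf_service_account

def extract_details(stderr):
    """Strip Terraform's box-drawing prefixes and parse the JSON array after 'Details:'."""
    text = "\n".join(re.sub(r"^[│╷╵] ?", "", line) for line in stderr.splitlines())
    match = re.search(r"Details:\s*(\[.*?\])\s*,\s*forbidden", text, re.S)
    return json.loads(match.group(1)) if match else []

def denied_permissions(details):
    """(permission, resource) pairs from google.rpc.ErrorInfo entries in the details array."""
    return [(e.get("metadata", {}).get("permission"), e.get("metadata", {}).get("resource"))
            for e in details if e.get("@type", "").endswith("google.rpc.ErrorInfo")]

def roles_for(policy, member):
    """Roles bound to one principal, e.g. 'serviceAccount:...' or 'user:...'."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))

def diagnose(stderr, policy, member):
    """Report what was denied and whether the Terraform identity has any binding at all."""
    roles = roles_for(policy, member)
    return {"denied": denied_permissions(extract_details(stderr)),
            "roles": roles, "identity_has_binding": bool(roles)}
```

When the impersonated service account shows no binding while the human user does, the 403 is evaluated against the service account, so the roles must be granted to that principal (or impersonation removed) rather than to the user.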