Describe the bug
When setting up CI/CD on GitHub Actions, the plan is run by a read-only service account through impersonation, usually an SA named like XXXX-prod-bootstrap-0r@XXXX-prod-iac-core-0.iam.gserviceaccount.com, while the apply is run by a more powerful service account, XXXX-prod-bootstrap-0@XXXX-prod-iac-core-0.iam.gserviceaccount.com.
When running the fast-pr job, you get the following error:
Error: Error when reading or editing LoggingOrganizationSettings "organizations/123456789012/settings": googleapi: Error 403: Permission 'logging.settings.get' denied on resource (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "iam.googleapis.com",
    "metadata": {
      "permission": "logging.settings.get"
    },
    "reason": "IAM_PERMISSION_DENIED"
  }
]

  with module.organization-logging.google_logging_organization_settings.default[0],
  on .terraform/modules/organization-logging/organization/logging.tf line 37, in resource "google_logging_organization_settings" "default":
  37: resource "google_logging_organization_settings" "default" {
After some debugging, we noticed that the apply SA has the Logging Admin role, which includes the logging.settings.get permission, while the plan SA has the Logs Viewer role, which lacks said permission.
Giving the Logging Admin role to a read-only SA makes no sense, so perhaps we should add logging.settings.get to the organizationAdminViewer custom role?
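To make the least-privilege fix concrete, here is an added Terraform example (not code from this issue or from the module's repository) of an organization-level custom role that grants a read-only SA just the permissions a plan needs, including the missing logging.settings.get. The role id, the variable names, the organization id placeholder and the permission list beyond logging.settings.get are assumptions chosen for illustration; trim the list to what your own plan actually reads.

```hcl
# Assumed inputs: the organization the custom role lives in and the
# email of the read-only (plan) service account. Both are placeholders.
variable "organization_id" {
  type        = string
  description = "Numeric organization id, e.g. 123456789012 (placeholder)"
}

variable "plan_service_account" {
  type        = string
  description = "Read-only SA used for terraform plan (placeholder)"
}

# Read-only custom role for plan runs. The role id is assumed; the
# point is that read permissions live here instead of in Logging Admin.
resource "google_organization_iam_custom_role" "org_admin_viewer" {
  org_id      = var.organization_id
  role_id     = "organizationAdminViewer"
  title       = "Organization Admin Viewer"
  description = "Read-only access needed by CI plan runs"
  permissions = [
    # Organization and folder hierarchy reads.
    "resourcemanager.organizations.get",
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
    # Logging resources the plan refreshes; settings.get is the one
    # that was missing from Logs Viewer and triggered the 403.
    "logging.sinks.get",
    "logging.sinks.list",
    "logging.settings.get",
  ]
}

# Bind the plan SA to the custom role only; the apply SA keeps its
# write roles elsewhere and is not touched here.
resource "google_organization_iam_member" "plan_viewer" {
  org_id = var.organization_id
  role   = google_organization_iam_custom_role.org_admin_viewer.id
  member = "serviceAccount:${var.plan_service_account}"
}
```

After applying this, a quick check that the plan identity can read organization settings is `gcloud logging settings describe --organization=ORG_ID --impersonate-service-account=PLAN_SA` (placeholders in caps); a 403 here means the binding has not propagated or the role is missing the permission.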
Good catch and great suggestion. I wonder why this did not cause errors when we tested the move to split service accounts. If you prefer to send a PR go ahead, otherwise we'll make one ASAP. Thanks again for this!