Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancing Error Messages for "Policy update access denied" failures #10079

Closed
elatovg opened this issue Sep 15, 2021 · 5 comments
Closed

Enhancing Error Messages for "Policy update access denied" failures #10079

elatovg opened this issue Sep 15, 2021 · 5 comments
Labels
enhancement

Comments

@elatovg
Copy link

elatovg commented Sep 15, 2021
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

We are using the Setting limits on granting roles feature with IAM Policies in GCP. When troubleshooting misconfigured iam policies receiving a generic 403 error:

Error: Error applying IAM policy for project "PROJECT": Error setting IAM policy for project "PROJECT": googleapi: Error 403: Policy update access denied., forbidden

It would be helpful to include more information as too why the action is blocked. For example: this is denied because the role you are trying to assign is not in the grantable roles list.

New or Affected Resource(s)

> terraform version
Terraform v0.14.11
+ provider registry.terraform.io/hashicorp/google v3.84.0

Potential Terraform Configuration

I created a sample git repo to show the issue. Here are the steps to reproduce the issue:

$ git clone https://github.com/elatovg/tf-iam-grantable-role-fr.git
$ cd bootstrap
$ cp terraform.tfvars.example terraform.tfvars
$ # update terraform.tfvars to point to your GCP project
$ terraform init
$ terraform plan
$ terraform apply -auto-approve
$ cd ..
$ cp bootstrap/terraform.tfvars terraform.tfvars
$ GOOGLE_CREDENTIALS=bootstrap/limited-sa.json terraform init
$ GOOGLE_CREDENTIALS=bootstrap/limited-sa.json terraform plan
$ GOOGLE_CREDENTIALS=bootstrap/limited-sa.json terraform apply -auto-approve
google_service_account.my_service_account: Creating...
google_service_account.my_service_account: Creation complete after 1s [id=projects/PROJECT/serviceAccounts/[email protected]]
google_project_iam_member.iam-policy-test-sa["roles/logging.logWriter"]: Creating...
google_project_iam_member.iam-policy-test-sa["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: Creating...
google_project_iam_member.iam-policy-test-sa["roles/cloudkms.cryptoKeyEncrypterDecrypter"]: Creation complete after 6s [id=PROJECT/roles/cloudkms.cryptoKeyEncrypterDecrypter/serviceAccount:[email protected]]

Error: Error applying IAM policy for project "PROJECT": Error setting IAM policy for project "PROJECT": googleapi: Error 403: Policy update access denied., forbidden

  on main.tf line 14, in resource "google_project_iam_member" "iam-policy-test-sa":
  14: resource "google_project_iam_member" "iam-policy-test-sa" {

The problem is that I forgot to include the roles/logging.logWriter role in the grantable roles list.
@elatovg elatovg changed the title Enhancing Enhancing Error Messages for "Policy update access denied" failures Sep 15, 2021
@rileykarson
Copy link
Collaborator

Do you have debug logs for one of these calls? We're returning the error message from the API, so I'm not sure if the extra information is there.

@elatovg
Copy link
Author

elatovg commented Sep 21, 2021

Setting TF_LOG=DEBUG prints out all the IAM policies in GCP Project, and I don't think I can share that. But you are correct, nothing additional from the GCP API is displayed. I bet if I ran the same thing with just the gcloud cli, I would get the same generic message. I think this enhancement, might need to be requested at a higher level API. Would you happen to which component, I can move my request to?

@rileykarson
Copy link
Collaborator

I bet if I ran the same thing with just the gcloud cli, I would get the same generic message
Generally! gcloud has implemented different messages clientside sometimes.

I'm not sure where to file offhand, sorry!

@rileykarson
Copy link
Collaborator

Closing based on not enough info from the API

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rileykarson @elatovg