
I am trying to add a GKE cluster using Terraform 0.12.5 [this used to be fine on 0.11.7 as far as I can tell]

# Terraform 0.12 syntax: bare expressions instead of "${...}" wrapping,
# which 0.12 still accepts but flags as deprecated.
resource "google_container_cluster" "primary" {
  name = "gke-${terraform.workspace}-cluster"
  zone = "${var.region}-b"

  initial_node_count = 3
  network            = var.vpc_name
  subnetwork         = var.subnet_name

  addons_config {
    horizontal_pod_autoscaling {
      disabled = false
    }

    kubernetes_dashboard {
      disabled = false
    }
  }

  # getting a vpc-native network (alias IP ranges allocated by GKE)
  ip_allocation_policy {
  }

  # basic auth on the API server; deprecated by GKE and removed in 1.19+
  master_auth {
    username = var.gke_master_user
    password = var.gke_master_pass
  }

  # settings for the VMs in the default node pool
  node_config {
    oauth_scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    labels = {
      env = var.gke_label[terraform.workspace]
    }

    disk_size_gb = 10
    machine_type = var.gke_node_machine_type
    tags         = ["gke-node"]
  }
}

I run this based on a service-account with the following roles

  • roles/compute.networkAdmin
  • roles/resourcemanager.projectCreator
  • roles/storage.admin

However, to my surprise, I now get permission issues when building the GKE cluster.

1) deploy error: Not all instances running in IGM after 10.808470514s. Expect 1. Current errors:
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.instances.create' permission for 'projects/353065647996/zones/europe-west1-b/instances/gke-gke-dev-cluster-default-pool-6266baac-0pn3' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.disks.create' permission for 'projects/353065647996/zones/europe-west1-b/disks/gke-gke-dev-cluster-default-pool-6266baac-0pn3' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.subnetworks.use' permission for 'projects/353065647996/regions/europe-west1/subnetworks/dev-subnet' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.subnetworks.useExternalIp' permission for 'projects/353065647996/regions/europe-west1/subnetworks/dev-subnet' (when acting as '353065647996@cloudservices.gserviceaccount.com');
[PERMISSIONS_ERROR]: Instance 'gke-gke-dev-cluster-default-pool-6266baac-0pn3' creation failed: Required 'compute.instances.setMetadata' permission for 'projects/353065647996/zones/europe-west1-b/instances/gke-gke-dev-cluster-default-pool-6266baac-0pn3' (when acting as '353065647996@cloudservices.gserviceaccount.com') (truncated)

This service account 353065647996@cloudservices.gserviceaccount.com is created for a project and inherits from the original service account. It is not clear to me how to provide it with the correct roles / credentials.

Mike

2 Answers

This was caused by adding a user with only viewing rights as the last user when creating the project. After removing that user, it worked as predicted.

Mike
  • Having the same issue but I don't fully understand your answer. Could you elaborate? – soupdiver Jan 13 '20 at 19:35
  • I had 2 users in terraform 1 "superuser" and a lesser user. For some reason having this second minor user made the system break down. – Mike Jan 14 '20 at 22:19
  • Interesting ... for me the issue was that the default ServiceAccount had no permissions for some reason. Giving it the Editor role through IAM solved it – soupdiver Jan 17 '20 at 09:57
  • If you are coming here from a similar error but you have shared VPC, the help is found [here](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc) – chanux Feb 25 '20 at 10:01
  • 1
    This answer is not correct. Removing a user will not **magically** solve permission problems on another identity. The error message is clear that the service account was missing the required roles. – John Hanley Jan 13 '22 at 04:24
0

The error message says it all:

[PERMISSIONS_ERROR]: Instance 'XXX' creation failed: Required 'compute.instances.create' permission for 'projects/xxx' (when acting as 'xxx@cloudservices.gserviceaccount.com')

Adding the missing permissions to the service account xxx@cloudservices.gserviceaccount.com should solve the problem.

jobwat
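As an added example, not part of the question or either answer, the Terraform below puts the missing binding in place rather than granting it by hand in the console. Google's GKE documentation states that the Google APIs service agent (PROJECT_NUMBER@cloudservices.gserviceaccount.com, the identity named in the error) is granted roles/editor when the project is created and that node VM creation depends on it, so the supported fix is to restore that binding. The shared VPC case from the comments follows the cluster-shared-vpc document linked above. Resource and data source names are the real google provider ones; `var.host_project_id` is an assumed variable, and `var.region` and `var.subnet_name` are the question's own.

```hcl
# Added example, not from the question or the answers. Terraform 0.12 (no
# for_each on resources, which needs 0.12.6), google provider 2.x or later.
# Assumes the provider is configured for the project that owns the cluster and
# that the identity running Terraform can set IAM policy on the projects touched.

# The service agent is named after the project NUMBER, not the project id
# (compare 353065647996@cloudservices.gserviceaccount.com in the error).
data "google_project" "service" {}

locals {
  google_apis_sa = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
  gke_robot_sa   = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"

  # Service-project agents that must be allowed to use a shared VPC subnet.
  shared_vpc_members = [local.google_apis_sa, local.gke_robot_sa]
}

# Case 1: cluster and network in the same project. Re-create the roles/editor
# binding the agent gets at project creation. google_project_iam_member is
# additive, so existing bindings on the project are left alone
# (google_project_iam_policy would replace the whole policy).
resource "google_project_iam_member" "google_apis_agent_editor" {
  project = data.google_project.service.project_id
  role    = "roles/editor"
  member  = local.google_apis_sa
}

# Case 2: shared VPC. The node subnet lives in a host project, so the
# compute.subnetworks.use / useExternalIp permissions from the error must be
# granted there, on the subnet itself, to both service-project agents.
variable "host_project_id" {
  description = "Assumed variable: shared VPC host project id, empty when not using shared VPC"
  default     = ""
}

resource "google_compute_subnetwork_iam_member" "shared_vpc_subnet_user" {
  count = var.host_project_id == "" ? 0 : length(local.shared_vpc_members)

  project    = var.host_project_id
  region     = var.region
  subnetwork = var.subnet_name
  role       = "roles/compute.networkUser"
  member     = local.shared_vpc_members[count.index]
}

# The GKE service agent additionally needs hostServiceAgentUser on the host project.
resource "google_project_iam_member" "gke_host_service_agent_user" {
  count   = var.host_project_id == "" ? 0 : 1
  project = var.host_project_id
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_robot_sa
}

# In the cluster resource, add
#   depends_on = [google_project_iam_member.google_apis_agent_editor]
# so the node pool is not created before the binding exists.
```

Two practical points. IAM changes take up to a minute or so to propagate, so a first apply can still fail on the node pool even with the depends_on; a re-apply then succeeds. And the failing identity is a Google-managed agent, not the service account Terraform runs as, which is why adding roles to the Terraform credentials in the question (compute.networkAdmin, projectCreator, storage.admin) did not help: those roles change what Terraform may do, not what the Google APIs service agent may do on GKE's behalf. To confirm the binding is present before applying, `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --filter="bindings.members:cloudservices.gserviceaccount.com"` lists the roles currently held by the agent.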