
I have some trouble with this terraform file I wrote to define a Firebase application in my org account:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.86.0"
    }
    # The resources below use the google-beta provider, so it has to be declared here too;
    # otherwise Terraform falls back to an implicit, unpinned provider lookup.
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "3.86.0"
    }
  }
}

provider "google-beta" {
  credentials = file("service-account-credentials.json")
  project     = var.gcp_project_id
  region      = var.region
  zone        = var.zone
}

resource "google_project" "default" {
  provider = google-beta

  project_id = var.gcp_project_id
  name       = "Optic OTP API"
  org_id     = var.gcp_organization_id
}

resource "google_firebase_project" "default" {
  provider = google-beta
  project  = google_project.default.project_id
}

resource "google_firebase_web_app" "basic" {
  provider     = google-beta
  project      = google_project.default.project_id
  display_name = "Optic OTP API"

  depends_on = [google_firebase_project.default]
}

data "google_firebase_web_app_config" "basic" {
  provider   = google-beta
  web_app_id = google_firebase_web_app.basic.app_id
}

resource "google_storage_bucket" "default" {
  provider = google-beta
  name     = "firebase-optic-storage"
  # Provider 3.x requires a bucket location; "US" is an assumed value, not from the original.
  location = "US"
}

resource "google_storage_bucket_object" "default" {
  provider = google-beta
  bucket   = google_storage_bucket.default.name
  name     = "firebase-config.json"

  # Web app config written to the bucket; optional fields fall back to "" when unset.
  content = jsonencode({
    appId             = google_firebase_web_app.basic.app_id
    apiKey            = data.google_firebase_web_app_config.basic.api_key
    authDomain        = data.google_firebase_web_app_config.basic.auth_domain
    databaseURL       = lookup(data.google_firebase_web_app_config.basic, "database_url", "")
    storageBucket     = lookup(data.google_firebase_web_app_config.basic, "storage_bucket", "")
    messagingSenderId = lookup(data.google_firebase_web_app_config.basic, "messaging_sender_id", "")
    measurementId     = lookup(data.google_firebase_web_app_config.basic, "measurement_id", "")
  })
}

I followed the official terraform plugin documentation here

I’m using a Service Account created in the company GCP org with the Firebase Service Management Service Agent role:


But when I run terraform plan I get

Error when reading or editing Storage Bucket "firebase-optic-storage": googleapi: Error 403: XXX does not have storage.buckets.get access to the Google Cloud Storage bucket.

Even if the service account’s role has it!

$ gcloud projects get-iam-policy optic-web-otp

# returns
bindings:
- members:
  - serviceAccount:XXX
  role: roles/firebase.managementServiceAgent
- members:
  - serviceAccount:XXX
  role: roles/firebase.sdkAdminServiceAgent
- members:
  - serviceAccount:XXX
  role: roles/firebase.sdkProvisioningServiceAgent
- members:
  - user:MY-EMAIL
  role: roles/owner
etag: 
version: 1

(The XXX is the right service account identifier)

Do you have some hints to check what is missing from my Service Account?

Manuel Spigolon

1 Answer


If the roles that you listed are the only ones that your account has, you lack roles that allow you to access Cloud Storage. The command you used to check the roles doesn't give you the correct information.

The correct solution (described in this answer) would be to run this:

gcloud projects get-iam-policy <your project name>  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<your account name>"

If you don't see any of these roles:

  • roles/storage.objectAdmin
  • roles/storage.admin
  • roles/storage.objectCreator

described here you won't be able to create any buckets/objects.

In this case add these roles to your service account and try again.

For example:

gcloud projects add-iam-policy-binding optic-web-otp \
    --member=user:my-user@example.com --role=roles/storage.admin
Wojtek_B
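As an added example (not code from the question or the answer), a small audit script that reads the JSON form of `gcloud projects get-iam-policy PROJECT --format=json` and reports which of the storage roles listed in the answer a given member actually holds. The embedded policy is a constructed sample that mirrors the bindings shown in the question; the member identifiers are placeholders.

```python
import json

# Roles the answer names as sufficient for creating buckets/objects.
STORAGE_ROLES = {
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.objectCreator",
}

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`;
# it mirrors the bindings from the question (placeholder members, not real accounts).
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"members": ["serviceAccount:XXX"], "role": "roles/firebase.managementServiceAgent"},
        {"members": ["serviceAccount:XXX"], "role": "roles/firebase.sdkAdminServiceAgent"},
        {"members": ["serviceAccount:XXX"], "role": "roles/firebase.sdkProvisioningServiceAgent"},
        {"members": ["user:MY-EMAIL"], "role": "roles/owner"},
    ],
    "etag": "BwXyz-constructed",
    "version": 1,
})


def roles_for_member(policy_json: str, member: str) -> set:
    """Return the set of roles bound directly to `member` in a project IAM policy."""
    policy = json.loads(policy_json)
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def storage_access_report(policy_json: str, member: str) -> dict:
    """Report whether `member` holds a role that allows creating buckets/objects."""
    held = roles_for_member(policy_json, member)
    granting = held & STORAGE_ROLES
    # The basic Owner role also carries the storage permissions, which is why
    # the human owner in the question succeeds while the service account does not.
    return {
        "member": member,
        "roles": sorted(held),
        "storage_roles": sorted(granting),
        "can_create_buckets_or_objects": bool(granting) or "roles/owner" in held,
    }


if __name__ == "__main__":
    for member in ("serviceAccount:XXX", "user:MY-EMAIL"):
        print(json.dumps(storage_access_report(SAMPLE_POLICY_JSON, member), indent=2))
```

Pipe real `gcloud ... --format=json` output into `storage_access_report` to confirm a service account's storage roles before blaming the Terraform configuration.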