
I have an organization under which I want to create a project using Python, as per the documentation. Without mentioning the parent, the service account throws the error below: "Service accounts cannot create projects without a parent." Details: "Service accounts cannot create projects without a parent."

Hence I provided a parent as below:

from google.auth import crypt
from google.oauth2 import service_account
from googleapiclient.discovery import build


def create_signer(googleservice, principal, key, version):
    """Build a Google API client authenticated as a service account.

    principal: the service account email; key: its RSA private key (PEM).
    """
    google_token_uri = 'https://oauth2.googleapis.com/token'
    # Check the values, not the string literals: the original
    # all(['principal', 'key']) is always True and never raised.
    if not all([principal, key]):
        raise Exception('Google secret missing principal and/or key')
    signer = crypt.RSASigner.from_string(key.strip())
    # Note: no OAuth scopes are passed to the credential here.
    credential = service_account.Credentials(signer, principal,
                                             google_token_uri)
    service = build(googleservice, version, credentials=credential,
                    cache_discovery=False)
    return service


def create_project():
    # principal and key are loaded elsewhere (not shown in the question).
    service = create_signer('cloudresourcemanager', principal, key, 'v1')
    operation = service.projects().create(
        body={
            'parent': {'type': 'organization', 'id': '72******78*8'},
            'project_id': 'abcd1234'
        }).execute()
    print(operation)

But this throws the error below: googleapiclient.errors.HttpError: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects?alt=json returned "The caller does not have permission". Details: "The caller does not have permission">

I have created a custom role at organization level with the permissions below and attached it to my service account, which was created at project level (since the organization does not allow creating service accounts at organization level):

iam.roles.create
iam.roles.delete
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.create
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

Can someone please help me with this issue? I have all the required permissions but it still throws a 403 error.

Just to add, the GCP projects list API call works fine.

Prashanth
  • Have you deleted your Service Account and created it again with the same name? Also do you have an owner role in your Service Account? – Bakul Mitra Jan 27 '22 at 08:50
  • I do not have owner permissions on the project, however I have few more roles added like Organization administrator. Why do I need to delete service account and create again? sorry, I did not get your point – Prashanth Jan 27 '22 at 10:14
  • I was asking have you deleted and recreated SA with the same name by any chance? You can refer this [doc](https://cloud.google.com/anthos/multicluster-management/connect/troubleshooting#permissiondenied_errors). Also give owner permission on the project and try again. – Bakul Mitra Jan 27 '22 at 11:27
  • According to the error that you provided in the link, it seems like you have an authentication problem. A sufficient [scope](https://developers.google.com/identity/protocols/oauth2/scopes#cloudresourcemanager) is not added in the API. You need to add a scope in your code. Can you try to add 1. https://www.googleapis.com/auth/cloud-platform 2. https://www.googleapis.com/auth/cloud-platform.read-only scopes in your code? There is a sample [stackoverflow case](https://stackoverflow.com/a/53472880/15745106) which will help you. Try this out and let me know if this solves your issue or not. – Bakul Mitra Jan 28 '22 at 07:28

2 Answers


According to the error that you provided in the link, it seems like you have an authentication problem. A sufficient scope is not added in the API. You need to add a scope in your code. Try to add:

  1. https://www.googleapis.com/auth/cloud-platform

  2. https://www.googleapis.com/auth/cloud-platform.read-only

scopes in your code.

You can refer to this Stack Overflow case, which will help you.

Bakul Mitra

Finally I found the issue. It is not related to the permissions themselves but to the way the permissions are added, i.e. we need to add the permissions in "Setup your Foundation->Administrative Access" for this to work with proper permissions.

Thanks Bakul for your guidance. Here we can provide the service account name and attach roles to it.

Prashanth
  • Hello @Prashanth,Glad that your issue got resolved. If you think that my answer helped you in anyway, please consider to upvote it. I'd really appreciate it. Have a great day, thanks! – Bakul Mitra Feb 07 '22 at 07:23
  • Hello @Prashanth. If my solution helped you in any way please consider to upvote the answer. As you have accepted your own answer. – Bakul Mitra Feb 11 '22 at 04:01
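The thread never spells out why `projects.list` succeeded while `projects.create` returned 403, so here is an added example (not code from the question or either answer) that models the relevant piece of GCP IAM: allow-policy bindings are inherited down the resource hierarchy, `projects.create` is authorized on the parent named in the request body, and v1 `projects.list` returns the projects the caller has `resourcemanager.projects.get` on. Binding the custom role on the project that hosts the service account therefore cannot grant creation under the organization; a binding visible from the organization can. The organization id, project ids, service account email and role name are constructed, the permission set is a subset of the question's list, and deny policies, conditions and basic roles are deliberately left out of the model.

```python
# Added example: a simplified model of GCP IAM permission resolution through
# the resource hierarchy. Not the real IAM evaluator; no deny policies,
# conditions or basic roles are modelled.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed role name; permissions are a subset of the question's list.
CUSTOM_ROLE = "organizations/123456789012/roles/projectCreator"
ROLES: Dict[str, FrozenSet[str]] = {
    CUSTOM_ROLE: frozenset({
        "resourcemanager.organizations.get",
        "resourcemanager.projects.create",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
        "resourcemanager.projects.setIamPolicy",
    }),
}


@dataclass(frozen=True)
class Resource:
    """A node in the hierarchy; parent is None for the organization."""
    name: str
    parent: Optional["Resource"] = None


# Constructed hierarchy: one organization, the project that hosts the
# service account, and one unrelated project. All identifiers are made up.
ORG = Resource("organizations/123456789012")
SA_PROJECT = Resource("projects/sa-home", parent=ORG)
OTHER_PROJECT = Resource("projects/other", parent=ORG)
ALL_PROJECTS = [SA_PROJECT, OTHER_PROJECT]
SA = "serviceAccount:creator@sa-home.iam.gserviceaccount.com"

Binding = Tuple[str, str]            # (member, role)
Policies = Dict[str, List[Binding]]  # resource name -> bindings on it


def has_permission(policies: Policies, member: str,
                   resource: Resource, permission: str) -> bool:
    """Allow bindings flow downwards: a binding on the resource itself or on
    any ancestor grants the permission. Bindings on descendants do not."""
    node: Optional[Resource] = resource
    while node is not None:
        for bound_member, role in policies.get(node.name, []):
            if bound_member == member and permission in ROLES.get(role, frozenset()):
                return True
        node = node.parent
    return False


def can_create_project(policies: Policies, member: str, parent: Resource) -> bool:
    # projects.create is checked on the parent given in the request body,
    # which in the question is the organization.
    return has_permission(policies, member, parent,
                          "resourcemanager.projects.create")


def listable_projects(policies: Policies, member: str,
                      projects: List[Resource]) -> List[str]:
    # v1 projects.list returns the projects the caller can projects.get.
    return [p.name for p in projects
            if has_permission(policies, member, p, "resourcemanager.projects.get")]


def bind_at(resource: Resource) -> Policies:
    """Policy set with the custom role bound to the service account on one resource."""
    return {resource.name: [(SA, CUSTOM_ROLE)]}


PROJECT_LEVEL = bind_at(SA_PROJECT)  # the situation described in the question
ORG_LEVEL = bind_at(ORG)             # a binding visible from the organization

if __name__ == "__main__":
    for label, pol in (("project-level binding", PROJECT_LEVEL),
                       ("organization-level binding", ORG_LEVEL)):
        print(label)
        print("  projects.list ->", listable_projects(pol, SA, ALL_PROJECTS))
        print("  projects.create under org ->",
              "allowed" if can_create_project(pol, SA, ORG) else "403 PERMISSION_DENIED")
```

The same walk explains why the custom role being defined at organization level changes nothing: a role is only a bag of permissions, and what matters is the resource the binding sits on. It also shows why `projects.list` is a poor smoke test for a creation workflow; a test of `resourcemanager.projects.create` against the intended parent (for example via the Resource Manager `testIamPermissions` call) tells you what the create request will actually see.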