
I deployed logging.v2.sink using Google Cloud Deployment Manager; however, the deployment failed with permission denied.

The problem also happened with this logsink example from Google Cloud Deployment Manager.

The result is as follows:

- code: RESOURCE_ERROR
  location: /deployments/my-project-id/resources/sink
  message: 
{   
    "ResourceType": "logging.v2.sink",
    "ResourceErrorCode": "403",
    "ResourceErrorMessage": {
        "code": 403,
        "message": "The\n    caller does not have permission",
        "status": "PERMISSION_DENIED",
        "statusMessage": "Forbidden",
        "requestPath": "https://logging.googleapis.com/v2/projects/my-project-id/sinks",
        "httpMethod": "POST"   
    }
}

The deployment was executed with the Owner role; moreover, I can create a logging sink using the CLI. The gcloud installed locally is the newest (v217.0.0).

Why does this problem happen?


I misunderstood the permissions of Cloud Deployment Manager. I noticed that the account deploying the template and the account creating the resources are different (https://cloud.google.com/deployment-manager/docs/access-control).

When I add the Logging Admin role to the service account, deployment succeeds.

[PROJECT_NUMBER]@cloudservices.gserviceaccount.com


Ran into the same problem. Elaborating on the answer above:

Deployment manager uses [PROJECT_NUMBER]@cloudservices.gserviceaccount.com to create resources on your behalf. You can check the policy binding for this service account:

gcloud projects get-iam-policy [PROJECT_NUMBER]

This service account has roles/editor on the project by default, which has the following policies for logging sinks:

- logging.sinks.get
- logging.sinks.list

You can confirm this using this command: gcloud iam roles describe roles/editor

roles/logging.configWriter has logging.sinks.{list, create, get, update, delete} permissions, so you can add a new policy binding to your project and then retry:

gcloud projects add-iam-policy-binding secstate-gcp-test02 \
--member serviceAccount:[PROJECT_NUMBER]@cloudservices.gserviceaccount.com \
--role roles/logging.configWriter
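As an added example (not code from either answer), a small Python check over a saved IAM policy: it resolves the roles bound to the Deployment Manager service account, compares the logging.sinks.* permissions those roles grant against what creating a sink needs, and shows the effect of the extra roles/logging.configWriter binding. The policy document and the role-to-permission table are constructed stand-ins for gcloud output; the project number 123456789012 and the helper names are assumptions.

```python
import copy
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# (not real output from the question's project): the Deployment Manager service
# account holds only roles/editor, as in the answer above.
SAMPLE_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/editor",
    "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                "user:alice@example.com"]},
   {"role": "roles/owner", "members": ["user:alice@example.com"]}],
 "etag": "BwWexample=", "version": 1}
""")

# Constructed excerpt of `gcloud iam roles describe ROLE`, limited to the
# logging.sinks.* permissions the answer discusses. Roles absent from this table
# count as granting nothing, so the check errs toward reporting a gap.
ROLE_PERMISSIONS = {
    "roles/editor": {"logging.sinks.get", "logging.sinks.list"},
    "roles/logging.configWriter": {"logging.sinks." + p for p in
                                   ("list", "create", "get", "update", "delete")},
}
SINK_CREATE = {"logging.sinks.create"}

def dm_service_account(project_number):
    """Member string for the account Deployment Manager creates resources with."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"

def roles_for_member(policy, member):
    """Roles bound directly to member (groups and IAM conditions not resolved)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def missing_permissions(policy, member, required, role_perms=ROLE_PERMISSIONS):
    """Required permissions that none of the member's bound roles grant."""
    granted = set().union(*(role_perms.get(r, set())
                            for r in roles_for_member(policy, member)))
    return required - granted

def add_binding(policy, member, role):
    """Copy of policy with member added to role (what add-iam-policy-binding does)."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new
```

Run the check before and after `add_binding(SAMPLE_POLICY, dm_service_account("123456789012"), "roles/logging.configWriter")` to see the missing set go from `{"logging.sinks.create"}` to empty.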
