Error retrieving IAM policy for iap tunnelinstance


Scenario

I am using the bastion host module to deploy a bastion host to reach the internal applications in GCP. However, I got the following error when I tried to use the default template from the module's README page:

Error: Error retrieving IAM policy for iap tunnelinstance "projects/test-project/iap_tunnel/zones/europe-west2-a/instances/bastion-vm": googleapi: Error 403: The caller does not have permission

Question

In one of my projects, I encountered this error for which I could not locate a solution. Therefore, I wanted to create this entry so that anyone who encounters the same error can simply resolve their issue.

PS: You can find the solution down below :)


Answer by Aiden Pearce

The answer is straightforward. Simply assign the roles/iam.securityAdmin role to the deployer service account in Terraform, and you're all set. I believe it will be a simple solution for people.

Answer by Bruno Schaatsbergen

If you're using Terraform (the Google Terraform Provider, to be specific) and you've run into this, it's likely because you're using the .id of the backend service instead of the .name.

See: https://github.com/hashicorp/terraform-provider-google/issues/4515#issuecomment-533700206

You can simply fix this by referencing the .name as following:

resource "google_iap_web_backend_service_iam_member" "example" {
  web_backend_service = google_compute_backend_service.example.name
  role                = "roles/iap.httpsResourceAccessor"
  member              = "group:[email protected]"
  project             = var.project
}
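The same .id/.name mix-up applies to the IAP tunnel instance binding that the question's error message is about, not only to backend services. The following is an added example (not the module's own code or the answer author's): it assumes a bastion VM resource named google_compute_instance.bastion, the google_iap_tunnel_instance_iam_member resource from the Google provider, and a constructed group address.

```hcl
# Binding that lets members of a group open IAP TCP tunnels to the bastion VM.
# The instance must be referenced by its short name, not by .id / .self_link:
# the provider would otherwise build an IAM resource path like
# "projects/.../iap_tunnel/zones/.../instances/<full id>", and the 403
# "caller does not have permission" seen in the question comes back.

resource "google_iap_tunnel_instance_iam_member" "bastion_tunnel_user" {
  project = var.project
  zone    = google_compute_instance.bastion.zone

  # WRONG (triggers the 403 on policy lookup):
  # instance = google_compute_instance.bastion.id
  #
  # CORRECT: short instance name, e.g. "bastion-vm"
  instance = google_compute_instance.bastion.name

  role   = "roles/iap.tunnelResourceAccessor"
  member = "group:bastion-users@example.com" # constructed placeholder
}
```

After changing the reference, run `terraform plan` and check that the resource address in the plan output shows the short instance name rather than a full resource path.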