googleapi: Error 403: Permission 'run.services.setIamPolicy' denied on resource


I'm trying to make a Cloud Run service publicly accessible using Terraform. I can successfully create the service with Terraform, but when trying to set IAM permissions I get a 403 error.

The Terraform service account associated with var.credentials_file has the owner role (just for checking).

My Terraform setup is below:

# Provider pin from the original post.
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.51.0"
    }
  }
}

# Input variables referenced below. The original post used them without
# declaring them; they are declared here so the configuration validates.
variable "credentials_file" {}
variable "project" {}
variable "region" {}
variable "container_repository" {}
variable "container_name" {}

# The service account in this key file is the principal that must hold
# run.services.setIamPolicy on the project (not on the service account itself)
# for the IAM binding at the bottom to apply.
provider "google" {
  credentials = file(var.credentials_file)
  project     = var.project
  region      = var.region
}

# Enables the Cloud Run API. Referenced by depends_on below but not shown in
# the original post; reconstructed here.
resource "google_project_service" "run" {
  project = var.project
  service = "run.googleapis.com"
}

resource "google_cloud_run_v2_service" "terra_demo" {
  name     = "cloudrun-service-demo"
  location = var.region
  # Accept traffic from the public internet. Together with the allUsers
  # binding below this makes the service anonymously reachable.
  ingress = "INGRESS_TRAFFIC_ALL"

  template {
    containers {
      image = "us-central1-docker.pkg.dev/${var.project}/${var.container_repository}/${var.container_name}"
    }
  }
  depends_on = [google_project_service.run]
}

# Authoritative binding: Terraform makes allUsers the only member of
# roles/run.invoker on this service, replacing any other invokers. Applying it
# is the call that needs run.services.setIamPolicy and that returned the 403.
resource "google_cloud_run_service_iam_binding" "default" {
  location = google_cloud_run_v2_service.terra_demo.location
  service  = google_cloud_run_v2_service.terra_demo.name
  role     = "roles/run.invoker"
  members = [
    "allUsers"
  ]
}

1 answer

Answer by sam:

This turned out to be a misunderstanding of IAM roles.

If the Terraform user is set to owner here: https://console.cloud.google.com/iam-admin/iam, it works OK.

Instead of from https://console.cloud.google.com/iam-admin/serviceaccounts, which doesn't work.
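The two grant scopes the answer contrasts, written as Terraform so the difference is visible in code. This is an added example, not code from the original question or answer. It assumes the e-mail of the Terraform service account (the one whose key is in var.credentials_file) is supplied as var.terraform_sa_email, and uses var.project as in the question; both resource types are in the hashicorp/google provider.

```hcl
# Added example, not from the original post. Assumed inputs: var.project as in
# the question, and the e-mail of the Terraform service account.
variable "project" {}
variable "terraform_sa_email" {}

# What the "Service accounts" console page grants: a role ON the service-account
# resource. Bindings here decide who may impersonate or manage this service
# account; they grant nothing on Cloud Run services, so run.services.setIamPolicy
# on the service is still denied no matter which role is chosen here.
resource "google_service_account_iam_member" "on_the_sa_resource" {
  service_account_id = "projects/${var.project}/serviceAccounts/${var.terraform_sa_email}"
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${var.terraform_sa_email}"
}

# What the "IAM" console page grants: a role on the PROJECT, inherited by every
# Cloud Run service in it. roles/run.admin contains run.services.setIamPolicy
# and is much narrower than the roles/owner used in the question, which is all
# a deploy pipeline needs to manage services and their invoker bindings.
resource "google_project_iam_member" "on_the_project" {
  project = var.project
  role    = "roles/run.admin"
  member  = "serviceAccount:${var.terraform_sa_email}"
}
```

A principal cannot grant itself a project role it does not already hold, so the `google_project_iam_member` grant has to be applied with an administrator's credentials (or in the console) before the service's invoker binding will succeed. To confirm at which scope a grant landed, `gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" --filter="bindings.members:serviceAccount:EMAIL"` lists the account's project-level roles, while `gcloud iam service-accounts get-iam-policy EMAIL` lists roles held on the service-account resource; only the former is consulted for Cloud Run permissions.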