Permission denied creating project with GCP resource manager API


I am trying to create projects programmatically through the resource manager API from a google cloud function like so:

const fetch = require("node-fetch");             // needed on Node runtimes before 18, where fetch is not global
const functions = require("firebase-functions");  // provides functions.logger
// Numeric id of the folder the new project is created under; read from the
// environment rather than hard-coding it in the function source
const FOLDER_NUMBER = process.env.FOLDER_NUMBER;

exports.createProjectAsync = async (projectId, projectName) => {
    const scopes = "https://www.googleapis.com/auth/cloud-platform"
    // Ask the metadata server for an access token of the function's default service account
    const url = `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=${scopes}`
    const tokenResult = await fetch(url, {
        headers: {
            "Metadata-Flavor": "Google"
        },
    });
    const tokenStatus = tokenResult.status;
    functions.logger.log(`Call to get token has status ${tokenStatus}`);
    const tokenData = await tokenResult.json()
    functions.logger.log(`Call to get token has data ${JSON.stringify(tokenData)}`);
    const accessToken = tokenData.access_token;
    // access_token is absent (undefined, not null) when the token call fails,
    // so test for any falsy value rather than strict equality with null
    if (!accessToken) {
        throw new Error(`Failed to retrieve access token`);
    }
    const headers = {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${accessToken}`
    };
    const payload = {
        "projectId": projectId,
        "name": projectName,
        "parent": {
            "type": "folder",
            "id": FOLDER_NUMBER
        }
    };
    const projectsCreateUrl = `https://cloudresourcemanager.googleapis.com/v1/projects/`
    const result = await fetch(projectsCreateUrl, {
        method: 'POST',
        headers: headers,
        body: JSON.stringify(payload)
    });
    const status = result.status;
    functions.logger.log(`Call to create project returned status ${status}`);
    const data = await result.json()
    functions.logger.log(`data: ${JSON.stringify(data)}`);
    return data;
}

For testing purposes I've added the Organization Administrator role to the default service account. I cannot see the Project Creator role in IAM:

[screenshot: the IAM role picker, with no Project Creator entry]

When calling the API I get the following error:

{"error":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED"}}

How can I successfully access this resource?

jccampanero (best answer)

Although, of course, it gives you the ability to modify its own permissions, as you can verify in the GCP documentation, the Organization Admin role does not allow you to create a new project.

As you indicated, for that purpose the service account should be granted the Project Creator (roles/resourcemanager.projectCreator) role.

According to your screenshot, you are trying to grant this permission at the project level, but please be aware that this role can only be granted at the organization and folder levels. This is the reason why the dropdown menu in the Google Cloud Web console is not providing you the Project Creator option.

If you have the necessary permissions over the folder or organization, try to assign that role at the corresponding level.
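The answer's two points (the service account needs roles/resourcemanager.projectCreator, and it needs it on the folder or organization rather than the project) can be checked before the function ever calls projects.create. The following is an added example, not code from the question or the answer: it inspects the IAM policy of the folder or organization (the {etag, bindings: [{role, members}]} shape returned by folders.getIamPolicy / organizations.getIamPolicy), reports whether a given service account holds Project Creator there and whether it also carries roles far broader than the task needs, and builds the updated policy for setIamPolicy by merging the binding in rather than overwriting the existing ones. The service account e-mail, folder policy and etag are constructed sample values.

```javascript
// Added example (not from the question or the answer): pre-flight check of a
// folder's or organization's IAM policy before calling projects.create, plus
// a read-modify-write helper that adds the Project Creator binding.
// Policy shape: { etag, version, bindings: [{ role, members, condition? }] }.

const PROJECT_CREATOR = "roles/resourcemanager.projectCreator";

// Roles far broader than "create a project"; flagged for least-privilege review.
// Note that Organization Admin is broad but still does not include project creation.
const OVERLY_BROAD = new Set([
  "roles/owner",
  "roles/resourcemanager.organizationAdmin",
]);

// IAM member strings carry a type prefix ("serviceAccount:", "user:", ...).
// Compare on the lower-cased e-mail part so both spellings match.
function memberKey(member) {
  const idx = member.indexOf(":");
  const email = idx >= 0 ? member.slice(idx + 1) : member;
  return email.trim().toLowerCase();
}

// Roles the member holds directly in this policy. Conditional bindings are
// skipped: a condition may not hold at call time, so for a pre-flight check
// they are conservatively treated as granting nothing.
function rolesFor(policy, member) {
  const wanted = memberKey(member);
  const roles = new Set();
  for (const binding of policy.bindings || []) {
    if (binding.condition) continue;
    if ((binding.members || []).some((m) => memberKey(m) === wanted)) {
      roles.add(binding.role);
    }
  }
  return roles;
}

// Can this member create projects under the resource whose policy this is,
// and does it carry roles broader than that task needs?
function checkProjectCreatorAccess(policy, member) {
  const roles = rolesFor(policy, member);
  return {
    canCreateProjects: roles.has(PROJECT_CREATOR),
    overlyBroadRoles: [...roles].filter((r) => OVERLY_BROAD.has(r)).sort(),
    missingRoles: roles.has(PROJECT_CREATOR) ? [] : [PROJECT_CREATOR],
  };
}

// Copy of the policy with a Project Creator binding for `member`, merged into
// the existing unconditional binding for that role if there is one. The etag
// is kept so setIamPolicy rejects the write if the policy changed in between
// (the read-modify-write pattern); the input policy is not mutated.
function withProjectCreator(policy, member) {
  const bindings = (policy.bindings || []).map((b) => ({
    ...b,
    members: [...(b.members || [])],
  }));
  const wanted = memberKey(member);
  let target = bindings.find((b) => b.role === PROJECT_CREATOR && !b.condition);
  if (!target) {
    target = { role: PROJECT_CREATOR, members: [] };
    bindings.push(target);
  }
  if (!target.members.some((m) => memberKey(m) === wanted)) {
    target.members.push(member);
  }
  return { ...policy, bindings };
}

// Constructed sample mirroring the question: the function's default service
// account was given Organization Administrator only.
const SAMPLE_SA = "serviceAccount:my-func@example-project.iam.gserviceaccount.com";
const SAMPLE_FOLDER_POLICY = {
  etag: "BwXyz123=", // constructed
  version: 1,
  bindings: [
    { role: "roles/resourcemanager.organizationAdmin", members: [SAMPLE_SA] },
    { role: "roles/viewer", members: ["user:alice@example.com"] },
  ],
};

console.log("before:", checkProjectCreatorAccess(SAMPLE_FOLDER_POLICY, SAMPLE_SA));
const FIXED_POLICY = withProjectCreator(SAMPLE_FOLDER_POLICY, SAMPLE_SA);
console.log("after:", checkProjectCreatorAccess(FIXED_POLICY, SAMPLE_SA));
```

Run against the real folder policy, the "before" report shows canCreateProjects false and missingRoles listing roles/resourcemanager.projectCreator, which is exactly the state that produces the 403 in the question; the overlyBroadRoles entry is the cue to remove Organization Administrator from the function's service account once the narrow role is in place.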