There are several types (levels) of G Suite Admin: Mobile, Services, Help Desk, User Management, Groups, and Super Admin. Notice that there is no Domain Admin in that list.
You need to make your admin a Super Admin. Double check the permissions that you have applied to your admin in the G Suite Console.
To enable G Suite Delegation follow this document:
Perform G Suite Domain-Wide Delegation of Authority
You probably used a google_project_iam_policy resource incorrectly, and overwrote the default IAM policy configuration for the project with an incorrect policy (don't ask how I know this...).

google_project_iam_policy is a very dangerous resource in Terraform, and the docs do not sufficiently emphasize how dangerous it is. The problem is that setting the IAM policy replaces your project's entire IAM configuration with the IAM policy you define. All the default, auto-created service account permissions get wiped out unless you specifically included them in your policy definition.

It is possible to fix your project, but not easy. You need to find all the service accounts that your project needs, and add the correct permissions. Error output from TF_LOG=TRACE terraform apply can guide you. The default project IAM policy should look something like the policy below, though it will differ based on which APIs you have enabled and which Google Cloud features are in use (policy sanitized with xxxxx replacing the project ID):
bindings:
- members:
  - serviceAccount:service-xxxxxxxxxxx@compute-system.iam.gserviceaccount.com
  role: roles/compute.serviceAgent
- members:
  - serviceAccount:xxxxxxxxxxx-compute@developer.gserviceaccount.com
  - serviceAccount:xxxxxxxxxxx@cloudservices.gserviceaccount.com
  - serviceAccount:terraform-service-account@your-terraform-project.iam.gserviceaccount.com
  role: roles/editor
- members:
  - user:owner@example.com
  role: roles/owner
- members:
  - serviceAccount:terraform-service-account@your-terraform-project.iam.gserviceaccount.com
  role: roles/servicenetworking.networksAdmin
- members:
  - serviceAccount:service-xxxxxxxxxxx@service-networking.iam.gserviceaccount.com
  role: roles/servicenetworking.serviceAgent
etag: BwWc0THMaHA=
version: 1
If you are getting this error, run gcloud projects get-iam-policy your-project-name and see what's missing. In all likelihood, the policy change wiped out your owner role, and the roles for the default service accounts (the ones that include your project ID in the name).

Summary: if you're using Terraform to manage IAM in Google Cloud Platform, you should generally NOT be using the resource google_project_iam_policy, unless you are an expert at hand-writing Google IAM policies. If you must use it, before you begin, run gcloud projects get-iam-policy your-project-name and save the results so you can see what your IAM policy looked like before you broke it.
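The answer above recommends saving the policy before the apply and then "seeing what's missing" afterwards. The following script is an added example (not code from the answer or from Terraform/Google) that automates that comparison: it takes two snapshots written by gcloud projects get-iam-policy PROJECT --format=json, flattens them into (role, member) pairs, reports every binding that existed before but not after, flags the ones belonging to Google-managed default service accounts (recognised by the project number in their name), and prints gcloud projects add-iam-policy-binding commands that would put them back. The two JSON policies embedded below are constructed sample data modelled on the sanitized policy in the answer, with xxxxxxxxxxx standing in for a project number and my-project for a project ID; both are assumptions.

```python
"""Diff two GCP project IAM policy snapshots and list wiped bindings.

Added example, not part of the original answer. Assumes snapshots were
captured with:  gcloud projects get-iam-policy PROJECT --format=json
before and after the Terraform apply. Sample policies are constructed.
"""
import json
from typing import Dict, List, Set, Tuple

Binding = Tuple[str, str]  # (role, member)

# Constructed "before" snapshot: the default policy shape from the answer,
# with xxxxxxxxxxx in place of the real project number.
BEFORE_JSON = """
{
  "bindings": [
    {"members": ["serviceAccount:service-xxxxxxxxxxx@compute-system.iam.gserviceaccount.com"],
     "role": "roles/compute.serviceAgent"},
    {"members": ["serviceAccount:xxxxxxxxxxx-compute@developer.gserviceaccount.com",
                 "serviceAccount:xxxxxxxxxxx@cloudservices.gserviceaccount.com",
                 "serviceAccount:terraform-service-account@your-terraform-project.iam.gserviceaccount.com"],
     "role": "roles/editor"},
    {"members": ["user:owner@example.com"], "role": "roles/owner"}
  ],
  "etag": "BwWc0THMaHA=",
  "version": 1
}
"""

# Constructed "after" snapshot: what an authoritative google_project_iam_policy
# leaves behind when only the Terraform service account was declared in it.
AFTER_JSON = """
{
  "bindings": [
    {"members": ["serviceAccount:terraform-service-account@your-terraform-project.iam.gserviceaccount.com"],
     "role": "roles/editor"}
  ],
  "etag": "BwWc0THMaHB=",
  "version": 1
}
"""


def flatten(policy: Dict) -> Set[Binding]:
    """Turn a policy document's bindings into a set of (role, member) pairs."""
    pairs: Set[Binding] = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            pairs.add((binding["role"], member))
    return pairs


def missing_bindings(before_json: str, after_json: str) -> List[Binding]:
    """Return (role, member) pairs present before but absent after, sorted."""
    before = flatten(json.loads(before_json))
    after = flatten(json.loads(after_json))
    return sorted(before - after)


def lost_default_service_accounts(missing: List[Binding], project_number: str) -> List[Binding]:
    """Subset of the missing bindings whose member is a Google-managed default
    service account, recognised by the project number embedded in its name."""
    return [b for b in missing
            if b[1].startswith("serviceAccount:") and project_number in b[1]]


def restore_commands(missing: List[Binding], project_id: str) -> List[str]:
    """Build the gcloud commands that would re-add each wiped binding.
    Review the list before running it; the project ID here is an assumption."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}" for role, member in missing]


if __name__ == "__main__":
    lost = missing_bindings(BEFORE_JSON, AFTER_JSON)
    for role, member in lost:
        print(f"MISSING  {role:<35} {member}")
    defaults = lost_default_service_accounts(lost, "xxxxxxxxxxx")
    print(f"{len(lost)} binding(s) wiped, {len(defaults)} of them default service accounts")
    print("\n".join(restore_commands(lost, "my-project")))
```

To use it on a real project, replace the two embedded strings with the contents of the JSON files you saved before and after the apply. The set difference is keyed on (role, member), so a member that kept one role but lost another is still reported, which is exactly the case for the default editor bindings in the answer's policy.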
Best Answer
I had the same problem. We are using Organizations on GCP, and I used this script to create the Terraform account in a terraform-admin project I created just for holding the master Terraform service account, which we use for setting up higher-level projects and environments.
It turns out that the roles I set up for terraform@{project}.iam.gserviceaccount.com in the admin project are local to that project, i.e., in the organization IAM view this service account shows up with only 'Billing Account User' and 'Project Creator'.
I am not sure, but I think that other organization-scope projects can't read the roles set in other projects (or the roles set in other projects for a specific service account are overridden by the roles set up in the organization-scope roles for that service account).
Adding the 'Storage Admin' and 'Viewer' roles to the organization-scope service account fixed this error.
P.S. I think that using Terraform Enterprise allows managing organization-wide users and thus makes it possible to create and manage Terraform service accounts in the organization scope, avoiding the need to manually add the organization-scope roles to the service account that one experiences with the community version.