Solved: Re: Cloud SQL Terraform 403 ERROR

MatanZ · 01-08-2025 06:42 AM

I am trying to create a Cloud SQL PostgreSQL instance using Terraform. I am using a Service Account as credentials for Google, and I have assigned the Cloud SQL Admin role to the Service Account. I am quite lost with the error message I am receiving. Any idea if I need to add other rules to my Service Account? I would appreciate any help.

google_sql_database_instance.postgres_instance: Creating...

Error: Error, failed to create instance lighthouse-postgresql-dev: googleapi: Error 403: The client is not authorized to make this request., notAuthorized

   with google_sql_database_instance.postgres_instance,
   on main.tf line 402, in resource "google_sql_database_instance" "postgres_instance":
  402: resource "google_sql_database_instance" "postgres_instance" {

ms4446

The error "googleapi: Error 403: The client is not authorized to make this request" when creating a Cloud SQL PostgreSQL instance using Terraform generally indicates insufficient permissions for the Service Account, even with roles/cloudsql.admin. Additional roles are often needed, especially when using private IPs or VPC networking.

Permissions for Instance Creation:

roles/cloudsql.admin: Provides core permissions for managing Cloud SQL instances.
Networking Permissions (if using private IP or Shared VPC):
- roles/compute.networkAdmin: For managing network resources (if configuring private IP, custom networks).
- roles/compute.xpnAdmin: For administering Shared VPCs (if using a Shared VPC).
- You might also need specific permissions like compute.networks.use and compute.subnetworks.use depending on your network configuration, these permissions are covered by the roles/compute.networkUser.

Some Considerations:

API Enablement: Ensure both the Cloud SQL Admin API (sqladmin.googleapis.com) and Compute Engine API (compute.googleapis.com) are enabled in your project:
```
gcloud services enable sqladmin.googleapis.com compute.googleapis.com
```
Organization Policies: Check for restrictive organization policies that might block instance creation (e.g., constraints/sql.restrictInstanceCreation):
```
gcloud org-policies list --project=<PROJECT_ID>
```
Terraform Configuration: Review your Terraform configuration for networking-related attributes like private_network that might require the networking permissions mentioned above.
Service Account Impersonation: If you are impersonating a service account to run Terraform, the user performing the impersonation will need roles/iam.serviceAccountUser on the service account being impersonated. The service account creating the Cloud SQL instance doesn't need this role assigned to itself.

Manual gcloud Test: Try creating an instance manually using the gcloud CLI to isolate whether the issue is with Terraform or permissions:

gcloud sql instances create test-instance --database-version=POSTGRES_14 --region=us-central1 --service-account=<SERVICE_ACCOUNT_EMAIL>
# If using private IP, you'll likely also need:
# --network=projects/$PROJECT_ID/global/networks/$NETWORK_NAME --no-assign-ip

roles/cloudsql.client and roles/cloudsql.instanceUser are NOT needed for instance creation. They are for connecting to the instance later.
IAM Propagation Delay: Allow a few minutes for IAM policy changes to fully propagate.
Terraform Debug Logging: Enable debug logging (TF_LOG=DEBUG) for more detailed error messages during Terraform operations.

View solution in original post

ms4446

The error "googleapi: Error 403: The client is not authorized to make this request" when creating a Cloud SQL PostgreSQL instance using Terraform generally indicates insufficient permissions for the Service Account, even with roles/cloudsql.admin. Additional roles are often needed, especially when using private IPs or VPC networking.

Permissions for Instance Creation:

roles/cloudsql.admin: Provides core permissions for managing Cloud SQL instances.
Networking Permissions (if using private IP or Shared VPC):
- roles/compute.networkAdmin: For managing network resources (if configuring private IP, custom networks).
- roles/compute.xpnAdmin: For administering Shared VPCs (if using a Shared VPC).
- You might also need specific permissions like compute.networks.use and compute.subnetworks.use depending on your network configuration, these permissions are covered by the roles/compute.networkUser.

Some Considerations:

API Enablement: Ensure both the Cloud SQL Admin API (sqladmin.googleapis.com) and Compute Engine API (compute.googleapis.com) are enabled in your project:
```
gcloud services enable sqladmin.googleapis.com compute.googleapis.com
```
Organization Policies: Check for restrictive organization policies that might block instance creation (e.g., constraints/sql.restrictInstanceCreation):
```
gcloud org-policies list --project=<PROJECT_ID>
```
Terraform Configuration: Review your Terraform configuration for networking-related attributes like private_network that might require the networking permissions mentioned above.
Service Account Impersonation: If you are impersonating a service account to run Terraform, the user performing the impersonation will need roles/iam.serviceAccountUser on the service account being impersonated. The service account creating the Cloud SQL instance doesn't need this role assigned to itself.

Manual gcloud Test: Try creating an instance manually using the gcloud CLI to isolate whether the issue is with Terraform or permissions:

gcloud sql instances create test-instance --database-version=POSTGRES_14 --region=us-central1 --service-account=<SERVICE_ACCOUNT_EMAIL>
# If using private IP, you'll likely also need:
# --network=projects/$PROJECT_ID/global/networks/$NETWORK_NAME --no-assign-ip

roles/cloudsql.client and roles/cloudsql.instanceUser are NOT needed for instance creation. They are for connecting to the instance later.
IAM Propagation Delay: Allow a few minutes for IAM policy changes to fully propagate.
Terraform Debug Logging: Enable debug logging (TF_LOG=DEBUG) for more detailed error messages during Terraform operations.