
Certificate Authority Service - SA not getting created

Tried disabling/enabling the Google CAS API but the service account is not getting generated automatically.

All the GitHub workflows are failing to create a private CA:

│ Error: Error waiting to create CertificateAuthority: Error waiting for Creating CertificateAuthority: Error code 3, message: com.google.apps.framework.request.StatusException: <eye3 title='INVALID_ARGUMENT'/> generic::INVALID_ARGUMENT: Exception calling IAM: Service account service-514653896921@gcp-sa-privateca.iam.gserviceaccount.com does not exist.; IAM SetIamPolicy RPC failed on project_id: n0c0a043a49805c1ap-tp.
│
│   with google_privateca_certificate_authority.root_ca,
│   on main.tf line 81, in resource "google_privateca_certificate_authority" "root_ca":
│   81: resource "google_privateca_certificate_authority" "root_ca"

Tried with:

gcloud services enable private.googleapis.com

Also included it in Terraform to enable the API, and included the dependencies as well:

privateca.googleapis.com

The Service account is not getting created and I'm stuck 😞


Hi @javed-shaikh-de,

Welcome to Google Cloud Community!

Your GitHub workflow needs to authenticate to Google Cloud to use the Private CAS API, but it doesn't have a service account configured for this purpose.

Here are the Step-by-Step Instructions:

Make sure to check again that the Private CAS API is enabled; you may use this CLI command:

gcloud services enable privateca.googleapis.com --project=[YOUR_PROJECT_ID]


1. Create a User-Managed Service Account for your GitHub Actions.

Example CLI command:

gcloud iam service-accounts create github-cas-sa \
    --display-name="GitHub CAS Service Account" \
    --project=[YOUR_PROJECT_ID]

Terraform sample:

resource "google_service_account" "github_cas_sa" {
  project      = var.project_id
  account_id   = "github-cas-sa"
  display_name = "GitHub CAS Service Account"
}

2. Grant this Service Account the necessary IAM roles to manage Private CAS resources.

The specific roles depend on what your workflow needs to do.

Example granting roles/privateca.caManager:

gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \
    --member="serviceAccount:github-cas-sa@[YOUR_PROJECT_ID].iam.gserviceaccount.com" \
    --role="roles/privateca.caManager"

Terraform sample:

resource "google_project_iam_member" "cas_sa_binding" {
  project = var.project_id
  role    = "roles/privateca.caManager"
  member  = "serviceAccount:${google_service_account.github_cas_sa.email}"
}

3. Generate a JSON key for this service account.

Example CLI command:

gcloud iam service-accounts keys create gcp-cas-credentials.json \
    --iam-account="github-cas-sa@[YOUR_PROJECT_ID].iam.gserviceaccount.com" \
    --project=[YOUR_PROJECT_ID]

Important: Secure this gcp-cas-credentials.json file. It provides access to your GCP resources. You can also check here in the console.

4. Store this key securely in GitHub Secrets.

  • Go to your GitHub repository > Settings > Secrets and variables > Actions.
  • Click "New repository secret".
  • Name the secret (e.g. GCP_SA_KEY).
  • Paste the entire content of the gcp-cas-credentials.json file into the "Value" field.
  • Click "Add secret".

5. Configure your GitHub workflow to use this service account key for authentication.
Use the google-github-actions/auth action to authenticate.

Regarding the Google-Managed Service Agent (service-...@gcp-sa-privateca.iam.gserviceaccount.com):

  • This account is not what your GitHub Action uses to authenticate to the CAS API.
  • It is used by the CAS service.
  • It is usually created when you create a resource that needs it, like a CA Pool.
  • You generally don't manage its lifecycle directly, but you might need to grant it permissions if automatic grants fail or if you're setting things up very granularly with Terraform.


Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
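Added example (not from the thread above): a GitHub Actions workflow that wires steps 4 and 5 of the reply together, authenticating with the GCP_SA_KEY repository secret via google-github-actions/auth, checking that the active identity is the user-managed service account and that privateca.googleapis.com is enabled, and only then running Terraform. The workflow path, action versions, the extra GCP_PROJECT_ID secret and the Terraform variable name are assumptions.

```yaml
# .github/workflows/private-ca.yml  (constructed example, path is an assumption)
name: private-ca

on:
  push:
    branches: [main]

# Least privilege for the built-in GITHUB_TOKEN: the job only reads the repo.
permissions:
  contents: read

jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}   # assumed second repository secret
    steps:
      - uses: actions/checkout@v4

      # Step 5 of the reply: authenticate with the JSON key stored in step 4.
      # The key is injected from the secret store and is masked in job logs.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - uses: google-github-actions/setup-gcloud@v2

      # Preflight: fail early if the active identity is not the user-managed
      # SA from step 1, or if the Private CA API is not enabled (the reply's
      # first check), instead of letting Terraform time out on CA creation.
      - name: Preflight checks
        run: |
          active="$(gcloud auth list --filter=status:ACTIVE --format='value(account)')"
          echo "active identity: ${active}"
          case "${active}" in
            github-cas-sa@*) ;;
            *) echo "unexpected identity, refusing to continue"; exit 1 ;;
          esac
          gcloud services list --enabled --project="${PROJECT_ID}" \
            --filter="config.name=privateca.googleapis.com" \
            --format='value(config.name)' | grep -q '^privateca.googleapis.com$'

      - uses: hashicorp/setup-terraform@v3

      - name: Terraform apply
        run: |
          terraform init -input=false
          terraform apply -input=false -auto-approve -var="project_id=${PROJECT_ID}"
```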
