This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

403 ERROR: While creating a Key using Cloud Function (IAM_PERMISSION_DENIED)

Posted on 09-08-2023 12:46 AM
SumanthBurla
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM
Greetings Everyone,
 
"I'm encountering a '403 Permission Denied' error when attempting to create a new serviceAccountKey using a Cloud Function in Python 3.7.  The error message I'm receiving is as follows:

 

googleapiclient.errors.HttpError: 
<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/*/serviceAccounts/@iam.gserviceaccount.com/keys?alt=json 
returned "Permission 'iam.serviceAccountKeys.create' denied on resource (or it may not exist).". 
Details: "[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'IAM_PERMISSION_DENIED', 'domain': 'iam.googleapis.com', 'metadata': {'permission': 'iam.serviceAccountKeys.create'}}]">

 

Pub/Sub topic is used for triggering this function and here's the relevant part of the code I'm using:

 

iam_service = googleapiclient.discovery.build('iam', 'v1')
response = iam_service.projects().serviceAccounts().keys().create(name='projects/%s/serviceAccounts/%s' % (project_id,service_account_email_id), body=key_body).execute()

 

Can anyone provide guidance on how to address this "Iam Permission Denied" error when attempting to create a Service Account Key with a default service account that has the "Service Account Key Admin" role? Are there any additional steps or considerations I might be missing? Your insights and help would be greatly appreciated!

Solved Solved
0 2 451
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
SumanthBurla
Silver 1
Silver 1
In response to julien_bisconti
Reply posted on --/--/---- --:-- AM

appreciate your response @julien_bisconti , 

well, that service account I'm trying here is existing with a key created way back. And I did try using custom service account for cloud function, result is the same. 

assumed pub/sub is pushing project_id but it's pushing number!! now it resolved 🙂

Thanks for your suggestions mate.

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
julien_bisconti
Google Developer Expert
Google Developer Expert
Reply posted on --/--/---- --:-- AM

Hi @SumanthBurla ,

I have no good answer besides creating a dedicated service account with the relevant roles and assign it to your Cloud Function. The default service account already has a lot of roles assigned to it. 

Note that IAM changes might take a bit of time to propagate everywhere. Sometimes retrying in 5-10 minutes is all you need to make it work. 

Another thing to note is that the service account, the one that you are trying to create the key from, must exists, as it says in the error message.

Permission 'iam.serviceAccountKeys.create' denied on resource (or it may not exist).

 Good luck and let us know how it goes,

Julien

Jump to Solution

Posted on --/--/---- --:-- AM
SumanthBurla
Silver 1
Silver 1
In response to julien_bisconti
Reply posted on --/--/---- --:-- AM

appreciate your response @julien_bisconti , 

well, that service account I'm trying here is existing with a key created way back. And I did try using custom service account for cloud function, result is the same. 

assumed pub/sub is pushing project_id but it's pushing number!! now it resolved 🙂

Thanks for your suggestions mate.

Jump to Solution