googleapiclient.errors.HttpError:
<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/*/serviceAccounts/@iam.gserviceaccount.com/keys?alt=json
returned "Permission 'iam.serviceAccountKeys.create' denied on resource (or it may not exist).".
Details: "[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'IAM_PERMISSION_DENIED', 'domain': 'iam.googleapis.com', 'metadata': {'permission': 'iam.serviceAccountKeys.create'}}]">
A Pub/Sub topic is used to trigger this function, and here's the relevant part of the code I'm using:
import googleapiclient.discovery
iam_service = googleapiclient.discovery.build('iam', 'v1')
name = 'projects/%s/serviceAccounts/%s' % (project_id, service_account_email_id)
response = iam_service.projects().serviceAccounts().keys().create(name=name, body=key_body).execute()
Can anyone provide guidance on how to address this "Iam Permission Denied" error when attempting to create a Service Account Key with a default service account that has the "Service Account Key Admin" role? Are there any additional steps or considerations I might be missing? Your insights and help would be greatly appreciated!
Hi @SumanthBurla ,
I have no good answer besides creating a dedicated service account with the relevant roles and assigning it to your Cloud Function. The default service account already has a lot of roles assigned to it.
Note that IAM changes might take a bit of time to propagate everywhere. Sometimes retrying in 5-10 minutes is all you need to make it work.
Another thing to note is that the service account, the one you are trying to create the key for, must exist, as it says in the error message:
Permission 'iam.serviceAccountKeys.create' denied on resource (or it may not exist).
Good luck and let us know how it goes,
Julien
Appreciate your response @julien_bisconti,
Well, the service account I'm trying here exists, with a key created way back. And I did try using a custom service account for the Cloud Function; the result is the same.
I assumed Pub/Sub was pushing the project_id, but it's pushing the number!! Now it's resolved 🙂
Thanks for your suggestions, mate.
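One way to catch the mix-up this reply describes before the IAM call is made, as an added example that is not code from the original thread: the Pub/Sub message field names (`project_id`, `service_account_email`), the `make_event` helper and the sample values are assumptions.

```python
import base64
import json
import re

# Project IDs are 6-30 chars of lowercase letters, digits and hyphens and start
# with a letter; a project *number* is all digits. The IAM resource name built
# below needs the ID, which is the mix-up this thread ran into.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9.-]+\.gserviceaccount\.com$")


def make_event(project, sa_email):
    """Build a constructed Pub/Sub-trigger event ({'data': base64 JSON}).

    The JSON field names are assumptions for this example.
    """
    body = json.dumps({"project_id": project, "service_account_email": sa_email})
    return {"data": base64.b64encode(body.encode("utf-8")).decode("ascii")}


def build_key_resource_name(project, sa_email):
    """Return 'projects/<id>/serviceAccounts/<email>' or raise ValueError.

    Rejecting a project number locally turns the ambiguous IAM 403
    "denied on resource (or it may not exist)" into a clear error.
    """
    if project.isdigit():
        raise ValueError("got project number %r; the resource name needs the project ID" % project)
    if not PROJECT_ID_RE.match(project):
        raise ValueError("not a valid project ID: %r" % project)
    if not SA_EMAIL_RE.match(sa_email):
        raise ValueError("not a service account email: %r" % sa_email)
    return "projects/%s/serviceAccounts/%s" % (project, sa_email)


def resource_name_from_event(event):
    """Decode the Pub/Sub message and validate it before any IAM call."""
    msg = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    return build_key_resource_name(msg["project_id"], msg["service_account_email"])


if __name__ == "__main__":
    sa = "rotator@my-sample-project.iam.gserviceaccount.com"  # constructed
    print(resource_name_from_event(make_event("my-sample-project", sa)))
    try:
        resource_name_from_event(make_event("123456789012", sa))  # number, not ID
    except ValueError as exc:
        print("rejected:", exc)
```

The validated name is what goes into the `name=` argument of the `keys().create()` call; anything rejected here never reaches the IAM API.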