feat: ensure that project is granted access to Org PAM

Andrew Newdigate requested to merge grant-project-access into main

Fix for an issue where the project has not granted access to the organization's PAM service agent.

First reported by @amknight in https://gitlab.slack.com/archives/C05HYEZTGM9/p1717528643320279

```
PAM's Service Account "service-org-123456789@gcp-sa-pam.iam.gserviceaccount.com" was denied access to the resource.

Complete the PAM setup process to grant the required permissions and try again. Error: missing permissions
[resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy resourcemanager.projects.get] on
resource "//cloudresourcemanager.googleapis.com/projects/xxx"
        "subject": "privileged_access.gcp_iam_access.resource",
        "type": "PERMISSION_DENIED"
```

Note: there is no organizational equivalent of `google_project_service_identity` that we can use here: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity

So we need to construct the service account email ourselves.
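The shape of the fix described above, as an added Terraform example that is not the MR's own diff: the PAM service agent email is built from the organization's numeric ID (the `service-org-<ORG_ID>@gcp-sa-pam.iam.gserviceaccount.com` pattern visible in the error above) and bound at the project level so the agent gets the `resourcemanager.projects.getIamPolicy`, `setIamPolicy` and `get` permissions the error lists. The variables `org_id` and `project_id` are assumptions for illustration, and the role name `roles/privilegedaccessmanager.serviceAgent` is an assumption to be checked against the current PAM documentation before use.

```hcl
# Added example, not the MR's own code. Assumes var.org_id (numeric
# organization ID) and var.project_id are defined elsewhere in the module.
variable "org_id" {
  type        = string
  description = "Numeric ID of the organization that owns the PAM service agent (assumed input)."
}

variable "project_id" {
  type        = string
  description = "Project that must grant access to the organization's PAM service agent (assumed input)."
}

locals {
  # There is no google_organization_service_identity resource, so the PAM
  # service agent email is constructed by hand from the org ID.
  pam_service_agent_email = "service-org-${var.org_id}@gcp-sa-pam.iam.gserviceaccount.com"
}

# Grant the org-level PAM service agent the project permissions the
# PERMISSION_DENIED error asks for (projects.getIamPolicy / setIamPolicy / get).
# Using *_iam_member adds a single binding without clobbering the project's
# existing IAM policy.
resource "google_project_iam_member" "pam_service_agent" {
  project = var.project_id
  # Assumption: the PAM service agent role; verify the role ID against the
  # PAM docs for your provider version before applying.
  role   = "roles/privilegedaccessmanager.serviceAgent"
  member = "serviceAccount:${local.pam_service_agent_email}"
}

output "pam_service_agent_email" {
  description = "Constructed PAM service agent email, useful to confirm the org ID was wired correctly."
  value       = local.pam_service_agent_email
}
```

After `terraform apply`, the constructed email in the output should match the one named in the PAM error for that organization; a mismatch means the wrong (non-numeric, or folder rather than organization) ID was passed, and the binding will silently grant nothing useful.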

Edited by Andrew Newdigate