I'm automating the creation of Google Cloud Platform (GCP) projects for users in a MySQL database using their Gmail accounts. The automation for adding the users as principals in the GCP organization works fine, but I encounter an issue when trying to create and set IAM policies for the projects.

The error I get is:

Failed to set IAM policy for project main-18316463: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects/main-18316463:setIamPolicy?alt=json returned "The caller does not have permission". Details: "The caller does not have permission">

The strange part is that it works for the first 5 users, but then I get the error for subsequent users.

I have assigned the following roles at the organization level for the service account:

Project Creator

Project Deleter

Project IAM Admin

Organization Administrator

Owner

Editor

Additionally, I've enabled the Cloud Resource Manager API for the project linked to the service account.

Troubleshooting:

Permissions: I have ensured that the service account has roles/resourcemanager.projectIamAdmin at the organization level.

API Enabled: The Cloud Resource Manager API is enabled for the project.

Has anyone encountered a similar issue? What could be causing the "caller does not have permission" error after the first few successful project creations?

asked Mar 29 at 20:40 by Liwizy

1 Answer


Your script likely creates the project and immediately tries to call setIamPolicy on it. For the first few projects, maybe the system is slightly faster, or the script's overhead is enough to provide a tiny delay, allowing propagation to complete just in time. As the script runs rapidly through the loop, subsequent calls happen too quickly for the newly created project's IAM context to be ready, leading to the 403 error: the system doesn't yet recognize your service account's permission to manage that specific new project.

Try adding a pause in your script after creating the project and before calling setIamPolicy. Try a delay of 20 seconds or so to test, then shorten it if that solves your problem.
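A fixed 20-second sleep either wastes time or is still occasionally too short. The following is an added example, not code from the question or the answer, of the same idea done as a bounded retry: only the setIamPolicy step is retried, only on the 403 "does not have permission" response, with exponential backoff and jitter, and the last error is re-raised so a persistent permission problem is not silently swallowed. It also keeps the policy etag across the getIamPolicy / setIamPolicy read-modify-write, which is how the real API detects concurrent edits. The `HttpError` class is a stand-in with the same `resp.status` shape as `googleapiclient.errors.HttpError`, and `FakeProjectApi` is a constructed simulation of the Resource Manager v1 projects methods so the file runs offline; both are assumptions of this example. (Separately: the script only exercises project creation and project IAM administration, so org-level Owner and Organization Administrator on the service account are far broader than the loop needs.)

```python
"""Bounded retry around setIamPolicy on a freshly created project.
Added example, not code from the question or answer: HttpError is a stand-in
with the ``resp.status`` shape of googleapiclient.errors.HttpError, and
FakeProjectApi is a constructed simulation of the v1 projects API."""
import copy
import random
import time
from typing import Callable, Dict, List


class HttpError(Exception):
    """Stand-in for googleapiclient.errors.HttpError (only resp.status used)."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.resp = type("Resp", (), {"status": status})()


def is_propagation_403(exc: BaseException) -> bool:
    """True only for the transient 403 seen right after project creation;
    404, 409 (etag conflict), 429 (quota) etc. are never retried."""
    return (isinstance(exc, HttpError) and exc.resp.status == 403
            and "does not have permission" in str(exc))


def retry_with_backoff(call: Callable[[], Dict],
                       is_retryable: Callable[[BaseException], bool],
                       max_attempts: int = 6, base_delay: float = 1.0,
                       max_delay: float = 30.0,
                       sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Retry ``call`` with delays 1, 2, 4, 8 ... s (capped) plus jitter so a
    loop over many users does not retry in lock step; last error re-raised."""
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        try:
            return call()
        except Exception as exc:
            if attempt == max_attempts or not is_retryable(exc):
                raise
            sleep(delay + random.uniform(0.0, delay / 2))
            delay = min(delay * 2, max_delay)
    raise RuntimeError("unreachable: the loop always returns or raises")


def add_binding(policy: Dict, role: str, member: str) -> Dict:
    """Copy of an IAM policy with ``member`` added to ``role``; the etag is
    kept for the read-modify-write, and an existing membership is a no-op."""
    updated = copy.deepcopy(policy)
    bindings: List[Dict] = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


class FakeProjectApi:
    """Constructed simulation: setIamPolicy answers 403 for the first
    ``propagation_failures`` calls after each create, then works normally."""

    def __init__(self, propagation_failures: int = 3) -> None:
        self.propagation_failures = propagation_failures
        self.policies: Dict[str, Dict] = {}
        self._pending: Dict[str, int] = {}
        self.set_calls = 0

    def create(self, project_id: str) -> Dict:
        self.policies[project_id] = {"etag": "BwX0", "bindings": []}
        self._pending[project_id] = self.propagation_failures
        return {"name": "operations/cp.%d" % len(self.policies)}

    def get_iam_policy(self, project_id: str) -> Dict:
        return copy.deepcopy(self.policies[project_id])

    def set_iam_policy(self, project_id: str, policy: Dict) -> Dict:
        self.set_calls += 1
        if self._pending[project_id] > 0:
            self._pending[project_id] -= 1
            raise HttpError(403, "The caller does not have permission")
        if policy.get("etag") != self.policies[project_id]["etag"]:
            raise HttpError(409, "etag mismatch")
        self.policies[project_id] = copy.deepcopy(policy)
        return copy.deepcopy(policy)


def provision_project(api, project_id: str, member: str,
                      role: str = "roles/editor", max_attempts: int = 6,
                      sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Create a project, then grant ``member`` (e.g. 'user:alice@gmail.com')
    ``role`` on it, retrying only the IAM step on the propagation 403."""
    api.create(project_id)  # real client: poll operations.get until done

    def grant() -> Dict:
        current = api.get_iam_policy(project_id)
        return api.set_iam_policy(project_id, add_binding(current, role, member))

    return retry_with_backoff(grant, is_propagation_403,
                              max_attempts=max_attempts, sleep=sleep)
```

Usage: `provision_project(api, "main-18316463", "user:alice@gmail.com", sleep=waits.append)` against `FakeProjectApi(propagation_failures=3)` makes four setIamPolicy calls and records three waits of roughly 1, 2 and 4 seconds; with `propagation_failures=10` and `max_attempts=4` the 403 is re-raised after the fourth call. To use it for real, replace `FakeProjectApi` with a thin wrapper whose three methods call `projects().create`, `projects().getIamPolicy` and `projects().setIamPolicy` on `googleapiclient.discovery.build("cloudresourcemanager", "v1")`, and leave `sleep` at its default.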
