403 ERROR: While creating a Key using Cloud Function (IAM_PERMISSION_DENIED)

Greetings Everyone,

I’m encountering a ‘403 Permission Denied’ error when attempting to create a new serviceAccountKey using a Cloud Function in Python 3.7. The error message I’m receiving is as follows:

googleapiclient.errors.HttpError: 
<HttpError 403 when requesting https://iam.googleapis.com/v1/projects/*/serviceAccounts/@iam.gserviceaccount.com/keys?alt=json 
returned "Permission 'iam.serviceAccountKeys.create' denied on resource (or it may not exist).". 
Details: "[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'IAM_PERMISSION_DENIED', 'domain': 'iam.googleapis.com', 'metadata': {'permission': 'iam.serviceAccountKeys.create'}}]">

Pub/Sub topic is used for triggering this function and here’s the relevant part of the code I’m using:

import googleapiclient.discovery

# Build the IAM v1 client; credentials come from the function's runtime service account.
iam_service = googleapiclient.discovery.build('iam', 'v1')

# Create a key for the target service account. project_id and service_account_email_id
# are taken from the Pub/Sub message; key_body holds the key options.
response = iam_service.projects().serviceAccounts().keys().create(
    name='projects/%s/serviceAccounts/%s' % (project_id, service_account_email_id),
    body=key_body,
).execute()

Can anyone provide guidance on how to address this “Iam Permission Denied” error when attempting to create a Service Account Key with a default service account that has the “Service Account Key Admin” role? Are there any additional steps or considerations I might be missing? Your insights and help would be greatly appreciated!

Hi @SumanthBurla ,

I have no good answer besides creating a dedicated service account with the relevant roles and assigning it to your Cloud Function. The default service account already has a lot of roles assigned to it.

Note that IAM changes might take a bit of time to propagate everywhere. Sometimes retrying in 5-10 minutes is all you need to make it work.

Another thing to note is that the service account, the one that you are trying to create the key for, must exist, as it says in the error message.

Permission 'iam.serviceAccountKeys.create' denied on resource (or it may not exist).

Good luck and let us know how it goes,

Julien

1 Like

Appreciate your response @julien_bisconti ,

Well, that service account I’m trying here exists, with a key created way back. And I did try using a custom service account for the Cloud Function; the result is the same.

I assumed Pub/Sub was pushing the project_id, but it’s pushing the number!! Now it’s resolved :slightly_smiling_face:

Thanks for your suggestions mate.

1 Like
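The follow-up above reports that the Pub/Sub message carried the project number where the code expected the project ID, and the original post shows the keys().create call built from that value. The example below is added here and is not the poster's code; it decodes a Pub/Sub background-function event, checks that the project field is shaped like a project ID rather than a number and that the service account field is a gserviceaccount.com email, and only then builds the resource name for keys().create. The sample event, the project ID `my-sample-project` and the account `builder@my-sample-project.iam.gserviceaccount.com` are constructed; `iam_service` is injected so the checks run offline.

```python
import base64
import json
import re

# Constructed sample of a Cloud Functions (Python 3.7) Pub/Sub background event.
# Real events carry the message body base64-encoded in event["data"].
SAMPLE_EVENT = {
    "data": base64.b64encode(json.dumps({
        "project": "my-sample-project",  # constructed project ID
        "service_account": "builder@my-sample-project.iam.gserviceaccount.com",  # constructed
    }).encode("utf-8")).decode("ascii"),
    "attributes": {},
}

# A project ID is 6-30 characters of lowercase letters, digits and hyphens,
# starts with a letter and does not end with a hyphen. A project number is all digits.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# Service account emails end in gserviceaccount.com (user-managed or Google-managed).
SA_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.gserviceaccount\.com$")


def decode_pubsub_event(event):
    """Return the JSON body of a Pub/Sub-triggered background function event."""
    payload = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(payload)


def classify_project_identifier(value):
    """Return 'id', 'number' or 'invalid' for the project field of the message."""
    if value.isdigit():
        return "number"
    if PROJECT_ID_RE.match(value):
        return "id"
    return "invalid"


def build_key_resource_name(project, service_account_email):
    """Build the `name` argument for projects.serviceAccounts.keys.create.

    A project number or a malformed email is rejected before any IAM call is made,
    so the function logs a precise cause instead of a generic 403 from the API.
    """
    kind = classify_project_identifier(project)
    if kind != "id":
        raise ValueError("expected a project ID, got a project %s: %r" % (kind, project))
    if not SA_EMAIL_RE.match(service_account_email):
        raise ValueError("not a service account email: %r" % service_account_email)
    return "projects/%s/serviceAccounts/%s" % (project, service_account_email)


def handler(event, context, iam_service=None):
    """Cloud Function entry point (event, context signature).

    `iam_service` is a hypothetical injection point: pass
    googleapiclient.discovery.build('iam', 'v1') in production; leave it None to
    get the validated resource name back without calling the API.
    """
    msg = decode_pubsub_event(event)
    name = build_key_resource_name(msg["project"], msg["service_account"])
    if iam_service is None:
        return name
    return iam_service.projects().serviceAccounts().keys().create(
        name=name, body={}
    ).execute()


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None))
```

Rejecting the identifier in the function rather than letting IAM answer "denied on resource (or it may not exist)" keeps the failure visible in the function's own logs with the offending value, which is the information the thread needed to find the root cause.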