I want to create a cloud storage bucket programmatically using Deployment Manager, but the deployment fails with the following error:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1626165906845-5c6fd413930ca-1a833b6c-81671664]: errors:
- code: RESOURCE_ERROR
  location: /deployments/example-config/resources/storage-bucket
  message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"471700050969@cloudservices.gserviceaccount.com
    does not have storage.buckets.get access to the Google Cloud Storage bucket.","reason":"forbidden"}],"message":"471700050969@cloudservices.gserviceaccount.com
    does not have storage.buckets.get access to the Google Cloud Storage bucket.","statusMessage":"Forbidden","requestPath":"https://storage.googleapis.com/storage/v1/b/storage-bucket","httpMethod":"GET","suggestion":"Consider
    granting permissions to 471700050969@cloudservices.gserviceaccount.com"}}'

However, I have added roles/storage-admin to the account mentioned in the error, and according to the Policy Troubleshooter, access is granted for the storage.buckets.get API call:

[image: Policy Troubleshooter result]

This is the yaml file I use:

imports:
  - path: template.jinja

resources:
  - name: template
    type: template.jinja
    properties:
      storage:
        bucket: qa-bucket-68586

and this is the jinja template:

resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      kind: storage#bucket
      name: {{ properties["storage"]["bucket"] }}
      location: EU
      projectNumber: {{ env["project_number"] }}
      storageClass: STANDARD

  • What happened after you granted the account `storage.admin` role? Did the error change? – Wojtek_B Jul 13 '21 at 16:05
  • No, the error remained the same. – Carlos Rodriguez Jul 13 '21 at 17:14
  • Is the bucket in a different project? Is the bucket name correct? – John Hanley Jul 13 '21 at 19:24
  • Yes, project is the correct one and the name of the bucket is ok. – Carlos Rodriguez Jul 14 '21 at 07:00
  • I added the smallest jinja and yaml files that reproduce the problem. – Carlos Rodriguez Jul 14 '21 at 07:25
  • The key is not if the project name is correct. Which project owns the bucket? – John Hanley Jul 14 '21 at 07:45
  • I want to create the bucket, so at the moment of executing the deployment no project owns the bucket. The steps go like this: I select the project using `gcloud config set project` on the terminal of my machine; I verify that the project is selected using `gcloud config get-value project`; I check that the account in this project has the `storage.admin` role; and then I run `gcloud deployment-manager deployments create example-config --config deployment.yaml` – Carlos Rodriguez Jul 14 '21 at 10:51

1 Answer

Based on your question I tried to reproduce your issue but failed, which means I could create a storage bucket with DM.

I used a simpler approach:

resources:
- type: storage.v1.bucket
  name: tb111
  properties:
    project: proj-name
    name: tb111-1

I wasn't using any variables to pass the project name so maybe it worked.

The result was:

wb@cloudshell:~ (proj-name)$ gcloud deployment-manager deployments create deploy-test111 --config b1.yaml
The fingerprint of the deployment is b'fcW0t5_5DD75iIGyHz='
Waiting for create [operation-1626272156399-fe30b8a9-47-53bbc8c4]...done.
Create operation operation-1626272156399-fe30b8a9-47-53bbc8c4 completed successfully.
NAME   TYPE               STATE      ERRORS  INTENT
tb111  storage.v1.bucket  COMPLETED  []

I can see & access it from the console UI.

To start, try just "hardcoding" your project name in your jinja files, or use mine to start with, and this should work.

Wojtek_B
  • Thanks for the suggestion, Wojtek_B. After some trial and error I found the mistake: the problem was with `name: storage-bucket`. The name of the bucket must be globally unique and `storage-bucket` was already taken. I made the silly mistake also of having the `name` property twice (first one with `storage-bucket` and a second one with `{{ properties["storage"]["bucket"] }}`). I removed the second one and gave a unique number to the bucket and then it worked. Thanks! – Carlos Rodriguez Jul 15 '21 at 12:25
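An added pre-deploy check (not from the question or the answer) for the two mistakes found in this thread: a duplicate `name` key in the template, which a YAML loader such as PyYAML resolves silently to the last value, and a bucket name already owned by another project, which the bucket GET that Deployment Manager performs reports as 403 on storage.buckets.get rather than as a name clash. The template text is constructed from the asker's description, the "403 means taken" reading comes from the final comment, and the PROBE_MEANING table assumes the probe GET is sent as the deploying identity.

```python
import re

# Constructed template mirroring the asker's description: `name` appears twice
# under properties. Jinja is left unrendered (assumption: keys are literal).
BROKEN_TEMPLATE = """\
resources:
  - name: storage-bucket
    type: storage.v1.bucket
    properties:
      name: storage-bucket
      name: {{ properties["storage"]["bucket"] }}
      location: EU
"""


def find_duplicate_keys(text):
    """Return [(line_no, key)] for keys repeated in one block-style YAML mapping."""
    stack, dups = [], []  # stack: one [indent, keys_seen] per open mapping
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        new_item = False
        while body.startswith("- "):  # a list item opens a fresh mapping
            body, indent, new_item = body[2:], indent + 2, True
        m = re.match(r"^([\w.#-]+):(\s|$)", body)
        if not m:
            continue  # continuation line, bare scalar or Jinja statement
        key = m.group(1)
        # close mappings nested deeper than this line (or level with it if it starts a new item)
        while stack and (stack[-1][0] > indent or (new_item and stack[-1][0] == indent)):
            stack.pop()
        if not stack or stack[-1][0] < indent:
            stack.append([indent, set()])
        if key in stack[-1][1]:
            dups.append((no, key))
        stack[-1][1].add(key)
    return dups


# Meaning of the HTTP status of GET storage/v1/b/<name> (the request quoted in
# the DM error) when it is sent as the deploying identity before deploying.
PROBE_MEANING = {
    404: "available: no bucket of that name exists",
    200: "exists and is readable by this identity",
    403: "taken: a bucket of that name exists in a project where this identity "
         "lacks storage.buckets.get, so it is not an IAM gap in your project",
}


def classify_bucket_probe(status):
    """Translate the probe status into what it means for the deployment."""
    return PROBE_MEANING.get(status, "unexpected status %d" % status)
```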