403 - The caller does not have permission
Closed this issue · 7 comments
I keep getting 403 while creating source data resources.
```
❯ export SOURCE_NAME=$(./gatekeeper-securitycenter sources create \
--organization $ORGANIZATION_ID \
--display-name "Gatekeeper" \
--description "Reports violations from Policy Controller audits" \
--impersonate-service-account $SOURCES_ADMIN_SA | jq -r '.name')
2021/11/22 19:44:05 securitycenter.go:65: create "level"=1 "msg"="impersonating Google service account" "serviceAccount"="securitycenter-sources-admin@project.iam.gserviceaccount.com"
Error: it.Next error when finding source by display name: rpc error: code = Unauthenticated desc = transport: impersonate: status code 403: {
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
Usage:
gatekeeper-security sources create [flags]
Flags:
--description string (optional) description of the Security Command Center source (default "Reports violations from Gatekeeper audits")
--display-name string (optional) display name of the Security Command Center source (default "Gatekeeper")
-h, --help help for create
--impersonate-service-account string (optional) Google service account to impersonate
--organization string The numeric Google Cloud organization ID, see <https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id>
```
| Permissions to Service Account | | |
| -- | -- | -- |
| securitycenter-sources-admin@project.iam.gserviceaccount.com | Security Center Sources Admin | Service Usage Consumer |
Thanks for raising this @Rahulsharma0810!
Does your user account have the roles/iam.serviceAccountTokenCreator role on the service account?
You can check this by running:
```
gcloud iam service-accounts get-iam-policy $SOURCES_ADMIN_SA
```
Yes,
```
❯ gcloud iam service-accounts get-iam-policy $SOURCES_ADMIN_SA
bindings:
- members:
- user:me@example.com
role: roles/iam.serviceAccountTokenCreator
etag: BwXRYRAGvc0=
version: 1
```
Thanks for verifying. I'll have to do some investigation to work out what's happening.
In the meantime, if your user account has the necessary roles at the organization level, you should be able to use gatekeeper-securitycenter to create a source in Security Command Center by leaving out the --impersonate-service-account flag.
I am getting:
```
export SOURCE_NAME=$(./gatekeeper-securitycenter sources create \
--organization 880615745833 \
--display-name "Gatekeeper" \
--description "Reports violations from Policy Controller audits")
Error: it.Next error when finding source by display name: rpc error: code = PermissionDenied desc = Security Command Center API has not been used in project 96226117548 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/securitycenter.googleapis.com/overview?project=96226117548 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
error details: name = ErrorInfo reason = SERVICE_DISABLED domain = googleapis.com metadata = map[consumer:projects/96226117548 service:securitycenter.googleapis.com]
error details: name = Help desc = Google developers console API activation url = https://console.developers.google.com/apis/api/securitycenter.googleapis.com/overview?project=96226117548
Usage:
gatekeeper-security sources create [flags]
Flags:
--description string (optional) description of the Security Command Center source (default "Reports violations from Gatekeeper audits")
--display-name string (optional) display name of the Security Command Center source (default "Gatekeeper")
-h, --help help for create
--impersonate-service-account string (optional) Google service account to impersonate
--organization string The numeric Google Cloud organization ID, see <https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id>
```
securitycenter is already enabled in my project.
The best part is that project=96226117548 doesn't even exist in the org where I am trying to run this.
Any help is highly appreciated.
I wonder if perhaps project=96226117548 is the quota project for your application default credentials?
Does the project ID you see when you run this command have project number=96226117548?
```
jq .quota_project_id < ~/.config/gcloud/application_default_credentials.json
```
If that's the case, you may have to update your application default credentials with an appropriate project.
I'll look into adding a --billing-project flag.
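The two checks the maintainer asks for in this thread (whether the caller holds Service Account Token Creator on the service account, and which quota project the application default credentials carry) can be scripted as one diagnostic. The block below is an added example, not part of gatekeeper-securitycenter or of the thread; it works on constructed sample data instead of calling gcloud, so the policy JSON, the ADC file contents and the set of projects with the Security Command Center API enabled are all assumptions made up for illustration.

```python
import json

TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"
SCC_SERVICE = "securitycenter.googleapis.com"

# Constructed sample of `gcloud iam service-accounts get-iam-policy $SA --format=json`
# (the same binding the thread shows, as JSON instead of YAML).
SAMPLE_SA_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["user:me@example.com"], "role": "roles/iam.serviceAccountTokenCreator"}
  ],
  "etag": "BwXRYRAGvc0=",
  "version": 1
}
""")

# Constructed sample of ~/.config/gcloud/application_default_credentials.json;
# only quota_project_id matters here, the other fields are placeholders.
SAMPLE_ADC = json.loads("""
{
  "type": "authorized_user",
  "client_id": "placeholder.apps.googleusercontent.com",
  "quota_project_id": "adc-quota-project"
}
""")

# Constructed: project IDs where the Security Command Center API is enabled.
# In practice this would come from `gcloud services list --enabled --project <id>`.
SAMPLE_ENABLED_SCC_PROJECTS = {"org-tooling-project"}


def members_with_role(policy, role):
    """All members bound to `role` anywhere in an IAM policy (a role may appear in several bindings)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def can_impersonate(policy, member):
    """True if `member` holds Service Account Token Creator on the target service account.
    Without it the IAM Credentials generateAccessToken call behind
    --impersonate-service-account is refused (403) before Security Command Center is reached."""
    return member in members_with_role(policy, TOKEN_CREATOR_ROLE)


def quota_project(adc):
    """The project whose API enablement and quota are used for calls made with these ADC."""
    return adc.get("quota_project_id")


def diagnose(policy, member, adc, enabled_scc_projects):
    """Return the findings a reader of this thread would check first, as plain strings."""
    findings = []
    if not can_impersonate(policy, member):
        findings.append(f"{member} lacks {TOKEN_CREATOR_ROLE} on the service account")
    project = quota_project(adc)
    if project is None:
        findings.append("ADC has no quota_project_id; requests may be attributed to an unexpected project")
    elif project not in enabled_scc_projects:
        findings.append(f"{SCC_SERVICE} is not enabled in ADC quota project {project}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_SA_POLICY, "user:me@example.com",
                         SAMPLE_ADC, SAMPLE_ENABLED_SCC_PROJECTS):
        print(line)
```

With the sample data the token creator binding is present, so the only finding is that the ADC quota project is not among the projects with the API enabled, which matches the second error in the thread: the PermissionDenied names a project that is not the one the user thinks they are working in.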
This issue is stale because it has been open for 28 days with no activity. It will automatically close after 14 more days of inactivity.
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.