terraform-google-modules/terraform-google-iam

organizations_iam: "Role roles/securityReviewer is not supported for this resource"

choonchernlim opened this issue · 8 comments

Given the following code...

module "org_iam" {
  source        = "../../modules/iam/modules/organizations_iam"
  organizations = ["99999999"]
  mode          = "additive"
  bindings = {
    "roles/resourcemanager.organizationAdmin" = ["serviceAccount:abc@abc.iam.gserviceaccount.com"]
    "roles/securityReviewer"                  = ["serviceAccount:abc@abc.iam.gserviceaccount.com"]
  }
}

I'm getting this error...

Error: Error applying IAM policy for organization "99999999": Error setting IAM policy for organization "99999999": googleapi: Error 400: Role roles/securityReviewer is not supported for this resource., badRequest

  on ../../modules/iam/modules/organizations_iam/main.tf line 40, in resource "google_organization_iam_member" "organization_iam_additive":
  40: resource "google_organization_iam_member" "organization_iam_additive" {

When I went into GCP's IAM page, I was able to assign that role manually to that service account without error.

The other binding (roles/resourcemanager.organizationAdmin) works fine, but I'm not sure why it's failing on just roles/securityReviewer. Using authoritative mode yields the same result.

Can you share some insight on how I might be able to fix this?

Thank you.

The name of the role is roles/iam.securityReviewer, not roles/securityReviewer, so please try that.

In general, almost all GCP IAM roles come in the form of {service}.{role}.
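The naming rule above is easy to check before `terraform apply` reaches the API. The following is an added example (not code from the terraform-google-iam module or from anyone in this thread) of a small pre-apply lint for a bindings map: it classifies each role as a legacy basic role (`roles/owner`, `roles/editor`, `roles/viewer`), a predefined `roles/{service}.{role}` role, or an org/project-scoped custom role, and flags anything else, including the missing service prefix that caused the 400 in this issue. It also checks that members are in `{type}:{id}` form and warns on public principals. The `ISSUE_BINDINGS` dict is a constructed copy of the HCL map from the issue; the regular expressions are an approximation of the documented naming forms, not an exhaustive grammar.

```python
import re

# Constructed copy of the bindings map from the issue above (HCL map written as a Python dict).
ISSUE_BINDINGS = {
    "roles/resourcemanager.organizationAdmin": ["serviceAccount:abc@abc.iam.gserviceaccount.com"],
    "roles/securityReviewer": ["serviceAccount:abc@abc.iam.gserviceaccount.com"],
}

# The three legacy basic roles are the main exception to the roles/{service}.{role} form.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Predefined roles: roles/{service}.{role}; the role part may itself contain dots
# (for example roles/compute.instanceAdmin.v1), but there must be at least one.
PREDEFINED_ROLE_RE = re.compile(r"^roles/[a-z][a-zA-Z0-9]*\.[a-zA-Z0-9_.]+$")

# Custom roles are scoped to an organization or project.
CUSTOM_ROLE_RE = re.compile(r"^(organizations|projects)/[^/]+/roles/[A-Za-z0-9_.]+$")

# Common member forms (assumed subset); allUsers / allAuthenticatedUsers are public principals.
MEMBER_RE = re.compile(r"^(user|serviceAccount|group|domain):[^\s:]+$")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def classify_role(role):
    """Return 'basic', 'predefined', 'custom' or 'invalid' for a role string."""
    if role in BASIC_ROLES:
        return "basic"
    if PREDEFINED_ROLE_RE.match(role):
        return "predefined"
    if CUSTOM_ROLE_RE.match(role):
        return "custom"
    return "invalid"


def lint_bindings(bindings):
    """Return a list of (role, member_or_None, message) findings for a bindings map.

    Findings cover malformed role names, malformed members, and public principals
    (the last reported as a warning rather than a syntax error).
    """
    findings = []
    for role, members in bindings.items():
        if classify_role(role) == "invalid":
            msg = "role is not a basic, predefined (roles/{service}.{role}) or custom role name"
            if role.startswith("roles/") and "." not in role:
                msg += "; the service prefix is missing"
            findings.append((role, None, msg))
        for member in members:
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "warning: public principal in binding"))
            elif not MEMBER_RE.match(member):
                findings.append((role, member, "member is not in {type}:{id} form"))
    return findings


if __name__ == "__main__":
    # Running this against the issue's bindings reports only roles/securityReviewer.
    for role, member, msg in lint_bindings(ISSUE_BINDINGS):
        print(f"{role} {member or ''}: {msg}")
```

Run it in a CI step or a pre-commit hook over the bindings you feed into the module; a failed lint costs seconds, while the same typo otherwise only surfaces as a 400 from the API mid-apply.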

Thank you very much, @morgante. That works. I was following Forseti's documentation and it looks like they have a typo. It was fixed literally 5 minutes ago.

https://forsetisecurity.org/docs/latest/setup/install.html#iam-roles this page should be fixed too. I'm not sure where the source code of that page is.

@blueandgold can you help get the website fixed as well?

Thanks for the heads up, the website documentation is already correct.

image

Hi @blueandgold, the doc for the IAM roles for the forseti server service account is correct, as indicated in the picture. But the service account shown here https://forsetisecurity.org/docs/latest/setup/install.html#iam-roles, which is used to spawn the forseti instance, has the role name listed incorrectly.

@xingao267 good catch, will fix that and see if we can centralize the content.

Opened PR #3605 on the forseti repo.