terraform-google-modules/terraform-google-service-accounts

Can't assign Cloud SQL roles

unittolabs opened this issue · 2 comments

Hey, guys!

I ran into a problem when setting Cloud SQL roles for a service account with the following config:

module "service-accounts" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "3.0.1"

  project_id = local.project_id
  names      = ["${local.prefix}-cluster-proxy"]
  project_roles = [
    "${local.project_id}=>roles/cloudsql.instances.connect",
    "${local.project_id}=>roles/cloudsql.instances.get",
  ]
}

The error is: Final error: Error applying IAM policy for project "<project_id>": Error setting IAM policy for project "<project_id>": googleapi: Error 400: Role roles/cloudsql.instances.connect is not supported for this resource., badRequest

Does anyone have an idea of what is wrong here and how to fix it?

Those are actually the permissions, not the roles. You probably want to use the roles/cloudsql.client role.

module "service-accounts" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "3.0.1"

  project_id = local.project_id
  names      = ["${local.prefix}-cluster-proxy"]
  project_roles = [
    "${local.project_id}=>roles/cloudsql.client"
  ]
}
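The mix-up in this thread (passing an IAM permission such as cloudsql.instances.connect where the module expects a role) only surfaces at apply time as a 400 from the IAM API. The check below is an added example, not code from the module or from anyone in this thread: it parses the module's `project_id=>role` entries before `terraform apply` and flags values that look like permission names, as well as basic roles (roles/owner, roles/editor, roles/viewer) that grant far more than a Cloud SQL client needs. The classification is a heuristic I wrote for this example: a `roles/` string whose last dot-separated segment is a common permission verb (`get`, `connect`, `list`, ...) is treated as a pasted permission; the verb list, the regexes and the sample project id are assumptions, not something the module publishes.

```python
"""Pre-apply lint for `project_id=>role` entries passed to the
terraform-google-modules service-accounts module's `project_roles` input.
Added example; not part of the module or of the issue thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed list of verbs that end GCP permission names (service.resource.verb).
# A `roles/...` value ending in one of these is almost certainly a permission
# that was pasted where a role was expected, e.g. roles/cloudsql.instances.connect.
PERMISSION_VERBS = {
    "get", "list", "create", "delete", "update", "patch", "use", "connect",
    "login", "actAs", "getIamPolicy", "setIamPolicy", "start", "stop",
}
# Basic roles are project-wide and grossly over-privileged for a single workload.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Predefined roles: roles/service.name, occasionally with a version suffix
# such as roles/compute.instanceAdmin.v1 (assumed shape).
PREDEFINED_ROLE_RE = re.compile(r"^roles/[a-z][A-Za-z0-9]*(\.[A-Za-z0-9]+)*$")
# Custom roles live under a project or organization (assumed shape).
CUSTOM_ROLE_RE = re.compile(r"^(projects|organizations)/[^/]+/roles/[A-Za-z0-9_.]+$")


@dataclass(frozen=True)
class Finding:
    entry: str
    severity: str  # "error" blocks apply, "warning" is a least-privilege hint
    message: str


def parse_binding(entry: str) -> Tuple[str, str]:
    """Split the module's 'project_id=>role' format into its two parts."""
    if "=>" not in entry:
        raise ValueError(f"expected 'project_id=>role', got {entry!r}")
    project, role = entry.split("=>", 1)
    return project.strip(), role.strip()


def classify_role(role: str) -> str:
    """Return one of: basic, custom, permission, predefined, unknown."""
    if role in BASIC_ROLES:
        return "basic"
    if CUSTOM_ROLE_RE.match(role):
        return "custom"
    if role.startswith("roles/"):
        parts = role[len("roles/"):].split(".")
        # service.resource.verb has at least three segments and ends in a verb
        if len(parts) >= 3 and parts[-1] in PERMISSION_VERBS:
            return "permission"
        if PREDEFINED_ROLE_RE.match(role):
            return "predefined"
    return "unknown"


def lint_project_roles(entries: List[str],
                       expected_project: Optional[str] = None) -> List[Finding]:
    """Lint every entry; an empty list means the config is safe to apply."""
    findings: List[Finding] = []
    for entry in entries:
        try:
            project, role = parse_binding(entry)
        except ValueError as exc:
            findings.append(Finding(entry, "error", str(exc)))
            continue
        if expected_project is not None and project != expected_project:
            findings.append(Finding(
                entry, "warning",
                f"binds to project {project!r}, expected {expected_project!r}"))
        kind = classify_role(role)
        if kind == "permission":
            findings.append(Finding(
                entry, "error",
                f"{role} looks like an IAM permission, not a role; bind a role "
                "that contains it (e.g. roles/cloudsql.client for Cloud SQL access)"))
        elif kind == "basic":
            findings.append(Finding(
                entry, "warning",
                f"{role} is a basic role and grants far more than a single workload needs"))
        elif kind == "unknown":
            findings.append(Finding(entry, "error", f"unrecognized role format: {role!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the entries from the issue, with a placeholder project id.
    sample = [
        "my-project-id=>roles/cloudsql.instances.connect",
        "my-project-id=>roles/cloudsql.instances.get",
        "my-project-id=>roles/cloudsql.client",
    ]
    for f in lint_project_roles(sample, expected_project="my-project-id"):
        print(f"{f.severity}: {f.entry}: {f.message}")
```

Run it against the `project_roles` list before applying; the two permission-style entries from the original config come back as errors, while `roles/cloudsql.client` passes with no findings. The project check is there because the `=>` format makes it easy to bind a service account into the wrong project without noticing.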

You're right! I was confused about permissions / roles. Thanks!