organization service account missing permissions when describing scc-notify #1283

Open
rdattilo opened this issue Jun 27, 2024 · 2 comments
rdattilo commented Jun 27, 2024

If you follow the README-GitHub.md, under Deploying step 1-org, step 10:

gcloud scc notifications describe "scc-notify" --format="value(name)" --organization=${ORGANIZATION_ID} --impersonate-service-account=${ORG_STEP_SA}

produces this error:

ERROR: (gcloud.scc.notifications.describe) PERMISSION_DENIED: Caller does not have required permission to use project validator-project-111111. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=validator-project-111111 and then retry. Propagation of the new permission may take a few minutes. This command is authenticated as [email protected] which is the active account specified by the [core/account] property. Impersonation is used to impersonate [email protected].
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developer console IAM admin
    url: https://console.developers.google.com/iam-admin/iam/project?project=validator-project-427516
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/validator-project-427516
    service: securitycenter.googleapis.com
  reason: USER_PROJECT_DENIED

I was able to run this successfully without impersonation, much like the instructions in the README.md in the 1-org folder, step 3:

gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID}

Unsure what the correct course of action here is; however, I thought you should be aware of the discrepancy between the two sets of instructions.

daniel-cit self-assigned this Jun 28, 2024

daniel-cit (Contributor) commented

Hi @rdattilo, thanks for your report.

I was able to reproduce the same error if I set the billing/quota_project in the gcloud configuration.
If I unset the billing quota project the error is not reproduced.

The SCC API bills the API call to the project that is the parent of the service account used, but if a billing/quota_project is set it will try to bill the quota project instead. In this case the service account will need the roles/serviceusage.serviceUsageConsumer role.

I will add a note in the instructions to highlight that when using service account impersonation.
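The following script is an added example, not part of this issue thread or of the project's README. It checks the mechanism described in the comment above: if `billing/quota_project` is set in the active gcloud configuration and differs from the project that owns the impersonated service account, the `scc notifications describe` call will be charged to that quota project and the service account needs `serviceusage.services.use` there. The helper parses the owning project out of the service-account email and, on a mismatch, prints the two remedies the thread names (unset the quota project, or grant `roles/serviceusage.serviceUsageConsumer` on it) before running the describe command. The organization ID, service-account email and project IDs in the usage comment are constructed placeholders, not values from the issue.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): detect whether a gcloud
# billing/quota_project setting will make an impersonated
# `gcloud scc notifications describe` bill a project the service account
# cannot use, and show the remedies before running the call.
set -eu

# Project ID that owns a service account, parsed from its email address
# (<name>@<project>.iam.gserviceaccount.com). Prints nothing for other formats.
sa_project() {
  email="$1"
  case "$email" in
    *@*.iam.gserviceaccount.com)
      host="${email#*@}"
      printf '%s\n' "${host%.iam.gserviceaccount.com}" ;;
    *) printf '\n' ;;
  esac
}

# Returns 0 (true) when the call will be charged to a quota project other
# than the service account's own project, i.e. the case in which
# roles/serviceusage.serviceUsageConsumer is required on the quota project.
quota_project_mismatch() {
  quota_project="$1"
  sa_email="$2"
  own="$(sa_project "$sa_email")"
  [ -n "$quota_project" ] && [ "$quota_project" != "$own" ]
}

# Live check against the active gcloud configuration (needs gcloud and
# credentials; it is not exercised offline).
check_scc_describe() {
  org_id="$1"
  sa_email="$2"
  # Empty stdout when unset; gcloud prints "(unset)" only on stderr.
  quota_project="$(gcloud config get-value billing/quota_project 2>/dev/null || true)"
  if quota_project_mismatch "$quota_project" "$sa_email"; then
    cat <<EOF
billing/quota_project is '${quota_project}', but ${sa_email} belongs to '$(sa_project "$sa_email")'.
The describe call will be charged to '${quota_project}', so the service
account needs serviceusage.services.use there. Either unset the quota project:
  gcloud config unset billing/quota_project
or grant the role on the quota project:
  gcloud projects add-iam-policy-binding ${quota_project} \\
    --member="serviceAccount:${sa_email}" \\
    --role="roles/serviceusage.serviceUsageConsumer"
EOF
    return 1
  fi
  gcloud scc notifications describe "scc-notify" --format="value(name)" \
    --organization="${org_id}" --impersonate-service-account="${sa_email}"
}

# Usage with constructed placeholder values (not from the issue):
#   check_scc_describe 123456789012 sa-terraform-org@prj-b-seed-1234.iam.gserviceaccount.com
```

Running the command without impersonation, as the poster did, works because the caller's own quota project is then charged; the check above makes the impersonated case fail early with an explanation instead of the opaque PERMISSION_DENIED.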


This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
