The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource
The above error message is being thrown when I try to add a task to a queue. Here is my setup and the info about this problem:

  • Project ID: my-project
  • Service Account ID: my-service-account
  • Task Queue Name: my-queue
  • Task Queue Location: asia-northeast1 (one of the few locations where Cloud Task is currently in beta)

Also, let's confirm that all the above exist and are running.

When I check my service account roles by POSTING to https://cloudresourcemanager.googleapis.com/v1/projects/my-project:getIamPolicy

I receive a response similar to:

{
    "status": 200,
    "data":
    {
        "version": 1,
        "etag": "BwV6nNWJg4E=",
        "bindings": [
        {
            "role": "roles/cloudtasks.admin",
            "members": [
                "serviceAccount:[email protected]"
            ]
        },
        {
            "role": "roles/cloudtasks.enqueuer",
            "members": [
                "serviceAccount:[email protected]"
            ]
        }]
    }
}

As you can see, my-service-account has the following 2 roles:

  1. roles/cloudtasks.admin
  2. roles/cloudtasks.enqueuer

Both of those roles have the cloudtasks.tasks.create permission baked in.

When I try to add a task to the Cloud Task using the following:

POST https://cloudtasks.googleapis.com/v2beta3/projects/my-project/locations/asia-northeast1/queues/my-queue/tasks + task payload

I receive the following error message:

{
    "status": 403,
    "data":
    {
        "error":
        {
            "code": 403,
            "message": "The principal (user or service account) lacks IAM permission \"cloudtasks.tasks.create\" for the resource \"projects/my-project/locations/asia-northeast1/queues/my-queue\" (or the resource may not exist).",
            "status": "PERMISSION_DENIED"
        }
    }
}

This really puzzles me.

Is there anybody who knows what I might be doing wrong?

Latonya answered 14/11, 2018 at 22:40 Comment(6)
I'm getting the same issue out of nowhere. My creds were working great, and with no code changes, this error started popping up. No solution on my side. - Rawlings
To fix this I had to blow up all the roles and then re-add them. The only thing that comes to my mind is that I changed the roles on the console, and then I also used the API. I feel that updating the roles mixing the API and the console might have created that bug. - Latonya
Find the client_email that is using this function; you will find it in service.json. Go to Cloud Console IAM and click on add role .. give it admin role :D I know it might be a bit insecure, but if it works then you can plan around some good role to improve security. - Reniti
You might also be interested in #63269693 - Reasoned
Does this answer your question? creating Google Cloud Task in a firebase function - Reasoned
Thanks @Reasoned, but this did not fix my issue. Unless I'm misunderstanding their solutions, this is the same as what I did above. My service account had all the documented roles. Eventually I gave up on this architecture and moved on to implementing something else. - Latonya

First check which service account is used for calling the API. It looks like whatever makes the API calls uses the default service account, which may not have the proper permissions.

Sometimes if you omit which service account has to be used in the API call, then the default account will be used and you may get authenticated with credentials that won't let you create tasks.

I recommend using API keys to authenticate to rule out any confusion about which service account is being authenticated.

Very similar case was discussed (and solved) here.

Rimarimas answered 25/9, 2020 at 11:17 Comment(0)

For me, I had listed the wrong queue.name (i.e. not the fully-qualified name) in the request, which caused this weird API error.

I discovered this error after looking at the source code for the Node Cloud Tasks client:

https://github.com/googleapis/google-cloud-node/blob/main/packages/google-cloud-tasks/samples/quickstart.js

Uniocular answered 24/9, 2019 at 15:54 Comment(0)
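The question's 403 text says it outright: the same error is returned when the principal lacks the permission and when the resource name is wrong or does not exist. The two answers above correspond to those two causes (the client authenticating as a different principal than the one that was granted the roles, and a queue name that is not the fully-qualified `projects/P/locations/L/queues/Q` path). The following is an added offline pre-flight check, not code from the question or from any of the answers: it takes the getIamPolicy body shown in the question, the `client_email` from the service-account key file the client actually loads, and the queue path placed in the request, and reports which of the known causes applies. The role-to-permission table, the sample key files and the full service-account e-mail addresses are assumptions constructed for the example.

```python
"""Offline pre-flight checks for a Cloud Tasks 403 on cloudtasks.tasks.create.

Separates the two causes hidden behind one error message, using data that is
available locally: the project IAM policy (getIamPolicy response body), the
client_email of the key file the client loads, and the queue name in the request.
"""
import json
import re

# Predefined roles that grant cloudtasks.tasks.create. Assumption based on the
# Cloud Tasks role documentation; extend if you use a custom role.
ROLES_WITH_TASKS_CREATE = {
    "roles/cloudtasks.admin",
    "roles/cloudtasks.enqueuer",
    "roles/owner",
    "roles/editor",
}

# A queue resource must be referenced by its fully-qualified name.
QUEUE_RE = re.compile(r"^projects/([^/]+)/locations/([^/]+)/queues/([^/]+)$")


def parse_queue_name(name):
    """Return (project, location, queue), or None if the name is not fully qualified."""
    m = QUEUE_RE.match(name)
    return m.groups() if m else None


def roles_for_member(policy, member):
    """Roles bound to `member` in a getIamPolicy response body (sorted list)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def member_from_key_file(key_json):
    """IAM member string for the principal the client will really authenticate as."""
    data = json.loads(key_json)
    return "serviceAccount:" + data["client_email"]


def diagnose(policy, key_json, queue_name, expected_project):
    """Return a list of findings; an empty list means none of the known causes applies."""
    findings = []
    member = member_from_key_file(key_json)

    parts = parse_queue_name(queue_name)
    if parts is None:
        findings.append("queue name is not fully qualified "
                        "(expected projects/P/locations/L/queues/Q)")
    elif parts[0] != expected_project:
        findings.append(f"queue name points at project {parts[0]!r}, "
                        f"expected {expected_project!r}")

    roles = roles_for_member(policy, member)
    if not roles:
        findings.append(f"{member} has no bindings in the project policy "
                        "(client may be authenticating as a different principal "
                        "than the one you granted roles to)")
    elif not ROLES_WITH_TASKS_CREATE & set(roles):
        findings.append(f"{member} has roles {roles}, none of which grants "
                        "cloudtasks.tasks.create")
    return findings


# --- constructed sample data (mirrors the question; e-mail addresses are assumed) ---
INTENDED_SA = "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwV6nNWJg4E=",
    "bindings": [
        {"role": "roles/cloudtasks.admin", "members": [INTENDED_SA]},
        {"role": "roles/cloudtasks.enqueuer", "members": [INTENDED_SA]},
    ],
}
# Key file for the account that was granted the roles.
INTENDED_KEY = json.dumps({"type": "service_account",
                           "client_email": INTENDED_SA.split(":", 1)[1]})
# Key file for a different principal, e.g. a default service account picked up
# from the environment (constructed address).
DEFAULT_KEY = json.dumps({"type": "service_account",
                          "client_email": "123456789-compute@developer.gserviceaccount.com"})
FULL_QUEUE = "projects/my-project/locations/asia-northeast1/queues/my-queue"

if __name__ == "__main__":
    print("intended SA, full queue name:", diagnose(SAMPLE_POLICY, INTENDED_KEY, FULL_QUEUE, "my-project"))
    print("default SA, bare queue name:", diagnose(SAMPLE_POLICY, DEFAULT_KEY, "my-queue", "my-project"))
```

The check deliberately inspects only the project-level policy, which is what the question posted; bindings can also be set on the queue itself, so an empty finding list here is not proof of access. The authoritative check is to call the queue's `testIamPermissions` method with the credentials the client really loads and see whether `cloudtasks.tasks.create` comes back.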

You can grant access to your service account with the following command:

gcloud projects add-iam-policy-binding {project} \
    --member=serviceAccount:{service-account-email} \
    --role=roles/cloudtasks.enqueuer

Notice that Google Cloud will take some minutes to apply this change (even if the CLI returns, you will need to wait).

Ginkgo answered 18/10, 2022 at 17:12 Comment(0)
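Rather than sleeping an arbitrary number of minutes after the `add-iam-policy-binding` call above, a deployment step can poll until the new binding is actually visible to the caller. The following is an added example, not code from the answer: `wait_for_permission` polls any check callable with a bounded timeout, and `make_rest_check` builds the real check by asking the queue's `testIamPermissions` method (Cloud Tasks REST API v2) whether `cloudtasks.tasks.create` is held. The clock and sleep parameters exist so the loop can be exercised without waiting; the REST check assumes the `google-auth` package and network access and is not run offline.

```python
"""Wait for an IAM binding to propagate instead of sleeping a fixed time."""
import time


def wait_for_permission(check, timeout_s=300.0, interval_s=10.0,
                        clock=time.monotonic, sleep=time.sleep):
    """Call check() until it returns True; return the number of attempts made.

    Raises TimeoutError once timeout_s has elapsed without a positive result.
    clock/sleep are injectable so the loop can be tested without real delays.
    """
    deadline = clock() + timeout_s
    attempts = 0
    while True:
        attempts += 1
        if check():
            return attempts
        if clock() >= deadline:
            raise TimeoutError(f"permission not visible after {attempts} attempts")
        sleep(interval_s)


def make_rest_check(queue_name, credentials, permission="cloudtasks.tasks.create"):
    """Build a check() that asks Cloud Tasks whether the caller holds `permission`
    on the queue (queues.testIamPermissions). Requires network access and the
    google-auth package (assumption); queue_name is the fully-qualified path."""
    def check():
        from google.auth.transport.requests import AuthorizedSession  # lazy import
        session = AuthorizedSession(credentials)
        url = f"https://cloudtasks.googleapis.com/v2/{queue_name}:testIamPermissions"
        resp = session.post(url, json={"permissions": [permission]})
        resp.raise_for_status()
        # The response lists only the permissions the caller actually has.
        return permission in resp.json().get("permissions", [])
    return check


if __name__ == "__main__":
    # Offline demonstration with a fake clock: the binding "appears" on the third poll.
    results = iter([False, False, True])
    fake_now = [0.0]
    n = wait_for_permission(lambda: next(results), timeout_s=60, interval_s=10,
                            clock=lambda: fake_now[0],
                            sleep=lambda s: fake_now.__setitem__(0, fake_now[0] + s))
    print("binding visible after", n, "attempts")
```

In a real deployment you would call `wait_for_permission(make_rest_check(queue_name, creds))` right after the `gcloud` command, with `creds` loaded from the same key file the task-enqueueing code uses, so that the wait ends exactly when that principal can create tasks.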

I have no clue why that worked, but I blew out all the roles and then added them again, and then it worked. Seems to be a bug on Google Cloud Platform.

Latonya answered 15/11, 2018 at 8:31 Comment(0)

What worked for me was providing the project ID in the cloud tasks resource block:

resource "google_cloud_tasks_queue" "configuration" {
  name     = var.cloud_tasks_queue_id
  location = var.region
  project  = var.project_id
}

I had the exact same problem, giving me an authorization error; however, this worked for me.

Note: What's confusing is that the Terraform documentation describes the project_id attribute as optional...

Pentapody answered 12/10, 2023 at 9:24 Comment(0)