missing permission on "billingAccounts/XXXXXXXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create Terraform (GCP)

Asked 6/4, 2020 at 5:49 Answered 10/5, 2024 at 7:43

Solved google-cloud-platform terraform terraform-provider-gcp

I tried to automate the Shared VPC creation on GCP by using Terraform. I have enabled all the access to my service account (Org Admin, XpnAdmin, Storage Admin, Compute admin, Billing Admin)

But when i executed terraform apply it's throwing me following error:

missing permission on "billingAccounts/CXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create

I'm referring the Google provider Github code for this demo.

Acidimetry answered 6/4, 2020 at 5:49 Comment(3)

Billing Account Administrator has the required permissions. This means that the service account that you are using with Terraform does not have the role roles/billing.admin. – Mojgan 6/4, 2020 at 6:38

I've run into the same issue and I have Billing Admin permissions. – Navarra 8/4, 2020 at 5:16

Hey @john Hanley Thanks for your comment, Yup after i gave a billing admin access issue got resoled. Thanks a lot. May God Bless You:) – Acidimetry 10/4, 2020 at 7:2

It's quite likely you have the billing admin, but you also need the ability to create billing assignments, or "Billing Project Manager".

https://cloud.google.com/billing/v1/how-tos/access-control

billing.resourceAssociations.create AND resourcemanager.projects.createBillingAssignment on the Cloud Billing account.

There's some handy code to bootstrap a service account - Google Project Factory - You might want to have a look at that. Once that SA is created you shouldn't have permissions issues

Hoarfrost answered 8/4, 2020 at 9:43 Comment(2)

Thanks for your answer, now i resolved this issue by enabling the billing admin access to my SA. May God Bless You :) – Acidimetry 10/4, 2020 at 7:3

@Ravi k I've the same error, could you please explain how did you solve this issue? How should I enableing the billing admin to my already exists SA? – Irremissible 9/9, 2020 at 7:16

I was getting same error even my "Service Account" had the necessary "Organization" level permissions. Then I figured out, I need to give permission from "Billing Account". It worked.

I was following this tutorial to create projects via "Service Account" and "Terraform", but still was getting error. After some research, I followed this how-to and gave permission from "Billing Account".

Project, Organization and Billing are 3 separate components for permissions. Giving "Organization" level is not enough. The permission should be given from "Billing Account" as well.

Glabrescent answered 28/4, 2021 at 7:41 Comment(0)

It's quite likely you have the billing admin, but you also need the ability to create billing assignments, or "Billing Project Manager".

https://cloud.google.com/billing/v1/how-tos/access-control

billing.resourceAssociations.create AND resourcemanager.projects.createBillingAssignment on the Cloud Billing account.

There's some handy code to bootstrap a service account - Google Project Factory - You might want to have a look at that. Once that SA is created you shouldn't have permissions issues

Hoarfrost answered 8/4, 2020 at 9:43 Comment(2)

Thanks for your answer, now i resolved this issue by enabling the billing admin access to my SA. May God Bless You :) – Acidimetry 10/4, 2020 at 7:3

@Ravi k I've the same error, could you please explain how did you solve this issue? How should I enableing the billing admin to my already exists SA? – Irremissible 9/9, 2020 at 7:16

I faced the same problem and consumed about 3 hours.

As a result, I found that we needed to set up the role on the Billing account side.

As shown in the picture below, you need to grant the Billing role to the *** service account*** where Cloud Billing will run.

Cleocleobulus answered 10/5, 2024 at 7:43 Comment(0)

I faced the same issue. You can now assign the role to an identity with this gcloud CLI command (as of the time of writing is still on alpha):

gcloud alpha billing accounts add-iam-policy-binding 123456-ABCDEF-123ABD \
  --member "serviceAccount:youserviceaccount@projectID-of-the-serviceaccount.iam.gserviceaccount.com" \
  --role="roles/billing.user"

https://cloud.google.com/sdk/gcloud/reference/alpha/billing/accounts/add-iam-policy-binding

Venita answered 5/7, 2023 at 8:29 Comment(0)

-1

This error generally comes when you are logged into to machine/laptop and set default credentials to run terraform. Thereafter you got a new account or have been asked to use new account and you are authenticating using gcloud auth login / or gcloud auth application-default login. This will still use the previous account billing account. It is recommended to use Google CloudShell to run terraform script first time.

Depressed answered 15/2, 2022 at 12:7 Comment(0)

-1

I was getting this error when I had an old (deleted) billing account Id in my Terraform config.

Urquhart answered 8/2, 2023 at 12:41 Comment(0)

Recommended topics

Hot tags