Enable APIs using serviceusage API with a service account

3

12

I want to create an automatic deployment of GCP for clients.

In order to do that, I have opened a page for them to log in with Google, and then enabled the IAM API and the Service Usage API.

Then I have created a service account that I want to use from this point forward in order to enable other required APIs on demand and not all at once.

When I try to enable the cloudkms API, I get

googleapiclient.errors.HttpError: <HttpError 403 when requesting https://serviceusage.googleapis.com/v1/projects/x-y-z/services/cloudkms.googleapis.com?alt=json returned "The caller does not have permission"

I tried using the service account credentials (google.auth.jwt.Credentials) that I have created from the response of creating the service account, and I have added all the required permissions. I don't want to grant the role owner to the service account, because I want the account to have as few permissions as possible.

When I try to get the status of cloudkms API using the user's permissions, it works.

I have seen some solutions addressing me needing to create credentials for the service account here: https://console.developers.google.com/apis/credentials but I really need to do this programmatically as well.

My code:

# Imports needed by the calls below
from google.auth import jwt
import googleapiclient.discovery

credentials = jwt.Credentials.from_service_account_file(service_account_info['email'] + '.json', audience="https://www.googleapis.com/auth/cloud-platform")
# credentials = GoogleCredentials.get_application_default() - it works with this
service_usage = googleapiclient.discovery.build('serviceusage', 'v1', credentials=credentials)
service_usage.services().get(name="projects/<project_id>/services/cloudkms.googleapis.com").execute()

The error was mentioned above.

Vite answered 8/5, 2019 at 10:56 Comment(0)
16

You need the Cloud IAM permission serviceusage.services.enable to enable services. Depending on what features you require, such as listing services, you need serviceusage.services.list.

Typically you add the role roles/serviceusage.serviceUsageAdmin which includes the following permissions:

  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.enable
  • serviceusage.services.disable
Moraine answered 9/5, 2019 at 0:59 Comment(1)
I actually used the roles/owner and added it to the policy, and put the service account under it, and it still doesn't work. - Vite
9
  1. Go to IAM
  2. Edit user selected
  3. Add new role
  4. Type Service Usage Admin
  5. Save
Marder answered 7/3, 2022 at 21:47 Comment(1)
I had to scroll to it - didn't find it typing - Gist
0

I ran into the same problem. Using the owner account gave 403 error responses. I had a GCP_SERVICE_ACCOUNT_CREDENTIALS_FILE_PATH set up in my .env file and the IDE picked up this file automatically. So basically I was using one of the service accounts which didn't have the required permissions.

Xylophone answered 6/11, 2023 at 20:32 Comment(0)
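Added example, not part of any answer above and not code from Google's client libraries: an offline check for the two causes the answers raise, namely which service account a key file actually authenticates as, and whether the project IAM policy binds that account to a role carrying serviceusage.services.enable. The role map holds only what the thread names (roles/owner is modelled as granting everything), the policy, e-mail addresses and function names are constructed for illustration, and groups, IAM conditions and inherited folder or organization policy are not evaluated.

```python
import json

# Permissions the thread lists for roles/serviceusage.serviceUsageAdmin;
# roles/owner is modelled as granting everything (assumption of this sketch).
ROLE_PERMISSIONS = {
    "roles/serviceusage.serviceUsageAdmin": {
        "serviceusage.services.get", "serviceusage.services.list",
        "serviceusage.services.enable", "serviceusage.services.disable"},
    "roles/owner": {"*"},
}

# Constructed sample data (not from the page): a getIamPolicy-style policy
# and the two fields of a key file that matter here.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:ide-default@example-project.iam.gserviceaccount.com"]},
]}
DEPLOYER_KEY = json.dumps({"type": "service_account",
    "client_email": "deployer@example-project.iam.gserviceaccount.com"})
IDE_KEY = json.dumps({"type": "service_account",
    "client_email": "ide-default@example-project.iam.gserviceaccount.com"})

def key_file_identity(key_json):
    """Return the IAM member string a service-account key file authenticates as."""
    info = json.loads(key_json)
    if info.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    return "serviceAccount:" + info["client_email"]

def roles_granting(policy, member, permission):
    """Roles bound directly to `member` in `policy` that carry `permission`."""
    hits = []
    for binding in policy.get("bindings", []):
        perms = ROLE_PERMISSIONS.get(binding["role"], set())
        if member in binding.get("members", []) and (permission in perms or "*" in perms):
            hits.append(binding["role"])
    return hits

def diagnose(key_json, policy, permission="serviceusage.services.enable"):
    """Report who the key is, whether it holds the permission, and via which roles."""
    member = key_file_identity(key_json)
    roles = roles_granting(policy, member, permission)
    return {"member": member, "allowed": bool(roles), "roles": roles,
            "broader_than_needed": "roles/owner" in roles}

if __name__ == "__main__":
    for key in (DEPLOYER_KEY, IDE_KEY):
        print(diagnose(key, SAMPLE_POLICY))
```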
