Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.
resource "google_project_iam_member" "project_iam_additive" {
  member  = "serviceAccount:carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com"
  project = "carto-dw-ac-iz45b23s"
  role    = "roles/bigquery.dataOwner"
}
Our Google provider version is 5.7.0
Debug Output
Error: Request `Create IAM Members roles/bigquery.connectionAdmin serviceAccount:carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com for project "carto-dw-ac-iz45b23s"` returned error: Batch request and retried single request "Create IAM Members roles/bigquery.connectionAdmin serviceAccount:carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com for project \"carto-dw-ac-iz45b23s\"" both failed. Final error: Error applying IAM policy for project "carto-dw-ac-iz45b23s": Error setting IAM policy for project "carto-dw-ac-iz45b23s": googleapi: Error 400: Email 'cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com' is not the primary email address for unique ID '118050033781291738342' of deleted member 'cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com?uid=118050033781291738342'., badRequest
Expected Behavior
Changes applied without error
Actual Behavior
It throws a 400 error
Steps to reproduce
No response
Important Factoids
The Service Account mentioned in the error is not managed with Terraform and apparently has been deleted (CDW-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com?uid=118050033781291738342).
If that entry in the IAM policy is manually deleted, the Terraform apply works flawlessly.
References
No response
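The "Important Factoids" above describe the trigger: the project's IAM policy still carries a binding for a service account that was deleted outside Terraform, and the apply only succeeds once that dangling entry is removed by hand. The following Python script is an added example (not code from this issue, the Google provider, or the Google IAM module) showing how a practitioner can audit an exported project policy for such entries before running an apply, and what the cleaned policy looks like. It assumes Google's documented form for deleted principals, `deleted:<type>:<email>?uid=<unique-id>`, which matches the `...?uid=118050033781291738342` member quoted in the error; all project, account and etag values in the sample policy are constructed.

```python
"""
Audit a GCP project IAM policy (as exported with
`gcloud projects get-iam-policy PROJECT --format=json`) for bindings that
still reference deleted principals.  Google represents such members as
`deleted:<type>:<email>?uid=<unique-id>`; a stale entry of that shape is
what the 400 error in this issue points at.  Every value below is
constructed sample data, not a real account or project.
"""
import json
import re
from typing import Dict, List

# Google's deleted-principal member form, e.g.
#   deleted:serviceAccount:name@project.iam.gserviceaccount.com?uid=1234
DELETED_MEMBER_RE = re.compile(
    r"^deleted:(?P<type>user|serviceAccount|group):(?P<email>[^?]+)\?uid=(?P<uid>\d+)$"
)

# Constructed sample policy (hypothetical names): one live binding that also
# carries a dangling entry, one binding that holds nothing but a dangling
# entry, and one untouched binding.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/bigquery.dataOwner",
      "members": [
        "serviceAccount:example-access@example-project.iam.gserviceaccount.com",
        "deleted:serviceAccount:old-sa-0@example-project.iam.gserviceaccount.com?uid=000000000000000000001"
      ]
    },
    {
      "role": "roles/bigquery.connectionAdmin",
      "members": [
        "deleted:serviceAccount:old-sa-0@example-project.iam.gserviceaccount.com?uid=000000000000000000001"
      ]
    },
    {
      "role": "roles/viewer",
      "members": ["user:alice@example.com"]
    }
  ],
  "etag": "BwXyZ123",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse an exported IAM policy document."""
    return json.loads(text)


def find_deleted_members(policy: dict) -> List[Dict[str, str]]:
    """Return one record per binding member that refers to a deleted principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            m = DELETED_MEMBER_RE.match(member)
            if m:
                findings.append({"role": binding["role"], "member": member, **m.groupdict()})
    return findings


def strip_deleted_members(policy: dict) -> dict:
    """Return a copy of the policy without deleted-principal members.

    Bindings left empty are dropped; bindings keep their other fields (such
    as a condition) and the policy keeps its etag so that a later
    `gcloud projects set-iam-policy` is rejected if someone changed the
    policy in between.  This is the manual cleanup the issue describes,
    done on the exported JSON so it can be reviewed first.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    cleaned["bindings"] = []
    for binding in policy.get("bindings", []):
        keep = [m for m in binding.get("members", []) if not DELETED_MEMBER_RE.match(m)]
        if keep:
            cleaned["bindings"].append({**binding, "members": keep})
    return cleaned


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for f in find_deleted_members(policy):
        print(f"stale binding: {f['role']} -> {f['email']} (uid {f['uid']})")
    print(json.dumps(strip_deleted_members(policy), indent=2))
```

Running the script lists the two stale bindings in the sample and prints the cleaned policy with the `connectionAdmin` binding dropped entirely; on a real project, replace `SAMPLE_POLICY_JSON` with the output of `gcloud projects get-iam-policy` and review the diff before applying it.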
miguelangelmorenochacon changed the title to "400 error with the project_iam_additive resource" on Apr 1, 2024.
This error message seems to be related to Terraform attempting to create an IAM policy for a service account. It appears that there's an issue with the email address associated with the service account.
The error message indicates that the email address cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com is not the primary email address for the unique ID 118050033781291738342 of a deleted member.
From this point you need to check the email address and the unique ID.
Terraform attempted to create an IAM policy for a service account with the email address carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com in the project carto-dw-ac-iz45b23s.
Both a batch request and a retried single request failed.
The final error states that setting the IAM policy failed due to a Google API error with status code 400 (Bad Request).
The specific error message from the Google API indicates that the email address cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com is not the primary email address for the unique ID 118050033781291738342 of a deleted member.
It seems there may be a mismatch or inconsistency in the IAM configuration or the service account's state in the GCP project. You might need to investigate the state of the service account, ensure it exists and is properly configured, and verify that the email address associated with it matches the one Terraform is attempting to use. Additionally, check for any deleted members or outdated configurations that might be causing this issue.
But I don't understand: the Service Account IAM policy I'm trying to set has nothing to do with cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com, so why is Terraform failing because of an external IAM policy not declared in the Terraform code? Why aren't those resources completely independent?
@miguelangelmorenochacon this is an issue related to your user permissions; you need to read the Terraform documentation for permissions to understand that both are separate topics. This issue was replicated with a simple configuration without error messages, as it is in this link.
Community Note
Terraform Version: 1.5.4
Affected Resource(s): project_iam_additive
Terraform Configuration
We're using the Google IAM module. The final resource in the plan is the google_project_iam_member resource shown above.