
Newly created service account needs "deploymentmanager.deployments.list" permissions but no indication how to do so #52

Closed
cwilkes opened this issue Mar 25, 2017 · 21 comments

Comments

@cwilkes commented Mar 25, 2017

Created a service account with "Project - Owner" role and did a "serverless deploy" as said in the README.md and got this error.

Tried going through the https://console.cloud.google.com/iam-admin/serviceaccounts/project page to add that privilege, couldn't figure out a way to do that. Filed feedback on that.

Error --------------------------------------------------

 Error: Required 'deploymentmanager.deployments.list'
 permission for 'projects/XXXXX'

 For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.

Stack Trace --------------------------------------------

Error: Error: Required 'deploymentmanager.deployments.list' permission for 'projects/aec2-6b632'
at filArgs.reduce (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/serverless-google-cloudfunctions/provider/googleProvider.js:65:33)
at JWT.OAuth2Client._postRequest (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/google-auth-library/lib/auth/oauth2client.js:402:3)
at postRequestCb (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/google-auth-library/lib/auth/oauth2client.js:362:12)
at Request._callback (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/google-auth-library/lib/transporters.js:106:7)
at Request.self.callback (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/request/request.js:188:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:194:7)
at Request. (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/request/request.js:1171:10)
at emitOne (events.js:96:13)
at Request.emit (events.js:191:7)
at IncomingMessage. (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/request/request.js:1091:12)
at Object.onceWrapper (events.js:293:19)
at emitNone (events.js:91:20)
at IncomingMessage.emit (events.js:188:7)
at endReadableNT (_stream_readable.js:975:12)
at _combinedTickCallback (internal/process/next_tick.js:80:11)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
From previous event:
at PluginManager.run (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:156:22)
at Serverless.run (/usr/local/lib/node_modules/serverless/lib/Serverless.js:95:31)
at serverless.init.then (/usr/local/lib/node_modules/serverless/bin/serverless:23:50)
at process._tickCallback (internal/process/next_tick.js:109:7)

@pmuens (Contributor) commented Mar 25, 2017

Thanks for reporting @cwilkes 👍

Is the access to the deployment manager API in the API dashboard enabled?

@cwilkes (Author) commented Mar 26, 2017

Figured it out, the API was enabled but then I had to go in there and add "editor" privileges to my service account. It wasn't the easiest to find out.

@cwilkes cwilkes closed this as completed Mar 26, 2017
@pmuens (Contributor) commented Mar 26, 2017

Thanks for the update on how to resolve it @cwilkes 👍

Noted ✏️

@jimcurtis

I am getting the same error. I went to the IAM & Admin screen in GCP and selected my service account and entered the Service account ID of the service account and selected the Editor role and clicked on Add button. So, I think I have successfully added the "editor" priv to my service account as indicated by @cwilkes, but I still get the same error when I try to deploy.

@pmuens (Contributor) commented May 29, 2017

Hey @jimcurtis thanks for commenting and trying out the plugin!

🤔 @cwilkes was there anything else you had to do to get it working?

Just checked the IAM settings of our test project we've used to work on the plugin.

My User account and the "Serverless Framework" Service Account are Owner[s] of the project.

The following Service Accounts are Editors:

  • Google APIs service account
  • Compute Engine default service account
  • App Engine default service account

@cliffano commented Aug 11, 2017

I'm hitting the same problem that @jimcurtis was having. API service enabled, I've added service account as Editor, and Owner. Still the exact same error.

I also tried changing the private key ID in the credentials JSON file to one that doesn't exist, but it still complains about the missing permission. How does it know that the service account doesn't have the permission when the private key ID that's supposed to tell which service account doesn't even exist?

@pmuens Any thoughts?

@cliffano

I ended up solving the problem by creating a new service account using GCP console. The service account that kept failing was created using gcloud CLI.
HTH.

gcloud iam service-accounts create <project_name> --display-name "<project_name> service account"
gcloud iam service-accounts keys create /path/to/file.json --iam-account <project_name>-service-account@<project_name>.iam.gserviceaccount.com
> gcloud --version
Google Cloud SDK 166.0.0
bq 2.0.25
core 2017.08.07
gcloud
gsutil 4.27

@pmuens (Contributor) commented Aug 14, 2017

Thanks for providing the steps above to resolve the issue @cliffano 👍

Looks like this is something out of our control right now.

Would be nice to have some steps to reproduce this so that we can investigate further 🤔

@wintercounter commented Oct 30, 2017

Same issue here. Cannot resolve, I don't know what else to try.

Wrong project name :) Used the same one I used for the credential name, which is wrong of course.

@pauldps commented Nov 3, 2017

I'm having this issue.

Created a brand new function using Serverless CLI, just to test things out. Then created a new Service Account under my GCP project, which has "Project -> Owner + Editor" permissions, saved the key in the proper place, changed serverless.yml and everything. Made sure all APIs were enabled as well.

But serverless deploy fails with the exact same error as in the OP.

I noticed that when creating a Service Account I can give them permissions under "Deployment Manager" in addition to "Project Owner". But any changes I make have no effect. Even multiple permissions have no effect. (I'd think that "Project Owner" should allow the key to do anything. I don't understand the need of adding "Editor" in there. In my case, adding Editor or anything else changes nothing.)

In GCP -> APIs & Services -> Dashboard, I can see that the "Google Cloud Deployment Manager V2 API" is giving me 100% errors for:

  • deploymentmanager.deployments.list
  • deploymentmanager.resources.list

And I can see it's using the new Service Account I created. I'm not sure what to do at this point, so any advice would be appreciated.

@Tamal commented Nov 19, 2017

To resolve this I had to create a new service account and give it the Owner and Editor roles and all the Deployment Manager roles. I noticed I had to give these roles at service account creation time. Adding a new role (e.g. Editor) from IAM didn't work for me.

HTH

@andypmw commented Dec 31, 2017

Hi, I am following the instructions on the Serverless.com page:

  1. Go to the Google Cloud API Manager and select "Credentials" on the left.
  2. Click on "Create credentials" and select "Service account key".
  3. Select "New service account" in the "Service account" dropdown.
  4. Enter a name for your "Service account name" (e.g. "serverless-framework").
  5. Select "Project" --> "Owner" as the "Role".
  6. The "Key type" should be "JSON".
  7. Click on "Create" to create your private key.
  8. That's your so called keyfile which should be downloaded on your machine.
  9. Save the keyfile somewhere secure. We recommend making a folder in your root folder and putting it there. Like this, ~/.gcloud/keyfile.json. You can change the file name from keyfile to anything. Remember the path you saved it to.

It gives this error:
Error: Required 'deploymentmanager.deployments.list'

I figured out that the created service account is not assigned these permissions. So I took another approach:

  1. Choose the appropriate Google Cloud project (example: my-serverless-project)
  2. Click the IAM & admin menu in the left sidebar
  3. Then click Service accounts in the left sidebar
  4. Click the Create Service Account button and make sure your new service account email suffix will be my-serverless-project@iam.gserviceaccount.com
  5. Input the Service account name, the appropriate Roles (permissions needed) and the service account ID
  6. Check Furnish a new private key
  7. Hit the CREATE button

Now you have a correct private key with correct permissions for the service account!

@apekshithr

Why is there a need to provide the Owner and Editor roles? Is it not possible to accomplish this with just the Function Developer, Cloud Deployment Manager and Storage Admin roles?

@dikatok commented Mar 13, 2019

I got the exact same issue with the recent version (1.38.0). I even assigned the project owner role to the service account and got the same error. Does anyone have a solution?

UPDATE: ugh, I tried to use the originally provisioned compute service account (xxx-compute@developer.gserviceaccount.com) and was able to deploy the functions, while my created one keeps failing (serverless@myapp.iam.gserviceaccount.com)

@cyberfifi

@dikatok
I got the same issue just today. Your solution works for me. Thanks a lot.

But I still feel uncomfortable that I have to generate a key for an almost super user. This unnecessarily increases the risk.
I still hope the owner of serverless or GCP could provide a solution for this.

@willycamargo commented May 10, 2019

I got the same issue here, and its solution sounds like an i18n bug.

My default google console language was "pt-BR".

I changed the language to "en" and checked the IAM roles; they were wrong.
So I deleted the user and created it again as described in the Serverless official docs, and then the deploy command worked fine.

So the solution for me was: change the project language to "en" before creating the IAM user.

@uded commented Jul 17, 2019

Can someone, please, provide me with a POLICY file, so I can use gcloud to import that and start working?

Currently it seems that my service account does have the proper permissions:

~/projects/service  gcloud projects get-iam-policy project
bindings:
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/cloudfunctions.developer
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/datastore.owner
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: *roles/deploymentmanager.editor*
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/endpoints.portalAdmin
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/file.editor
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/logging.admin
- members:
  - user:somebody.that@i.used.to.know
  role: roles/owner
etag: &&&&&&
version: 1
~/projects/service  gcloud beta iam roles list --filter="(name:roles/deploymentmanager.*)"
---
description: Read and Write access to all Deployment Manager resources.
etag: AA==
name: *roles/deploymentmanager.editor*
stage: GA
title: Deployment Manager Editor
---
description: Read and Write access to all Type Registry resources.
etag: AA==
name: roles/deploymentmanager.typeEditor
stage: GA
title: Deployment Manager Type Editor
---
description: Read-only access to all Type Registry resources.
etag: AA==
name: roles/deploymentmanager.typeViewer
stage: GA
title: Deployment Manager Type Viewer
---
description: Read-only access to all Deployment Manager resources.
etag: AA==
name: roles/deploymentmanager.viewer
stage: GA
title: Deployment Manager Viewer
~/projects/service  gcloud beta iam roles describe roles/deploymentmanager.editor
description: Read and Write access to all Deployment Manager resources.
etag: AA==
includedPermissions:
- deploymentmanager.compositeTypes.create
- deploymentmanager.compositeTypes.delete
- deploymentmanager.compositeTypes.get
- deploymentmanager.compositeTypes.list
- deploymentmanager.compositeTypes.update
- deploymentmanager.deployments.cancelPreview
- deploymentmanager.deployments.create
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.get
- *deploymentmanager.deployments.list*
- deploymentmanager.deployments.stop
- deploymentmanager.deployments.update
- deploymentmanager.manifests.get
- deploymentmanager.manifests.list
- deploymentmanager.operations.get
- deploymentmanager.operations.list
- deploymentmanager.resources.get
- deploymentmanager.resources.list
- deploymentmanager.typeProviders.create
- deploymentmanager.typeProviders.delete
- deploymentmanager.typeProviders.get
- deploymentmanager.typeProviders.getType
- deploymentmanager.typeProviders.list
- deploymentmanager.typeProviders.listTypes
- deploymentmanager.typeProviders.update
- deploymentmanager.types.create
- deploymentmanager.types.delete
- deploymentmanager.types.get
- deploymentmanager.types.list
- deploymentmanager.types.update
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
name: roles/deploymentmanager.editor
stage: GA
title: Deployment Manager Editor

I have marked the appropriate permissions in the list above. And, yet, I got:

  Error --------------------------------------------------

  Required 'deploymentmanager.deployments.list' permission for 'projects/project'

     For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.

  Stack Trace --------------------------------------------

As one can import the policy file while creating a user account, can then someone - please - provide me with a default one? I can take it from there, but I need to understand what I have done wrong...
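A way to check a policy like the one above mechanically, added here as an example and not code from the serverless plugin or from Google: the script parses the plain-YAML layout that `gcloud projects get-iam-policy` and `gcloud iam roles describe` print (the two outputs quoted in this comment) with a small purpose-built parser, then reports which roles bound to a member include a given permission. The sample policy and role descriptions are constructed to mirror this comment's output (abbreviated, etag redacted); only gcloud's output layout is assumed, and a role bound to the member for which no description was supplied is reported as unresolved rather than as granting anything. When the check confirms the permission is granted by the policy, as it does here via roles/deploymentmanager.editor, the remaining suspects are the identity actually presented (the keyfile's project and client_email) and the project named in serverless.yml, which later comments in this thread point at.

```python
"""Check whether a member of a GCP IAM policy holds a given permission.

Added example, not code from the serverless-google-cloudfunctions plugin or
from Google. It parses the plain-YAML layout printed by
`gcloud projects get-iam-policy PROJECT` and `gcloud iam roles describe ROLE`
with a purpose-built parser, so no third-party YAML library is needed.
Everything named SAMPLE_* below is constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring `gcloud projects get-iam-policy project`
SAMPLE_POLICY = """\
bindings:
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/cloudfunctions.developer
- members:
  - serviceAccount:serverless@project.iam.gserviceaccount.com
  role: roles/deploymentmanager.editor
- members:
  - user:somebody.that@i.used.to.know
  role: roles/owner
etag: REDACTED
version: 1
"""

# Constructed samples mirroring `gcloud iam roles describe ROLE` (abbreviated)
SAMPLE_ROLES = {
    "roles/deploymentmanager.editor": """\
description: Read and Write access to all Deployment Manager resources.
etag: AA==
includedPermissions:
- deploymentmanager.deployments.get
- deploymentmanager.deployments.list
- deploymentmanager.resources.list
- resourcemanager.projects.get
name: roles/deploymentmanager.editor
stage: GA
title: Deployment Manager Editor
""",
    "roles/cloudfunctions.developer": """\
description: Read and write access to all functions-related resources.
etag: AA==
includedPermissions:
- cloudfunctions.functions.create
- cloudfunctions.functions.get
name: roles/cloudfunctions.developer
stage: GA
title: Cloud Functions Developer
""",
}


def parse_policy_bindings(text: str) -> Dict[str, Set[str]]:
    """Map each role in a get-iam-policy dump to the members bound to it."""
    bindings: Dict[str, Set[str]] = {}
    members: List[str] = []
    in_bindings = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "bindings:":
            in_bindings = True
            continue
        if not in_bindings:
            continue
        if line == "- members:":              # start of a new binding
            members = []
        elif line.startswith("- "):           # one member, e.g. "- serviceAccount:..."
            members.append(line[2:].strip())
        elif line.startswith("role:"):        # role that closes the binding
            role = line.split(":", 1)[1].strip()
            bindings.setdefault(role, set()).update(members)
        elif not raw.startswith((" ", "-")):  # next top-level key (etag:, version:)
            in_bindings = False
    return bindings


def parse_role_permissions(text: str) -> Set[str]:
    """Collect includedPermissions from a `gcloud iam roles describe` dump."""
    perms: Set[str] = set()
    in_perms = False
    for raw in text.splitlines():
        if raw.startswith("includedPermissions:"):
            in_perms = True
        elif in_perms and raw.startswith("- "):
            perms.add(raw[2:].strip())
        elif in_perms:                        # next top-level key ends the list
            in_perms = False
    return perms


def roles_granting(policy: str, roles: Dict[str, str], member: str,
                   permission: str) -> Tuple[List[str], List[str]]:
    """Return (roles bound to member that include permission,
    roles bound to member that have no description to check against)."""
    granting, unresolved = [], []
    for role, members in parse_policy_bindings(policy).items():
        if member not in members:
            continue
        if role not in roles:
            unresolved.append(role)           # e.g. a basic role you did not describe
        elif permission in parse_role_permissions(roles[role]):
            granting.append(role)
    return sorted(granting), sorted(unresolved)


if __name__ == "__main__":
    sa = "serviceAccount:serverless@project.iam.gserviceaccount.com"
    perm = "deploymentmanager.deployments.list"
    ok, unknown = roles_granting(SAMPLE_POLICY, SAMPLE_ROLES, sa, perm)
    print(f"{perm} granted to {sa} via: {ok or 'nothing'}; unresolved roles: {unknown}")
```

Feed it the real outputs by saving `gcloud projects get-iam-policy PROJECT` to a file and `gcloud iam roles describe ROLE` for each role the member holds; the parser only relies on the two-space indentation and `- ` list markers gcloud uses.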

@amazingandyyy

Why is this one closed???

@jimsorock

I know this is closed but just in case someone gets this, make sure you check that your project name in serverless.yml matches the actual project name in GCP. #91 (comment)
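The project-name check in the comment above, together with the wrong-project-name and default-compute-account findings earlier in the thread, can be run before `serverless deploy`. The script below is an added example, not the plugin's code: it assumes the plugin reads the project id from `provider.project` and the keyfile path from `provider.credentials` in serverless.yml, and that the keyfile is the JSON document GCP issues when a service-account key is created. The sample keyfile and serverless.yml are constructed (placeholder key id, no private key). It reports when the project in serverless.yml, the keyfile's `project_id` and the domain of the keyfile's `client_email` disagree; it does not contact GCP, so it cannot say whether the key itself is still valid.

```python
"""Preflight consistency check: GCP service-account keyfile vs serverless.yml.

Added example, not code from the serverless plugin. Assumptions: the plugin
takes the project id from provider.project in serverless.yml, and the keyfile
is the standard service-account JSON GCP issues. SAMPLE_* values below are
constructed; the key id is a placeholder and no private key is included.
"""
import json
import re
from typing import List, Optional

SAMPLE_KEYFILE = json.dumps({
    "type": "service_account",
    "project_id": "my-serverless-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "client_email": "serverless@my-serverless-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

SAMPLE_SERVERLESS_YML = """\
service: my-function
provider:
  name: google
  runtime: nodejs
  project: my-serverless-project
  credentials: ~/.gcloud/keyfile.json
"""

# provider.project is an indented key; allow optional quotes around the id.
PROJECT_RE = re.compile(r"^\s+project:\s*['\"]?([a-z][a-z0-9-]*)['\"]?\s*$", re.M)
# Domain of the project's default compute service account (seen in the thread),
# the one exception to "client_email must live under <project_id>.iam...".
DEFAULT_SA_DOMAINS = ("developer.gserviceaccount.com",)


def provider_project(serverless_yml: str) -> Optional[str]:
    """Pull provider.project out of serverless.yml, or None if it is missing."""
    match = PROJECT_RE.search(serverless_yml)
    return match.group(1) if match else None


def check_identity(keyfile_text: str, serverless_yml: str) -> List[str]:
    """Return a list of mismatches; an empty list means the identifiers agree."""
    findings: List[str] = []
    key = json.loads(keyfile_text)

    if key.get("type") != "service_account":
        findings.append(f"keyfile type is {key.get('type')!r}, expected 'service_account'")

    key_project = key.get("project_id")
    yml_project = provider_project(serverless_yml)
    if yml_project is None:
        findings.append("serverless.yml has no provider.project entry")
    elif yml_project != key_project:
        findings.append(
            f"serverless.yml project {yml_project!r} != keyfile project_id {key_project!r}")

    email = key.get("client_email", "")
    domain = email.partition("@")[2]
    if domain != f"{key_project}.iam.gserviceaccount.com" and domain not in DEFAULT_SA_DOMAINS:
        findings.append(f"client_email {email!r} does not belong to project {key_project!r}")

    # private_key_id and the key material are deliberately not inspected:
    # nothing offline can tell whether they are current.
    return findings


if __name__ == "__main__":
    for line in check_identity(SAMPLE_KEYFILE, SAMPLE_SERVERLESS_YML) or ["all consistent"]:
        print(line)
```

Run it against the real files by replacing the two SAMPLE_ strings with the contents of the keyfile named in `provider.credentials` and of serverless.yml; any finding is something to fix before looking at IAM roles again.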

@CrazyPython

It worked for me after adding "Type Editor" and "Viewer" permissions in cloud project manager. ("Add Member")

@fuleinist

> I know this is closed but just in case someone gets this, make sure you check that your project name in serverless.yml matches the actual project name in GCP. #91 (comment)

Thank you sir, you saved my day in 2023 : D
