Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/, forbidden

I am trying to create a GKE cluster from Terraform. I have an existing service account and I don't want to create any new service account; instead I want to use the one which I have.

I am getting an error while running my Terraform script; can you please suggest a fix?

I am referring to this link here: https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest

provider "google" {
  credentials = file("xxx.json")   # key of the service account that Terraform itself runs as
  project     = "myproject"
  region      = "us-east1"
}


module "gke" {
  source                     = "terraform-google-modules/kubernetes-engine/google"
  project_id                 = "myproject_id"
  name                       = "gke-test-2"
  region                     = "us-east1-c"
  zones                      = ["us-east1-b","us-east1-d"]
  network                    = "VPC"
  subnetwork                 = "VPC_SUBNET"
  ip_range_pods              = "us-east-1-subnet1"
  ip_range_services          = "us-east-1-subnet2"
  http_load_balancing        = false
  network_policy             = false
  horizontal_pod_autoscaling = true
  filestore_csi_driver       = false

  node_pools = [
    {
      name                      = "default-node-pool"
      machine_type              = "e2-medium"
      min_count                 = 1
      max_count                 = 2
      local_ssd_count           = 0
      disk_size_gb              = 100
      disk_type                 = "pd-standard"
      image_type                = "COS_CONTAINERD"
      auto_repair               = true
      auto_upgrade              = true
      service_account           = "[email protected]"   # account the nodes run as; the module still creates its own account unless create_service_account = false
      preemptible               = false
      initial_node_count        = 2
    },
  ]

  node_pools_oauth_scopes = {
    all = []

    default-node-pool = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }

  node_pools_labels = {
    all = {}

  }

  node_pools_metadata = {
    all = {}

    default-node-pool = {
      node-pool-metadata-custom-value = "my-node-pool"
    }
  }

  node_pools_taints = {
    all = []

  }

  node_pools_tags = {
    all = []

  }
}



Solution 1:[1]

You need to add the role Create Service Accounts (iam.serviceAccounts.create) to your service account to create service accounts when creating the cluster.

Or else you can assign the Service Account Admin role to the existing service account.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Harsh Manvar
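As an added example (not part of the original question or answer, and not the module's own code), the commands below apply the answer's fix with the least privilege that the 403 actually asks for: a project-level custom role carrying iam.serviceAccounts.create (plus iam.serviceAccounts.get so the provider can read the account back) is bound to the identity that Terraform runs as, and the resulting bindings are listed for verification. The project name "myproject", the Terraform identity tf-deployer@myproject.iam.gserviceaccount.com and the role id "gkeSaCreator" are hypothetical placeholders; substitute your own. Setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: grant the Terraform identity only iam.serviceAccounts.create
# via a custom role, then verify the binding. Values below are placeholders.
# Set GCLOUD=echo to dry-run (prints the gcloud invocations).
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# IAM member string that gcloud expects for a service account principal.
sa_member() {
  printf 'serviceAccount:%s' "$1"
}

# Fully qualified name of a project-level custom role.
custom_role_name() {
  printf 'projects/%s/roles/%s' "$1" "$2"
}

# Create a custom role with just the permission named in the 403 error
# (and get, which Terraform needs to refresh the created account).
create_sa_creator_role() {
  project="$1"; role_id="$2"
  "$GCLOUD" iam roles create "$role_id" \
    --project="$project" \
    --title="GKE node SA creator" \
    --permissions="iam.serviceAccounts.create,iam.serviceAccounts.get" \
    --stage=GA
}

# Bind a role (predefined or custom) to the Terraform service account.
grant_role() {
  project="$1"; sa_email="$2"; role="$3"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="$(sa_member "$sa_email")" \
    --role="$role"
}

# List every role bound to the given account on the project, one per line.
list_roles_for_member() {
  project="$1"; sa_email="$2"
  "$GCLOUD" projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:${sa_email}" \
    --format="value(bindings.role)"
}

# Check a newline-separated role list (as returned above) for an exact role.
has_role() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

main() {
  project="$1"; tf_sa="$2"; role_id="${3:-gkeSaCreator}"
  role="$(custom_role_name "$project" "$role_id")"
  create_sa_creator_role "$project" "$role_id"
  grant_role "$project" "$tf_sa" "$role"
  roles="$(list_roles_for_member "$project" "$tf_sa")"
  if has_role "$roles" "$role"; then
    echo "ok: $tf_sa now holds $role"
  else
    echo "missing: $role not bound to $tf_sa" >&2
    return 1
  fi
}

# Usage: ./grant-sa-creator.sh myproject tf-deployer@myproject.iam.gserviceaccount.com
if [ $# -gt 0 ]; then main "$@"; fi
```

Two caveats worth knowing before granting anything. First, the module's sa.tf also binds logging and monitoring roles to the account it creates, so with create_service_account left at its default the Terraform identity will additionally need project IAM-policy write (for example roles/resourcemanager.projectIamAdmin), and the apply will fail on that permission next. Second, since the question's goal is to reuse an account that already exists, the module's own inputs avoid the whole problem: set create_service_account = false and pass the existing address in the module-level service_account input, and no iam.serviceAccounts.create permission is needed at all.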