GCP Create Project via Python

Question

I have an organization under which I want to create a project using python, as per the documentation, without mentioning the parent , service account throws error as below "Service accounts cannot create projects without a parent.". Details: "Service accounts cannot create projects without a parent."

Hence I provided a parent as below,

def create_signer(googleservice, principal, key, version):

    google_token_uri = 'https://oauth2.googleapis.com/token'
    if not all(['principal', 'key']):
        raise Exception('Google secret missing principal and/or key')
    signer = crypt.RSASigner.from_string(key.strip())
    credential = service_account.Credentials(signer, principal,
                                             google_token_uri)
    service = build(googleservice, version, credentials=credential,
                    cache_discovery=False)
    return service


def create_project():

    service = create_signer('cloudresourcemanager', principal, key, 'v1')
    operation = service.projects().create(
        body={
            'parent': {'type': 'organization', 'id': '72******78*8'},
            'project_id': 'abcd1234'
        }).execute()
    print(operation)

But this throws below error, googleapiclient.errors.HttpError: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects?alt=json returned "The caller does not have permission". Details: "The caller does not have permission">

I have created a custom role at organization level with below permissions and attached it to my service account created at project level(since organization does not allow creating service accounts at organization level),

iam.roles.create
iam.roles.delete
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
orgpolicy.constraints.list
orgpolicy.policies.list
orgpolicy.policy.get
resourcemanager.folders.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.create
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

Can someone please help me with this issue? I have all the required permissions but still having throws 403 error

Just to add, gcp list api call projects works fine

Answer 1

According to the error that you provided in the link it seems like you have authentication problem. Sufficient scope is not added in the API. You need to add scope in your code.Try to add :

1. googleapis.com/auth/cloud-platform

2. googleapis.com/auth/cloud-platform.read-only

scopes in your code.

You can refer to stackoverflow case which will help you.