Google Cloud : Error creating AlertPolicy: googleapi: Error 403


We are triggering a bitbucket pipeline which provisions resources via terraform.

A service account with a role (comprising the appropriate permissions) is passed to the job to make sure the job succeeds.

While provisioning a Google alert we saw the error below:

╷
│ Error: Error creating AlertPolicy: googleapi: Error 403: The caller does not have permission
│ 
│   with module.abc.google_monitoring_alert_policy.abc_error,

The role which is attached to the service account has several permissions, including ones related to alerting:

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.update

So it has permission to create an alert policy, but it is failing.


Answer 1 (score 1):

I encountered a similar problem and resolved it by updating the permissions as outlined in this document:

Permissions Required for Log-Based Alerts: Google Cloud Logging Access Control - Log-Based Alert Permissions

It turned out that the roles/logging.configWriter role was not assigned to my service account, and adding it resolved the issue.

Answer 2 (score 0):

I am having the same issue. I used the workaround described here (assigning the project editor role) but can hardly imagine that it is intended to have all these permissions assigned to create an alert policy.

Update: I got some good advice on GitHub to check for the conditions block in the alert and to check which privileges are required for those. For me it ended up being the logging privileges.

Answer 3 (score 0):

There are 4 IAM roles, and any one of those three should be in place to create an alerting policy in GCP:

Monitoring Editor

Grants read-write access to Monitoring in the Google Cloud console and API, and grants read-write access to a metrics scope when using the Google Cloud console. Write access to a metrics scope grants permission to add (or remove) monitored Google Cloud projects to that metrics scope.

Predefined role : roles/monitoring.editor

Monitoring Admin

Grants full access to Monitoring in the Google Cloud console and API, and grants read-write access to a metrics scope. Write access to a metrics scope grants permission to add (or remove) monitored Google Cloud projects to that metrics scope.

Predefined role : roles/monitoring.admin

Project Owner

The Monitoring permissions are the same as those in roles/monitoring.admin.

Predefined role : roles/owner

Alert Policy Editor

This role ID grants the minimal permissions that are needed to create an alerting policy. It has

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

Predefined role : roles/monitoring.alertPolicyEditor

Use either the predefined role roles/monitoring.alertPolicyEditor or add monitoring.alertPolicies.list in order to create an alert policy.

Note :

Sometimes an alerting policy requires some extra permissions related to cloud logging and notification channels so you might need to provide roles/monitoring.editor role to create alerting policy.

References :

https://cloud.google.com/monitoring/alerts#cc-perms
https://cloud.google.com/monitoring/alerts#api-perms
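The diagnosis in the three answers (the custom role lacks monitoring.alertPolicies.list, and a log-based condition additionally needs the permissions of roles/logging.configWriter) can be turned into a pre-flight check that runs in the pipeline before terraform apply. The script below is an added example, not code from the question, the answers or Google; it assumes the policy is passed as a dict in the shape of the google_monitoring_alert_policy arguments, that role definitions are the JSON printed by `gcloud iam roles describe <role> --format=json`, and that the notification-channel permission it adds is a placeholder to confirm against the docs. All sample data is constructed.

```python
"""Added example (not part of the original thread): derive the IAM permissions an
alerting policy needs from its own definition and diff them against what the
job's custom role grants, so a bare 403 becomes a list of missing permissions.

Assumptions (not from the thread): policy dict mirrors google_monitoring_alert_policy
arguments; role JSON is `gcloud iam roles describe <role> --format=json` output;
CHANNEL_PERMISSIONS is a placeholder to confirm.
"""
import json
from typing import Dict, List, Set

# Creating a policy needs at least the alertPolicyEditor permissions; the
# question's role lacked .list, which is enough to produce the 403.
ALERT_POLICY_BASE: Set[str] = {
    "monitoring.alertPolicies.create",
    "monitoring.alertPolicies.get",
    "monitoring.alertPolicies.list",
}

# Policy features that pull in the permissions of another predefined role.
# The log-based entry follows answers 1 and 2 (roles/logging.configWriter).
FEATURE_ROLES: Dict[str, str] = {
    "condition_matched_log": "roles/logging.configWriter",
}

# Assumed permission for policies that reference notification channels.
CHANNEL_PERMISSIONS: Set[str] = {"monitoring.notificationChannels.get"}


def permissions_from_role_json(text: str) -> Set[str]:
    """Extract includedPermissions from `gcloud iam roles describe` JSON."""
    return set(json.loads(text).get("includedPermissions", []))


def required_permissions(policy: dict, role_catalog: Dict[str, Set[str]]) -> Set[str]:
    """Permissions this policy needs, given a catalog of role -> permissions."""
    needed = set(ALERT_POLICY_BASE)
    for condition in policy.get("conditions", []):
        for feature, role in FEATURE_ROLES.items():
            if feature in condition:
                needed |= role_catalog.get(role, set())
    if policy.get("notification_channels"):
        needed |= CHANNEL_PERMISSIONS
    return needed


def missing_permissions(policy: dict, granted: Set[str],
                        role_catalog: Dict[str, Set[str]]) -> List[str]:
    """Sorted list of required permissions the granted set does not contain."""
    return sorted(required_permissions(policy, role_catalog) - granted)


# --- Constructed sample data (not real project output) --------------------
# The custom role from the question: create/delete/get/update but no list.
QUESTION_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/alertProvisioner",
    "includedPermissions": [
        "monitoring.alertPolicies.create",
        "monitoring.alertPolicies.delete",
        "monitoring.alertPolicies.get",
        "monitoring.alertPolicies.update",
    ],
})

# Excerpt standing in for `gcloud iam roles describe roles/logging.configWriter`;
# the real role grants more permissions than the two listed here.
ROLE_CATALOG: Dict[str, Set[str]] = {
    "roles/logging.configWriter": {
        "logging.logMetrics.create",
        "logging.logMetrics.update",
    },
}

METRIC_POLICY = {  # a metric-threshold condition like the question's module
    "display_name": "abc error rate",
    "conditions": [{"display_name": "abc errors", "condition_threshold": {}}],
}

LOG_POLICY = {  # a log-based condition, the case answers 1 and 2 hit
    "display_name": "abc log match",
    "conditions": [{"display_name": "abc log", "condition_matched_log": {}}],
    "notification_channels": ["projects/example-project/notificationChannels/1"],
}


def preflight(policy: dict, role_json: str) -> List[str]:
    """End-to-end check: role JSON + policy definition -> missing permissions."""
    return missing_permissions(policy, permissions_from_role_json(role_json), ROLE_CATALOG)


if __name__ == "__main__":
    for name, policy in (("metric", METRIC_POLICY), ("log-based", LOG_POLICY)):
        gap = preflight(policy, QUESTION_ROLE_JSON)
        print(f"{name}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

In a real pipeline, replace QUESTION_ROLE_JSON with the output of `gcloud iam roles describe` for the custom role the job runs as, and fill ROLE_CATALOG from the same command for each predefined role named in FEATURE_ROLES; the check then reports exactly which permissions to add to the custom role instead of reaching for roles/editor.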