Google Cloud : Error creating AlertPolicy: googleapi: Error 403

Question

We are triggering a bitbucket pipeline which provisions resources via terraform.

Service account with a role(comprising of appropriate permissions) is passed to job to make sure job succeeds.

While provisioning a google alert we saw below error

╷
│ Error: Error creating AlertPolicy: googleapi: Error 403: The caller does not have permission
│ 
│   with module.abc.google_monitoring_alert_policy.abc_error,

Role which is attached to service account has several permissions including related to alerting

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.update

So it has permission to create alert policy but it is failing.

Answer 1

There are 4 IAM roles and anyone of those three should be in place to create alerting policy in GCP

Monitoring Editor

Grants read-write access to Monitoring in the Google Cloud console and API, and grants read-write access to a metrics scope when using the Google Cloud console. Write access to a metrics scope grants permission to add (or remove) monitored Google Cloud projects to that metrics scope.

Predefined role : roles/monitoring.editor

Monitoring Admin

Grants full access to Monitoring in the Google Cloud console and API, and grants read-write access to a metrics scope. Write access to a metrics scope grants permission to add (or remove) monitored Google Cloud projects to that metrics scope.

Predefined role : roles/monitoring.admin

Project Owner

The Monitoring permissions are the same as those in roles/monitoring.admin.

Predefined role : roles/owner

Alert Policy Editor

This role ID grants the minimal permissions that are needed to create an alerting policy. It has

monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update

Predefined role : roles/monitoring.alertPolicyEditor

Use either predefined role roles/monitoring.alertPolicyEditor or add monitoring.alertPolicies.list in order to create a alert policy.

Note :

Sometimes an alerting policy requires some extra permissions related to cloud logging and notification channels so you might need to provide roles/monitoring.editor role to create alerting policy.

References :

https://cloud.google.com/monitoring/alerts#cc-perms https://cloud.google.com/monitoring/alerts#api-perms

Answer 2

I am having the same issue. I used the workaround described here (assing project editor role) but can hardly imagine that it is intended to have all these permissions assigned to create an alert policy.

Update: I got some good advise on Github to check for the conditions block in the alert and to check which privileges are required for those. For me it ended up being the logging privileges.

Answer 3

I encountered a similar problem and resolved it by updating the permissions as outlined in this document:

Permissions Required for Log-Based Alerts: Google Cloud Logging Access Control - Log-Based Alert Permissions

It turned out that the roles/logging.configWriter role was not assigned to my service account, and adding it resolved the issue.