Using terraform google provider Can the same user account be provided with the bigquery.DataViewer and bigquery.JobUser roles

We tried with two different approaches:

  1. By using a Custom role with all permissions from both the roles
    Error received is below :
> Request `Create IAM Members roles/gke_role_name serviceAccount:<*****>@<*****>.iam.gserviceaccount.com for project "*****"` returned error: Error applying IAM policy for project "*****"`: Error setting IAM policy for project "*****"`: googleapi: Error 400: Role roles/gke_role_name is not supported for this resource., badRequest
> │ 
> │   with google_project_iam_member.gke_role_name_member["roles/gke_role_name"],
> , in resource "google_project_iam_member" "gke_role_name_member":
> │  resource "google_project_iam_member" "gke_role_name_member" {
  2. By directly defining two separate resources, one each for google_bigquery_dataset_access and google_project_iam_member. Actually, dataViewer was already provided:

This fails too with the error :

Error creating DatasetAccess: googleapi: Error 400: IAM setPolicy failed for Dataset <project-name>:<dataset>: Role roles/bigquery.JobUser is not supported for this resource., invalid

  3. Apparently these two roles can be added using the Google console (tested it out in a lower cluster) to confirm whether it's a Google issue or a Terraform one.

Hoping you figured this out by now, but just in case, pretty sure fixing the casing (to roles/bigquery.jobUser) should fix this for you.

I would definitely use the two standard roles vs. a custom one if it solves your use case; much lower maintenance.
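
A sketch of the two-standard-roles setup discussed in this thread, added here as an example and not taken from either poster's configuration. The variable names are hypothetical placeholders, and it assumes `roles/bigquery.jobUser` is bound at project scope while `roles/bigquery.dataViewer` is bound on the dataset.

```hcl
# Added example: variable names and values are placeholders, not from the thread.
variable "project_id" {
  type = string
}

variable "dataset_id" {
  type = string
}

variable "sa_email" {
  type        = string
  description = "Service account email, without the serviceAccount: prefix"
}

# jobUser carries bigquery.jobs.create, which is granted on the project,
# so it is bound with google_project_iam_member rather than on the dataset.
# The role ID is written in its exact camelCase form (jobUser, not JobUser),
# as the reply above suggests.
resource "google_project_iam_member" "bq_job_user" {
  project = var.project_id
  role    = "roles/bigquery.jobUser"
  member  = "serviceAccount:${var.sa_email}"
}

# dataViewer is scoped to the single dataset, so the account can read only
# this dataset while still being able to run query jobs in the project.
resource "google_bigquery_dataset_access" "bq_data_viewer" {
  project       = var.project_id
  dataset_id    = var.dataset_id
  role          = "roles/bigquery.dataViewer"
  user_by_email = var.sa_email
}

# If a custom role is used instead, project-level custom roles are referenced
# as "projects/<project-id>/roles/<role-id>"; the bare "roles/<name>" form is
# reserved for predefined roles.
```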
