topic Re: Error while adding GCP account (permission denied) in Prisma Cloud Discussions

Error while adding GCP account (permission denied)

FAllard — Wed, 02 Sep 2020 17:17:18 GMT

Hi,

I am trying out RedLock using the trial and I am having issues trying to configure my GCP project. I followed the instructions carefully at https://docs.paloaltonetworks.com/redlock/redlock-admin/connect-your-cloud-platform-to-redlock/onboard-your-gcp-account/set-up-gcp-account-for-redLock-service.html

I got permissions error. I even tried temporarily to add Project Owner and I still get the following error.

Any idea?

Re: Error while adding GCP account (permission denied)

kchen — Mon, 01 Jul 2019 14:38:37 GMT

Could you post a screenshot of your Service Account's list of permissions? Did you make sure to create a Custom Role that allows storage bucket access?

Re: Error while adding GCP account (permission denied)

FAllard — Tue, 02 Jul 2019 13:25:12 GMT

See below. As you can see, I added a lot more roles in an attempt to make it work...

Re: Error while adding GCP account (permission denied)

kchen — Tue, 02 Jul 2019 14:54:51 GMT

Not too sure what else it could be. Ran a few tests to try different scenarios (key deleted from Service Account), but I could only get that message to reproduce if the Service Account did not have the necessary permissions on the project you are trying to onboard. The only thing I can think of is that the permissions are added to a different project than the Service Account. Is that the case here?

Re: Error while adding GCP account (permission denied)

FAllard — Tue, 02 Jul 2019 15:22:59 GMT

I am not sure what you mean by that "the permissions are added to a different project than the Service Account". The permissions are added to a Service Account that is part of a project. I import the Service Account Key (JSON) which contains the project information. Nowhere in RedLock I specify a project or do I assign permissions in the project outside of the service account.

Re: Error while adding GCP account (permission denied)

lpingali — Tue, 02 Jul 2019 16:37:17 GMT

Just as a check, if you remove the extra permissions you added, does it throw the 'Permission denied" error again? Keeping only the 3 required permissions:

ProjectViewer
CustomRedLock Viewer
Compute EngineCompute Security Admin

Re: Error while adding GCP account (permission denied)

FAllard — Tue, 02 Jul 2019 17:35:45 GMT

That's the first thing I tried since I followed the instructions. I tried again and I get the same error. See my service account roles below: