Fix GCP IAM Sa Create Errors
When working with GCP IAM, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with sa create and shows the exact fix.
A Common Mistake
Creating a service account but failing to grant it the necessary IAM roles on the resources it needs to access, resulting in permission denied errors at runtime.
The incorrect command:
gcloud iam service-accounts create my-service-sa --description="My service account" --display-name="My SA"
Command output:
Created service account [my-service-sa].
But when the application tries to access Cloud Storage, it gets:
403 Forbidden: The service account does not have permission to access the resource.
The service account was created but no roles were assigned to it, so it has zero permissions on any project resources.
The Correct Approach
The right way to configure sa create in GCP IAM:
gcloud iam service-accounts create my-service-sa --description="My service account" --display-name="My SA" && gcloud projects add-iam-policy-binding my-project --member=serviceAccount:my-service-sa@my-project.iam.gserviceaccount.com --role=roles/storage.objectAdmin
Successful result:
Created service account [my-service-sa].
Updated IAM policy for project [my-project].
The service account now has storage object admin access. The application can read and write objects in Cloud Storage buckets.
How to Prevent This
Always create the service account and assign roles in the same workflow. Use infrastructure-as-code (Terraform) to ensure roles are never forgotten. Assign the minimum required roles immediately after creation.
Check which roles are bound to the service account with:
gcloud projects get-iam-policy my-project --format=json | jq '.bindings[] | select(.members[] | contains("my-service-sa"))'
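The permission check above can be turned into a pre-deploy gate. The following is an added example, not code from the original page: it audits a project IAM policy (the JSON shape returned by gcloud projects get-iam-policy ... --format=json) for one service account, reporting the roles it holds, the required roles it is missing (the 403-at-runtime case described above) and any primitive roles that are broader than a workload needs. The policy document, account names and etag are constructed sample data.

```python
"""Audit a GCP project IAM policy for a service account's role bindings.

Constructed example: SAMPLE_POLICY below mimics the output of
  gcloud projects get-iam-policy my-project --format=json
"""
import json

# Primitive roles that grant far more than a single workload usually needs.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_for_member(policy: dict, member: str) -> set:
    """Return every role bound to `member` (e.g. 'serviceAccount:<email>')."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_service_account(policy: dict, sa_email: str, required: set) -> dict:
    """Compare the roles a service account holds against the roles it needs.

    'missing' is the set that produces permission-denied errors at runtime;
    'too_broad' lists primitive roles that violate least privilege.
    """
    held = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "held": sorted(held),
        "missing": sorted(required - held),
        "too_broad": sorted(held & BROAD_ROLES),
    }


# Constructed sample policy: my-service-sa was created but never bound to a
# role, while an older account was granted the primitive Editor role.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
""")

if __name__ == "__main__":
    for sa in ("my-service-sa@my-project.iam.gserviceaccount.com",
               "legacy-sa@my-project.iam.gserviceaccount.com"):
        print(sa, audit_service_account(SAMPLE_POLICY, sa, {"roles/storage.objectAdmin"}))
```

Binding roles/storage.objectAdmin at project level grants access to every bucket in the project; where the workload only needs one bucket, a bucket-level binding is the tighter choice.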