如何解决Terraform在GCP中为服务账号分配角色时出现的googleapi: Error 403: The caller does not have permission, forbidden错误

阿华AIGC实验室

2026-4-29

解决Terraform在GCP中通过Cloud Build给服务账号分配角色的403权限问题

先梳理下你的场景和提供的关键信息：

你的Terraform代码

sa.tf

resource "google_service_account" "mojo-terra" {
  account_id = "mojo-terra"
  description = "Service account used for terraform script"
}
resource "google_project_iam_member" "mojo-roles" {
  count = length(var.rolesList)
  role = var.rolesList[count.index]
  member = "serviceAccount:${google_service_account.mojo-terra.email}"
}

dev.tfvars

rolesList = [ "roles/iam.serviceAccountUser" ]

错误日志

Step #2: Error: Error when reading or editing Resource "project "poc-dev"" with IAM Policy: Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden
Step #2:
Step #2: Error: Error when reading or editing Resource "project "poc-dev"" with IAM Member: Role "roles/iam.serviceAccountUser" Member "serviceAccount:asadsfs@poc-dev-1221.iam.gserviceaccount.com": Error retrieving IAM policy for project "poc-dev": googleapi: Error 403: The caller does not have permission, forbidden

当前Cloud Build服务账号绑定的角色

自定义角色cloudbuild
Cloud Build Service Account
Service Account Admin
Create Service Accounts
Delete Service Accounts
Service Account User
Storage Admin

问题根源分析

你碰到的403错误核心原因是：Cloud Build服务账号缺少修改项目IAM策略的权限。你当前配置的角色里，Service Account Admin等只是针对服务账号本身的管理权限（比如创建、删除SA），但google_project_iam_member操作的是项目级别的IAM政策——这个动作需要读取和修改项目IAM规则的权限，而你的Cloud Build账号目前没有这些权限。

具体来说，Terraform执行google_project_iam_member时，需要两个关键权限：