Environment Details
While connecting, GCP administrators can sometimes run into an error similar to the one below:
ERROR: (gcloud.iam.roles.update) PERMISSION_DENIED: You don't have permission to get the role at organizations/123456789098/roles/VantaProjectScanner.
Note: the organization ID will be unique to your organization. The ID above, 123456789098, is a random sequence of numbers used for example purposes only and will not be present in your specific error message.
Example from Cloud Shell
admin@cloudshell:~ (gcp-testing-123456)$ bash ./individual-projects-vanta-gcp-connection.sh "gcp-testing-123456" "test-provider" "test-prod"
[ Vanta ] Creating custom role VantaProjectScanner for listing project resources with configuration metadata.
Note: permissions [compute.subnetworks.get] are in 'TESTING' stage which means the functionality is not mature and they can go away in the future. This can break your workflows, so do not use them in production systems!
Are you sure you want to make this change? (Y/n)? y
ERROR: (gcloud.iam.roles.update) PERMISSION_DENIED: You don't have permission to get the role at organizations/123456789098/roles/VantaProjectScanner.
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: iam.googleapis.com
  metadata:
    permission: iam.roles.get
    resource: organizations/123456789098/roles/VantaProjectScanner
  reason: IAM_PERMISSION_DENIED
Cause
A common cause of this error is that the administrator running the shell commands does not have the Owner role assigned at the organization level. The Organization Administrator role alone is insufficient: as the error details show, the script needs the iam.roles.get permission on the organization-level custom role, and we usually see this error when the user's permissions fall short of that.
Resolution
Ensure that your user in GCP has the minimum required permissions defined here.
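As an added pre-flight check (this is example code, not part of Vanta's connection script or this article), the functions below list the roles bound to your user at the organization level and confirm that roles/owner is among them before you run the script, and parse a gcloud ErrorInfo block to show which permission was denied. They assume gcloud is installed and authenticated; ORG_ID and the member address are placeholders, and roles granted through a group membership are not detected.

```shell
# Added example (not Vanta's script): pre-flight check for the org-level Owner
# role that the Vanta connection script needs in order to create and update
# the VantaProjectScanner custom role.
set -eu

# Return 0 if the newline-separated list of roles on stdin contains roles/owner.
# Kept free of gcloud calls so it can be exercised with constructed input.
org_roles_include_owner() {
  grep -x 'roles/owner' >/dev/null
}

# Print the roles bound directly to MEMBER (e.g. user:admin@example.com,
# a placeholder) in the IAM policy of organizations/ORG_ID (a placeholder).
# Roles inherited via a group are not listed here.
list_org_roles_for_member() {
  org_id="$1"
  member="$2"
  gcloud organizations get-iam-policy "$org_id" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${member}" \
    --format='value(bindings.role)'
}

# Read a gcloud ErrorInfo block (as shown in the error above) from stdin and
# print "<permission> <resource>" so the operator sees exactly what was denied.
parse_denied_permission() {
  awk '/^ *permission:/ {p=$2} /^ *resource:/ {r=$2} END {print p, r}'
}

# Usage: preflight ORG_ID user:admin@example.com
preflight() {
  org_id="$1"
  member="$2"
  if list_org_roles_for_member "$org_id" "$member" | org_roles_include_owner; then
    echo "OK: ${member} holds roles/owner on organizations/${org_id}"
  else
    echo "MISSING: ${member} does not hold roles/owner on organizations/${org_id}" >&2
    return 1
  fi
}
```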