istio letsencrypt cert-manager cloudns dns01 failing with Google API Error 403

Hi All,

I have installed cert-manager on GKE with issuers using the clouddns provider for dns01 validation. The providers are using a GCP service account with Cloud DNS admin roles.

However, on deploying a certificate, all challenges are failing with this error: error processing: GoogleCloud API call failed: googleapi: Error 403: Forbidden, forbidden

What could I be missing here?

My issuers are:

---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: internal-issuer
spec:
  selfSigned: {}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: mail@org.com
    privateKeySecretRef:
      name: letsencrypt-prod
    dns01:
      providers:
        - name: clouddns
          clouddns:
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: service-account.json
            project: mygcpproject
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: mail@org.com
    privateKeySecretRef:
      name: letsencrypt-staging
    dns01:
      providers:
        - name: clouddns
          clouddns:
            serviceAccountSecretRef:
              name: clouddns-dns01-solver-svc-acct
              key: service-account.json
            project: mygcpproject
jetstack/cert-manager
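As an added example (not part of this thread and not cert-manager's own code), a Python check that cross-verifies the posted ClusterIssuer's clouddns solver against the Secret it references: secret name and namespace, the key name, that the value decodes to a service-account JSON with the fields a key file carries, and that the key's project_id matches the issuer's project, which is worth confirming before digging into IAM roles. The provider dict and the Secret are constructed here; the namespace default assumes cert-manager's standard cluster resource namespace for ClusterIssuer secrets.

```python
import base64
import json

# Constructed copy of the posted issuer's dns01 provider (same secret ref and project).
ISSUER_PROVIDER = {
    "name": "clouddns",
    "clouddns": {
        "serviceAccountSecretRef": {"name": "clouddns-dns01-solver-svc-acct",
                                    "key": "service-account.json"},
        "project": "mygcpproject",
    },
}

def make_secret(name, key, sa_json, namespace="cert-manager"):
    """Build a Secret dict shaped like `kubectl get secret -o json` output
    (values base64-encoded under .data). Constructed sample data only."""
    data = base64.b64encode(json.dumps(sa_json).encode()).decode()
    return {"metadata": {"name": name, "namespace": namespace}, "data": {key: data}}

def check_clouddns_solver(provider, secret, cluster_resource_namespace="cert-manager"):
    """Return a list of findings; an empty list means nothing obvious is wrong.
    cluster_resource_namespace is where cert-manager looks up ClusterIssuer secrets."""
    findings = []
    cfg = provider["clouddns"]
    ref = cfg["serviceAccountSecretRef"]
    meta = secret["metadata"]
    if meta["name"] != ref["name"]:
        findings.append(f"secret name {meta['name']!r} != referenced {ref['name']!r}")
    if meta.get("namespace") != cluster_resource_namespace:
        findings.append(f"secret is in namespace {meta.get('namespace')!r}; a ClusterIssuer "
                        f"reads secrets from {cluster_resource_namespace!r}")
    raw = secret.get("data", {}).get(ref["key"])
    if raw is None:
        findings.append(f"secret has no key {ref['key']!r}; present: {sorted(secret.get('data', {}))}")
        return findings
    try:
        sa = json.loads(base64.b64decode(raw, validate=True))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        findings.append(f"key {ref['key']!r} is not base64-encoded JSON: {exc}")
        return findings
    if sa.get("type") != "service_account":
        findings.append(f"credential type {sa.get('type')!r}, expected 'service_account'")
    for field in ("client_email", "private_key", "private_key_id"):
        if not sa.get(field):
            findings.append(f"service account JSON lacks {field!r}")
    if sa.get("project_id") != cfg["project"]:
        findings.append(f"key belongs to project {sa.get('project_id')!r} but the issuer targets "
                        f"{cfg['project']!r}; the account needs its DNS role in the target project")
    return findings
```

An empty findings list does not prove the account has the Cloud DNS permissions; it only rules out the secret-side mismatches that produce the same symptom.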

Answers: ayushlodhi11

@ayushlodhi11 can we specify less-privileged permissions?

Not sure, haven't tried it.
