Problem
When trying to set up a Security Command Center (SCC) notification to publish findings to a Pub/Sub topic as described in this guide, the gcloud scc notifications create command throws the following error:
DEBUG: (gcloud.scc.notifications.create) User [USER@DOMAIN.com] does not have permission to access organization [ORGANIZATION_NUMBER] (or it may not exist): The caller does not have permission.
USER@DOMAIN.com has the correct permissions outlined in the aforementioned guide and the organization number is correct.
Environment
- Security Command Center (SCC)
- Pub/Sub topic in a project inside a VPC Service Controls (VPC SC) perimeter
- Pub/Sub API is one of the perimeter's protected services
Solution
Option 1
- Use a Pub/Sub topic that is not protected by VPC Service Controls.
Option 2
- Temporarily remove the Pub/Sub API from the protected services of your current VPC SC perimeter.
- Run the same gcloud scc notifications create command again to create the notification configuration.
- Add the SCC service account created by that command to your VPC SC access policy.
- Re-add the Pub/Sub API to your VPC SC protected services.
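The four Option 2 steps as a gcloud script, added here as an example and not part of the original article. All SCC_*/VPCSC_* values are placeholders to replace, and the service-agent name format used in step 3 is an assumption that you should confirm against the account actually created in step 2.

```shell
# Added example, not from the original article. Placeholder values must be
# replaced; the service-agent name format is an assumption to confirm against
# the account that appears after step 2.
set -eu

GCLOUD="${GCLOUD:-gcloud}"                        # GCLOUD=echo prints the commands instead
VPCSC_POLICY="${VPCSC_POLICY:-ACCESS_POLICY_NUMBER}"
VPCSC_PERIMETER="${VPCSC_PERIMETER:-PERIMETER_NAME}"
SCC_ORG="${SCC_ORG:-ORGANIZATION_NUMBER}"
SCC_PROJECT="${SCC_PROJECT:-PROJECT_ID}"
SCC_TOPIC="${SCC_TOPIC:-scc-findings}"
SCC_NOTIFICATION="${SCC_NOTIFICATION:-scc-findings-to-pubsub}"
SCC_LEVEL="${SCC_LEVEL:-scc_service_agent}"

# Step 1: temporarily take Pub/Sub out of the perimeter's restricted services.
remove_pubsub_from_perimeter() {
  "$GCLOUD" access-context-manager perimeters update "$VPCSC_PERIMETER" \
    --policy="$VPCSC_POLICY" --remove-restricted-services=pubsub.googleapis.com
}

# Step 2: create the notification config; SCC provisions its service agent here.
create_scc_notification() {
  "$GCLOUD" scc notifications create "$SCC_NOTIFICATION" --organization="$SCC_ORG" \
    --pubsub-topic="projects/$SCC_PROJECT/topics/$SCC_TOPIC" \
    --filter='state = "ACTIVE"' --description="SCC findings to Pub/Sub"
}

# Step 3: admit the service agent through an access level attached to the perimeter.
allow_scc_service_agent() {
  sa="service-org-${SCC_ORG}@security-center-api.iam.gserviceaccount.com"  # assumed format
  spec="$(mktemp)"
  printf -- '- members:\n  - serviceAccount:%s\n' "$sa" > "$spec"
  "$GCLOUD" access-context-manager levels create "$SCC_LEVEL" --policy="$VPCSC_POLICY" \
    --title="SCC service agent" --basic-level-spec="$spec"
  "$GCLOUD" access-context-manager perimeters update "$VPCSC_PERIMETER" \
    --policy="$VPCSC_POLICY" --add-access-levels="$SCC_LEVEL"
  rm -f "$spec"
}

# Step 4: put Pub/Sub back under VPC SC protection.
readd_pubsub_to_perimeter() {
  "$GCLOUD" access-context-manager perimeters update "$VPCSC_PERIMETER" \
    --policy="$VPCSC_POLICY" --add-restricted-services=pubsub.googleapis.com
}

# Run the steps in order; step 3 only runs once step 2 has succeeded.
run_option_2() {
  remove_pubsub_from_perimeter && create_scc_notification &&
    allow_scc_service_agent && readd_pubsub_to_perimeter
}
```

Call run_option_2 after exporting your real values; the window in which Pub/Sub is unprotected lasts only between steps 1 and 4.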
Cause
Security Command Center is an Organization-level object, while a Pub/Sub topic is a Project-level object. VPC Service Controls does not support Organization-level objects and does not treat a parent Organization as part of its child Project's perimeter.
Therefore, attempts by an Organization-level object to connect to a Project-level object protected by a VPC SC perimeter will always fail with a RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violation.