KB-DA9B

P9 G8B-Token Provisioning Log 2026-04-29 Run2 — FAIL GSM IAM (insufficient role)


Scope: G8B-Token v0.4 — Phase 2 only (User confirmed Phase 1 IAM grant complete)
Executor: Claude Code via SSH to the contabo VPS
Result: FAIL — GSM IAM still insufficient (the Phase 1 role grant does not carry secretmanager.secrets.create)
Mutation status: no Directus users created, no Directus token PATCH, no TAC item writes, no GSM secrets created.


1. Pre-checks (PASS)

1a. VPS + admin token

HOST=vmi3080463
ADMIN_TOKEN=****d495 (read from /opt/incomex/docker/.env)
DIRECTUS_URL=http://172.18.0.4:8055 (container IP — host port 8055 not published)

Note: docker exec incomex-directus printenv DIRECTUS_ADMIN_TOKEN returned empty; fallback to env file succeeded.

1b. GSM preflight (partial)

GSM_ACCOUNT=cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com
GSM_PROJECT=github-chatgpt-ggcloud (describe OK)
SECRET_DIRECTUS_TAC_AGENT_TOKEN=ABSENT (describe failed silently — see §2)
SECRET_DIRECTUS_TAC_ADMIN_TOKEN=ABSENT (describe failed silently — see §2)

The preflight used the pattern "describe 2>/dev/null && EXISTS || ABSENT". Discarding stderr collapsed PERMISSION_DENIED into ABSENT, so the IAM problem was reported as "secret not yet created" and only surfaced at Step 2.
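The following is an added example (not the run's own preflight script) of a probe that keeps stderr and classifies the gcloud outcome, so a denied describe is reported as DENIED and stops the preflight instead of being folded into ABSENT. The three fake_describe_* functions are constructed stand-ins that reproduce the stderr seen in this run; gsm_preflight is the real wrapper and assumes gcloud is on PATH (it is not invoked in the demo).

```bash
#!/bin/sh
# secret_state CMD [ARGS...]
# Runs CMD, discards its stdout, captures its stderr, and prints one of
# EXISTS / ABSENT / DENIED / ERROR. Returns 0 only when a trustworthy answer
# was reached (EXISTS or ABSENT), 2 for DENIED, 3 for anything else, so a
# `set -e` preflight stops instead of proceeding on a masked failure.
secret_state() {
    rc=0
    err=$("$@" 2>&1 >/dev/null) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo EXISTS
        return 0
    fi
    case $err in
        *PERMISSION_DENIED*|*"does not have permission"*)
            echo DENIED; return 2 ;;
        *NOT_FOUND*)
            echo ABSENT; return 0 ;;
        *)
            echo ERROR; return 3 ;;   # e.g. gcloud missing, auth expired, network
    esac
}

# gsm_preflight PROJECT SECRET...   (needs gcloud; not run in the demo below)
# Prints SECRET_<name>=<state> per secret and aborts on the first DENIED/ERROR,
# i.e. before any token is generated.
gsm_preflight() {
    project=$1; shift
    for name in "$@"; do
        state=$(secret_state gcloud secrets describe "$name" --project="$project") || {
            echo "preflight: $name -> $state, stopping before token generation" >&2
            return 1
        }
        echo "SECRET_${name}=${state}"
    done
}

# Constructed stand-ins reproducing the stderr seen in this run (sample data,
# not live gcloud calls).
fake_describe_denied() {
    echo "ERROR: (gcloud.secrets.describe) PERMISSION_DENIED: Permission 'secretmanager.secrets.get' denied for resource" >&2
    return 1
}
fake_describe_absent() {
    echo "ERROR: (gcloud.secrets.describe) NOT_FOUND: Secret [projects/.../secrets/DIRECTUS_TAC_AGENT_TOKEN] not found." >&2
    return 1
}
fake_describe_exists() { echo "name: projects/.../secrets/DIRECTUS_TAC_AGENT_TOKEN"; }

secret_state fake_describe_exists                       # EXISTS
secret_state fake_describe_absent                       # ABSENT
secret_state fake_describe_denied || echo "preflight would stop here (rc=$?)"   # DENIED, rc=2
```

The masked pattern and this one differ only in what happens to stderr; the exit-code convention (0 for a real answer, non-zero for "could not tell") is what lets a `set -e` runbook fail closed.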

1c. Users — clean slate

{"count": 0, "users": []}

1d. Roles + permissions intact

[
  {"name":"tac-admin","id":"81a7571c-1cab-4978-8f36-bc9e1406c3b9"},
  {"name":"tac-agent","id":"8b7e0fb7-6b9d-4513-83a1-0d9dd7a7eb88"}
]
TAC_PERMISSIONS=84

1e. Gate A/B/C unchanged

Gate A: tables=14, fn=7, trg=6
Gate B: collections=14
Gate C: tac_total_rows=61

All match G8B-RP read-only reverify (2026-04-29).


2. Execution — STOPPED at Step 2 (GSM store)

Step 1 — token generation: PASS

TAC_AGENT_TOKEN=****74b9 (in-memory only)
TAC_ADMIN_TOKEN=****d730 (in-memory only)

Step 2 — GSM store: FAIL

gcloud secrets create DIRECTUS_TAC_AGENT_TOKEN --replication-policy=automatic --project=github-chatgpt-ggcloud
ERROR: PERMISSION_DENIED: Permission 'secretmanager.secrets.create' denied
       reason: IAM_PERMISSION_DENIED

gcloud secrets versions add DIRECTUS_TAC_AGENT_TOKEN --project=... --data-file=-
ERROR: NOT_FOUND: Secret [projects/812872501910/secrets/DIRECTUS_TAC_AGENT_TOKEN] not found
       (because create failed above)

Token vars unset immediately after failure. STOP before any Directus mutation.
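The ordering that §2 follows (generate in memory, store to GSM, only then mutate Directus) as an added example, not the run's own script. The store and consumer commands are parameters so the flow can be exercised offline; in the real run they are `gcloud secrets versions add NAME --data-file=-` and the Directus token PATCH. The fake_* functions are constructed stand-ins for the failure modes, and the token variable is deliberately left global to mirror the session variables that had to be unset.

```bash
#!/bin/sh
# provision_token NAME STORE_CMD CONSUME_CMD
#   STORE_CMD   NAME        reads the token on stdin, exit 0 on success
#   CONSUME_CMD NAME TOKEN  runs only after the store succeeded
# Prints ok / aborted-at-store / aborted-at-consume and returns 0 / 2 / 3.
# The token is cleared on every exit path.
provision_token() {
    name=$1; store=$2; consume=$3
    # Step 1: generate in memory only (256 random bits, hex encoded).
    token=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    # Step 2: store first. A failure here must not leak into Step 3,
    # otherwise a Directus user would exist whose token lives nowhere durable.
    if ! printf '%s' "$token" | "$store" "$name"; then
        unset token
        echo "aborted-at-store"
        return 2
    fi
    # Step 3: only now hand the token to the consumer. If this fails, a GSM
    # version already exists and must be reported as an orphan for cleanup.
    if ! "$consume" "$name" "$token"; then
        unset token
        echo "aborted-at-consume"
        return 3
    fi
    unset token
    echo "ok"
}

# Constructed stand-ins (sample data, not real gcloud or Directus calls).
fake_store_notfound() {
    cat >/dev/null
    echo "ERROR: NOT_FOUND: Secret [projects/.../secrets/$1] not found" >&2
    return 1
}
fake_store_ok()      { cat >/dev/null; return 0; }
fake_consume_ok()    { [ -n "$2" ]; }                      # succeeds only if it received a token
fake_consume_trace() { echo "CONSUMER RAN for $1"; }        # would reveal an ordering bug
fake_consume_fail()  { return 1; }

# Reproduces this run: the store fails because the secret was never created,
# so the consumer is never reached and no token survives in the shell.
provision_token DIRECTUS_TAC_AGENT_TOKEN fake_store_notfound fake_consume_trace || echo "rc=$?"
```

Note the asymmetry between the two failure paths: a store failure leaves nothing behind, while a consumer failure leaves a secret version that the post-FAIL check in §3 ("no orphan GSM versions") would have to flag.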

Diagnostic — current SA permissions on project

gcloud secrets describe DIRECTUS_TAC_AGENT_TOKEN
  ERROR: PERMISSION_DENIED: Permission 'secretmanager.secrets.get' denied

gcloud projects get-iam-policy github-chatgpt-ggcloud
  ERROR: does not have permission ... getIamPolicy

secretmanager.secrets.get is included in roles/secretmanager.secretVersionManager, yet the describe call is denied, so the effective policy on the SA does not contain that role at project scope. Possible causes:

  • The Phase 1 binding has not propagated yet (IAM changes usually take effect within about 2 minutes, but can take 7 minutes or longer).
  • The role was bound to a different member or a different project, or carries a condition that does not match these calls.
  • The only binding in effect is still the resource-scoped secretAccessor from the S176 fix, which grants neither secrets.get at project scope nor secrets.create.

Independently of propagation, roles/secretmanager.secretVersionManager does NOT include secretmanager.secrets.create even when correctly applied: it manages versions of secrets that already exist. To create a brand-new secret the SA needs a role that carries secrets.create (roles/secretmanager.admin is the predefined one), or the secret must be pre-created by a privileged caller, after which the existing grant is enough to add versions.


3. Mutation safety — clean state confirmed post-FAIL

Directus users (tac-agent@/tac-admin@): 0 (unchanged)
GSM secrets DIRECTUS_TAC_*: still absent / inaccessible (unchanged)
Roles, policies, permissions, Gate A/B/C: all untouched

No orphan GSM versions. No tokenless Directus users. No TAC item writes.


4. Required action from User (owner machine, nmhuyen@gmail.com)

Two options. Option A is recommended because it covers both create and version add in one grant; note that it also gives the SA full control over every secret in the project (including their IAM policies), so Option B is the tighter choice if the two secrets only ever need to be created once.

Option A (preferred): grant roles/secretmanager.admin at project scope

gcloud projects add-iam-policy-binding github-chatgpt-ggcloud \
  --member='serviceAccount:cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com' \
  --role='roles/secretmanager.admin' \
  --condition=None

Option B: pre-create the 2 empty secrets as the owner and keep the current grant (secretVersionManager is sufficient to add versions to secrets that already exist)

gcloud secrets create DIRECTUS_TAC_AGENT_TOKEN --replication-policy=automatic --project=github-chatgpt-ggcloud
gcloud secrets create DIRECTUS_TAC_ADMIN_TOKEN --replication-policy=automatic --project=github-chatgpt-ggcloud

Then verify, as the owner, that the existing grant actually propagated, is bound to the right member, and carries no condition:

# Run as owner:
gcloud projects get-iam-policy github-chatgpt-ggcloud \
  --flatten="bindings[].members" \
  --filter="bindings.members:serviceAccount:cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com" \
  --format="table(bindings.role,bindings.condition.title)"
# Expect: roles/secretmanager.secretVersionManager (and/or secretAccessor) with an empty condition column.
# A binding that is missing here, or that shows a condition title, explains the denied describe in §2.

After either option, re-run G8B-Token Phase 2.


5. Verdict

G8B-Token FAIL — GSM IAM blocker (run 2).

  • Phase 1 IAM grant attempted by user, but effective permissions on VPS-side SA still lack secretmanager.secrets.create and secretmanager.secrets.get at project scope.
  • No mutations of any kind were performed.
  • Directus state, GSM state, and Gate A/B/C state are all unchanged from G8B-RP reverify.
  • G8B-RP remains PASS. Full G8 remains pending.
  • G11 remains pending.

STOP. Awaiting User remediation (Option A or B above).


G8B-Token Run 2 | S186 | 2026-04-29 | FAIL — GSM IAM
