I created a specific service account in GCP for provisioning clusters in my project:
gcloud iam service-accounts create [sa_name]
gcloud projects add-iam-policy-binding \
[project_id] \
--role=roles/container.admin \
--member=serviceAccount:[sa_name]@[project_id].iam.gserviceaccount.com
gcloud iam service-accounts keys create [keyfile_name] \
--iam-account=[sa_name]@[project_id].iam.gserviceaccount.com
gcloud auth activate-service-account --key-file=[keyfile_name]
When I run the command gcloud container clusters create [cluster_name]
I always get:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403,
message=Required "container.clusters.create" permission(s) for
"projects/context-platform-staging". See
https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted
for more info.
As you can see, I use roles/container.admin but I even tried to apply the roles/editor and roles/owner to this service account, same behavior.
The only way this command works so far is to use my main google owner account (not a service account).
What am I missing here ?
From the error message, I understood that the service account does not have the permission "container.clusters.create".
Please add the "Container Engine Cluster Admin" and also "Container Engine Admin" roles on the service account that the cluster is being created with.
To create a cluster, you need the "container.clusters.create" permission on the project. You also need to assign the role "roles/iam.serviceAccountUser" to the user who will use the service account. In this way, the user can access GKE's service account.
For more information and in-depth tutorial, please refer to this article in the GCP documentation.
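An added example, not part of the original answer: a Python check that computes a service account's effective permissions from a project IAM policy plus role definitions, and reports which of the two permissions named above are missing or granted only through a conditional binding. The policy, role excerpts and account names are constructed, and only the project-level policy is examined (grants on folders, the organization, or the service account resource itself are out of scope).

```python
import json

# Permissions the answer above says cluster creation needs.
REQUIRED = {"container.clusters.create", "iam.serviceAccounts.actAs"}
SA = "provisioner@example-project.iam.gserviceaccount.com"  # constructed name

# Constructed excerpts shaped like `gcloud iam roles describe ROLE --format=json`;
# the real roles list many more includedPermissions.
ROLE_DEFS = {
    "roles/container.admin": {"includedPermissions": ["container.clusters.create"]},
    "roles/iam.serviceAccountUser": {"includedPermissions": ["iam.serviceAccounts.actAs"]},
}

# Constructed policy shaped like `gcloud projects get-iam-policy ID --format=json`.
POLICY = json.loads("""
{"bindings": [
  {"role": "roles/container.admin",
   "members": ["serviceAccount:provisioner@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:provisioner@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["deleted:serviceAccount:old@example-project.iam.gserviceaccount.com?uid=1"]}
]}
""")

def effective_permissions(policy, member, role_defs):
    """Return (unconditional, condition-gated only, roles with no definition)."""
    granted, gated, unknown = set(), set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue  # exact match: a "deleted:" entry never matches a live account
        role = role_defs.get(binding["role"])
        if role is None:
            unknown.add(binding["role"])
        elif "condition" in binding:
            gated.update(role["includedPermissions"])
        else:
            granted.update(role["includedPermissions"])
    return granted, gated - granted, unknown

def cluster_create_gaps(policy, sa_email, role_defs, required=frozenset(REQUIRED)):
    granted, gated, unknown = effective_permissions(
        policy, "serviceAccount:" + sa_email, role_defs)
    return {"missing": sorted(required - granted - gated),
            "conditional_only": sorted(required & gated),
            "undefined_roles": sorted(unknown)}

if __name__ == "__main__":
    print(json.dumps(cluster_create_gaps(POLICY, SA, ROLE_DEFS), indent=2))
```

Roles reported under `undefined_roles` are bound to the account but have no definition supplied, so their permissions were not counted; fetch them with `gcloud iam roles describe` and rerun.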
Background
By default, Cloud Run uses the Compute Engine default service account which grants a broad range of permissions which are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
1. Create a role with the desired set of permissions (using gcloud iam roles create)
2. Create a service account (using gcloud iam service-accounts create)
3. Bind the role permissions to the service account.
4. Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three-way binding between a user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding, with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition to a user-managed service account, but it's not mandatory. You can also create a user-managed service account and bind it with predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path for the role:
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>
I'm trying to set up an auto stop/start of some of my VMs in GCP and I already have a VM admin permission, but when adding a VM to an instance schedule I created I'm getting the error below:
Compute Engine System service account service-5424xxxxxxx@compute-system.iam.gserviceaccount.com needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation.
The problem is that the service account service-5424xxxxxxx@compute-system.iam.gserviceaccount.com does not have a role that contains the permissions compute.instances.start and compute.instances.stop.
The following roles contain that permission:
Compute Instance Admin - roles/compute.instanceAdmin
Compute Instance Admin (v1) - roles/compute.instanceAdmin.v1
Use the Google Cloud Console GUI to add the desired role or use the CLI:
gcloud projects add-iam-policy-binding REPLACE_WITH_PROJECT_ID \
--member "serviceAccount:service-5424xxxxxxx@compute-system.iam.gserviceaccount.com" \
--role "roles/compute.instanceAdmin.v1"
Of course, use the correct service account email address.
I know you can allow members to impersonate service accounts in GCP. Is it possible to allow one service account to impersonate another?
My use case is I have compute instances used for CI (running without many privileges) under service-account-a@mydomain.google.com.
I need them to be able to impersonate service-account-b@mydomain.google.com, which has privileges on the resources and objects it will deploy.
Is that possible?
Yes, you can grant permission for a service account (SA_A) to impersonate another service account (SA_B).
This requires that the service account (SA_A) possess the Service Account Token Creator role roles/serviceAccountTokenCreator on the resource SA_B.
The following grants SA_A permission to impersonate SA_B:
gcloud iam service-accounts add-iam-policy-binding [SA_B_FULL_EMAIL] \
--member serviceAccount:[SA_A_FULL_EMAIL] \
--role roles/iam.serviceAccountTokenCreator
REQUIREMENTS
The user executing the above command requires a number of items:
The following APIs must be enabled:
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
These commands enable the APIs:
gcloud services enable iamcredentials.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
The user requires the role roles/serviceusage.serviceUsageConsumer.
gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member "[ACCOUNT]" \
--role "roles/serviceusage.serviceUsageConsumer"
gcloud iam service-accounts add-iam-policy-binding
Google Cloud – Improving Security with Impersonation
Managing service account impersonation
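An added example, not part of the original answer: a Python audit that walks roles/iam.serviceAccountTokenCreator bindings to list every service account a principal can reach through impersonation. It goes beyond the single SA_A to SA_B grant shown above by following multi-hop chains and project-level grants; the policies, project and account emails are constructed.

```python
from collections import deque

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
DOMAIN = "example-project.iam.gserviceaccount.com"  # constructed project

def sa(name):
    """Build a constructed service account email such as service-account-a@..."""
    return f"service-account-{name}@{DOMAIN}"

# Constructed sample: each service account's own IAM policy, shaped like
# `gcloud iam service-accounts get-iam-policy EMAIL --format=json`.
SA_POLICIES = {
    sa("a"): {"bindings": []},
    sa("b"): {"bindings": [{"role": TOKEN_CREATOR,
                            "members": ["serviceAccount:" + sa("a")]}]},
    sa("c"): {"bindings": [{"role": TOKEN_CREATOR,
                            "members": ["serviceAccount:" + sa("b")]}]},
    # Not a Token Creator binding, so this check does not count it.
    sa("d"): {"bindings": [{"role": "roles/iam.serviceAccountUser",
                            "members": ["serviceAccount:" + sa("a")]}]},
}
# Constructed project-level policy: a Token Creator binding here covers every
# service account in the project, not one chosen target.
PROJECT_POLICY = {"bindings": [{"role": TOKEN_CREATOR,
                                "members": ["user:admin@example.com"]}]}

def holds(policy, member, role=TOKEN_CREATOR):
    return any(b["role"] == role and member in b.get("members", [])
               for b in policy.get("bindings", []))

def direct_targets(member, sa_policies, project_policy):
    if holds(project_policy, member):
        return sorted(sa_policies)
    return sorted(e for e, p in sa_policies.items() if holds(p, member))

def impersonation_reach(member, sa_policies, project_policy):
    """Return {service account: chain of hops from `member`}, breadth-first."""
    reach, queue = {}, deque([(member, [])])
    while queue:
        current, chain = queue.popleft()
        for target in direct_targets(current, sa_policies, project_policy):
            if target in reach or "serviceAccount:" + target == member:
                continue
            reach[target] = chain + [target]
            queue.append(("serviceAccount:" + target, chain + [target]))
    return reach

if __name__ == "__main__":
    for who in ("serviceAccount:" + sa("a"), "user:admin@example.com"):
        print(who, impersonation_reach(who, SA_POLICIES, PROJECT_POLICY))
```

In the sample, service-account-a reaches service-account-c only through service-account-b, a chain that no single binding shows on its own.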
I am trying to launch a notebook instance in AI platform but getting this error:
You are missing at least one of the following required permissions:
Project
compute.instances.list
But for the current project within the role as defined by project owner this permission has already been given apart from other compute instance permissions.
But still gives the permission error.
Thanks for help in advance
The service account used to create a notebook instance in Google AI platform is the default Compute Engine service account which has the primitive roles/editor.
Permission: Compute Engine default service account
The Compute Engine default service account is created with the Cloud
IAM project editor role, but you can modify the service account's
roles to securely limit which Google APIs the service account can
access.
You can check that the roles/editor includes compute.instances.list :
gcloud iam roles describe roles/editor | grep compute.instances.list
For troubleshooting check:
If you have the default compute service account:
gcloud iam service-accounts list | grep compute@developer.gserviceaccount.com
gcloud iam service-accounts describe your-project-number-compute@developer.gserviceaccount.com
Check the roles of the default compute service account:
gcloud projects get-iam-policy your-project --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:your-project-number-compute@developer.gserviceaccount.com"
Assuming you are the owner of the project, you should be able to create a new notebook instance with the default compute engine service account.
I am attempting to use an activated service account scoped to create and delete gcloud container clusters (k8s clusters), using the following commands:
gcloud config configurations create my-svc-account \
--no-activate \
--project myProject
gcloud auth activate-service-account my-svc-account@my-project.iam.gserviceaccount.com \
--key-file=/path/to/keyfile.json \
--configuration my-svc-account
gcloud container clusters create a-new-cluster \
--configuration my-svc-account \
--project=my-project \
--zone "my-zone"
I always receive the error:
...ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".
How do I grant my-svc-account access to the default service account for GKE?
After talking to Google Support, the issue was that the service account did not have the "Service Account User" permission activated. Adding "Service Account User" resolves this error.
Add the following role to the service account that makes the operation:
Service Account User
Also see:
https://cloud.google.com/kubernetes-engine/docs/how-to/iam#service_account_user
https://cloud.google.com/iam/docs/service-accounts#the_service_account_user_role
https://cloud.google.com/iam/docs/understanding-roles
For those that ended up here trying to do an Import of Firebase Firestore documents with a command such as:
gcloud beta firestore import --collection-ids='collectionA','collectionB' gs://YOUR_BUCKET
I got around the issue by doing the following:
From the Google Cloud Console Storage Bucket Browser, add the service account completing the operation to the list of members with a role of Storage Admin.
Re-attempt the operation.
For security, I revoked the role after the operation completed, but that's optional.
iam.serviceAccounts.actAs is the exact permission you need from Service Account User
I was getting the "The user does not have access to service account..." error even though I added the Service Account User role as others have suggested. What I was missing was the organization policy that prevented service account impersonation across projects. This is explained in the docs: https://cloud.google.com/iam/docs/impersonating-service-accounts#enabling-cross-project
Added Service Account User role to service account and it worked for me.