
I created a specific service account in GCP for provisioning clusters in my project:

# create the service account
gcloud iam service-accounts create [sa_name]

# grant it Kubernetes Engine Admin on the project
gcloud projects add-iam-policy-binding \
    [project_id] \
    --role=roles/container.admin \
    --member=serviceAccount:[sa_name]@[project_id].iam.gserviceaccount.com

# download a JSON key for it
gcloud iam service-accounts keys create [keyfile_name] \
  --iam-account=[sa_name]@[project_id].iam.gserviceaccount.com

# make gcloud use the service account
gcloud auth activate-service-account --key-file=[keyfile_name]

When I run the command gcloud container clusters create [cluster_name]

I always get:

ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Required "container.clusters.create" permission(s) for "projects/context-platform-staging". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.

As you can see, I use roles/container.admin, but I even tried to apply roles/editor and roles/owner to this service account, same behavior.

The only way this command works so far is to use my main google owner account (not a service account).

What am I missing here?

Comments:

- John Hanley: Is the default project (gcloud config list project) the same project that you created the service account for and you are using to create the cluster? My thinking is that your service account has privilege in one project and you are creating the cluster in a different project. Another item: what permissions does the project default service account have? You either need to specify --service-account=XXX or the project default service account needs permissions to create VMs.
- Sylver: Yes, there is only one project and gcloud config is well configured to use it. Not sure what you mean by project default service account, else I only use my owner account atm to do the privileged actions.
- John Hanley: You need the permission roles/iam.serviceAccountUser to the default service account (the service account that is assigned to the nodes in the cluster).
- Sylver: As I said, even roles/owner gets a 403 with the CLI while I have no issue from the web console. I added a whole bunch of roles to this owner account anyway, but still get permission denied. The right account is selected in gcloud auth list as in gcloud config list, along with the right project. I even append the --project [project name] flag to the command. Whatever I do, I get a 403.

1 Answer


From the error message, I understood that the service account does not have the permission "container.clusters.create".

Please add the "Container Engine Cluster Admin" and also "Container Engine Admin" roles on the service account that the cluster is being created with.

To create a cluster, you need the "container.clusters.create" permission on the project. You also need to assign the role "roles/iam.serviceAccountUser" to the user who will use the service account. In this way, the user can access GKE's service account.

For more information and an in-depth tutorial, please refer to this article in the GCP documentation.
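The thread raises two distinct causes for this 403: the role may have been granted in a different project than the one gcloud is targeting, and the caller may lack roles/iam.serviceAccountUser on the node service account. The following Python check, added here as an example and not part of the question, the answer, or any Google tooling, reads IAM policy documents in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy NODE_SA --format=json` and reports which of those conditions fails. The project IDs, service account names and policy contents are constructed sample data; the set of predefined roles that carry container.clusters.create is limited to the ones named on this page plus roles/container.clusterAdmin.

```python
import json

# Predefined roles that include container.clusters.create: the two GKE admin
# roles plus the basic editor/owner roles the question already tried.
CLUSTER_CREATE_ROLES = {
    "roles/container.admin",
    "roles/container.clusterAdmin",
    "roles/editor",
    "roles/owner",
}
SA_USER_ROLE = "roles/iam.serviceAccountUser"


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in one IAM policy document."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def diagnose(policies, target_project, sa_email, node_sa_policy=None):
    """Explain why `sa_email` may be unable to create a GKE cluster in `target_project`.

    policies:       {project_id: policy} for every project you can see, so a
                    grant made in the wrong project is detected.
    node_sa_policy: optional policy of the node service account itself, where
                    roles/iam.serviceAccountUser may be granted instead of at
                    project level.
    Returns (ok, findings); findings is empty when ok is True.
    """
    member = f"serviceAccount:{sa_email}"
    findings = []

    target_roles = roles_for_member(policies.get(target_project, {}), member)
    if not target_roles & CLUSTER_CREATE_ROLES:
        findings.append(
            f"{sa_email} holds no role granting container.clusters.create "
            f"in {target_project}"
        )
        # The comment thread's hypothesis: the binding exists, but in another project.
        for project, policy in policies.items():
            if project != target_project and roles_for_member(policy, member) & CLUSTER_CREATE_ROLES:
                findings.append(
                    f"...but it does in {project}; compare `gcloud config list project` "
                    f"and any --project flag"
                )

    # serviceAccountUser counts whether bound on the project or on the node SA.
    has_sa_user = SA_USER_ROLE in target_roles or (
        node_sa_policy is not None
        and SA_USER_ROLE in roles_for_member(node_sa_policy, member)
    )
    if not has_sa_user:
        findings.append(
            f"{sa_email} lacks {SA_USER_ROLE} on {target_project} "
            f"and on the node service account"
        )

    return (not findings, findings)


# Constructed sample data (hypothetical project IDs and service accounts).
SA_EMAIL = "cluster-provisioner@example-dev.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "example-dev": json.loads("""{
      "bindings": [
        {"role": "roles/container.admin",
         "members": ["serviceAccount:cluster-provisioner@example-dev.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]}
      ]}"""),
    "example-staging": json.loads("""{
      "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]}
      ]}"""),
}
# Policy on the node SA itself (gcloud iam service-accounts get-iam-policy).
NODE_SA_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:cluster-provisioner@example-dev.iam.gserviceaccount.com"]}
  ]}""")


if __name__ == "__main__":
    # gcloud pointed at the wrong project: two separate problems are reported
    for ok, findings in (
        diagnose(SAMPLE_POLICIES, "example-staging", SA_EMAIL),
        diagnose(SAMPLE_POLICIES, "example-dev", SA_EMAIL),
        diagnose(SAMPLE_POLICIES, "example-dev", SA_EMAIL, NODE_SA_POLICY),
    ):
        print("OK" if ok else "\n".join(findings))
```

Feed it real policies with `gcloud projects get-iam-policy PROJECT --format=json` for each project you administer; the first scenario in the sample reproduces the mismatch the first comment suspects, the second reproduces the missing serviceAccountUser grant from the answer, and the third passes.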