I have the following script I'd like to execute to create my service account and give it a Cloud Build Service Account role.
# create service account for github actions
gcloud iam service-accounts create github-actions --display-name="Github Actions"
# add iam permissions to github actions service account
gcloud iam service-accounts add-iam-policy-binding github-actions#project-id.iam.gserviceaccount.com --member='serviceAccount:github-actions#project-id.iam.gserviceaccount.com' --role='roles/cloudbuild.builds.builder'
The execution fails on the last command with
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/cloudbuild.builds.builder is not supported for this resource.
I don't know what that means or better said what I can do to solve that. I need that service account to have that role so I can start Cloud Build through my Github Actions pipeline with that service account.
This can be confusing. Service Accounts have a "dual nature". They can be treated as resources and identities just not at the same time. See Managing Service Accounts
You're attempting to grant a Service Account (github-actions#project-id.iam.gserviceaccount.com) an IAM binding. In this case, the Service Account is a resource. The binding you're attempting to make references the same Service Account (github-actions#project-id.iam.gserviceaccount.com), this time as an identity. This is not possible.
You possibly (!?) want to grant the binding (as it is) to the project (!) not the Service Account:
PROJECT=[[YOUR-PROJECT]]
ACCOUNT=github-actions
EMAIL="${ACCOUNT}#${PROJECT}.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ${PROJECT} \
--member="serviceAccount:${EMAIL}" \
--role='roles/cloudbuild.builds.builder'
But, please ensure that is your intent before issuing that command.
Related
GCP allows the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.
gcloud iam service-accounts add-iam-policy-binding GSA_NAME#GSA_PROJECT.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
We would like to create the same via Terraform resource and we tried this way, refer: article
resource "google_service_account_iam_binding" "service-account-iam" {
service_account_id = "GSA_NAME#GSA_PROJECT.iam.gserviceaccount.com"
role = "roles/iam.workloadIdentityUser"
members = [
"serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]",
]
}
But we received the below error:
Error: "service_account_id" ("XXX#XXX.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))#[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute#developer.gserviceaccount.com|a-z#[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$)"
What's wrong here?
service_account_id is the fully-qualified name of the service account to apply the policy to.
projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL
I want to create a user via gcloud tools in terminal not using the user interface.
I can create a service account using gcloud tools like this: gcloud iam service-accounts create my-service-account --display-name="My Service Account" and give it permissions like this gcloud projects add-iam-policy-binding project-name --member="serviceAccount:my-service-account#project-name.iam.gserviceaccount.com" --role="roles/editor"
I can't find the way to do this for a user instead of a service account. The closest I could find was to run: gcloud projects add-iam-policy-binding my-project --member="user:person#gmail.com" --role="roles/editor" which results in the error ERROR: Policy modification failed because the user does not exist. If I create the user manually in the user interface then adding roles works.
How do I create the user via gcloud? This is what it looks like in the user interface..
Turns out gcloud projects add-iam-policy-binding my-project --member="user:person#gmail.com" --role="roles/editor" does 'add' the user.
Re: Kolban's comment. There might be a misunderstanding since I don't want to create a gmail user I just want to do the equivalent of adding them (+ADD button above) and type into the "new principals" textbox and add a role. Above code works.
The Add Button in the permissions pages (IAM) does not result in the creation of a new user (i.e. it does not ADD a user). Instead, what the add means is that we are adding permissions to the authority of the user. Clicking add allows us to name an existing identity and also the role we wish to add to the user.
The equivalent gcloud command would be gcloud projects add-iam-policy-binding that is currently documented in the GCP documentation here.
There are 2 commands I am confused for some time:
gcloud iam service-accounts get-iam-policy
gcloud iam service-accounts set-iam-policy
from the --help command, these 2 commands treat service account as a resource, most often I use service account as an identity, for example, in a project, set policy by binding role with service account so this service account can operate on something in that project.
Can someone please point out what is the usage to attach the policy to service account? how does service account act as a resource rather than an identity?
As explained in this below part of the official documentation Managing service accounts
:
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
So, use it as a resource has to goal for you to manage who can use and control the service account. To provide some additional details, as in this example here, with the policies attached to them, you can configure the level of access that different users can have within service accounts - as mentioned there, you can configure that some users have viewer access, while others have editor level.
To summarize, the functinality of attaching policies to a service account is for you to set different levels of access and permissions to users who can access the service account.
I have a service account in gcloud that i am using to create a new topic and subscription to that topic in that order.
However i need to be able to assign the newly created subscription to the service account explicitly. In the UI this is done by going to
Pubsub > Subscription > Selecting the subscription and then clicking on "Search member" > Adding the service account.
However I want to automate this using the gcloud command.
So far I have been able to :
1) Activate a service account serviceAccountA
2) Create Topic
3) Create subscription to the Topic
While trying to use the following command to set iam policy on the service account so as to give pubsub.editor role to the service account.
gcloud iam service-accounts set-iam-policy serviceAccountA <json> file path>
Json file content is as below:
{
"bindings": [
{
"role": "roles/pubsub.editor",
"members": ["serviceAccountA"]
}
]
}
The above gcloud command results in the error:
ERROR: (serviceAccountA PERMISSION_DENIED: Not allowed to get project settings for project <id>
I am missing something. Is there an easy way to associate the subscription with a specific service account?
I suspect the problem is that the service account you've activated doesn't have permissions to give itself permissions. Try setting this with a gcloud account that has edit permissions for the project. You can set the current account with gcloud auth login or gcloud config configurations activate <your_config>.
I want to create a service account on GCP using a python script calling the REST API and then give it specific roles - ideally some of these, such as roles/logging.logWriter.
First I make a request to create the account which works fine and I can see the account in Console/IAM.
Second I want to give it the role and this seems like the right method. However, it is not accepting roles/logging.logWriter, saying HttpError 400, "Role roles/logging.logWriter is not supported for this resource.">
Conversely, if I set the desired policy in console, then try the getIamPolicy method (using the gcloud tool), all I get back is response etag: ACAB, no mention of the actual role I set. Hence I think these roles refer to different things.
Any idea how to go about scripting a role/scope for a service account using the API?
You can grant permissions to a GCP service account in a GCP project without having to rewrite the entire project policy!
Use the gcloud projects add-iam-policy-binding ... command for that (docs).
For example, given the environment variables GCP_PROJECT_ID and GCP_SVC_ACC the following command grants all privileges in the container.admin role to the chosen service account:
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member=serviceAccount:${GCP_SVC_ACC} \
--role=roles/container.admin
To review what you've done:
$ gcloud projects get-iam-policy $GCP_PROJECT_ID \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:${GCP_SVC_ACC}"
Output:
ROLE
roles/container.admin
(or more roles, if those were granted before)
Notes:
The environment variable GCP_SVC_ACC is expected to contain the email notation for the service account.
Kudos to this answer for the nicely formatted readout.
You appear to be trying to set a role on the service account (as a resource). That's for setting who can use the service account.
If you want to give the service account (as an identity) a particular role on the project and its resources, see this method: https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy