We Keep Coding

How to create the GCP workload identity IAM bindings in Terraform?

GCP allows the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.
gcloud iam service-accounts add-iam-policy-binding GSA_NAME#GSA_PROJECT.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]"
We would like to create the same via Terraform resource and we tried this way, refer: article
resource "google_service_account_iam_binding" "service-account-iam" {
service_account_id = "GSA_NAME#GSA_PROJECT.iam.gserviceaccount.com"
role = "roles/iam.workloadIdentityUser"
members = [
"serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]",
]
}
But we received the below error:
Error: "service_account_id" ("XXX#XXX.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\.)(?:a-z?):)?(?:[0-9]{1,19}|(?:a-z0-9?))#[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute#developer.gserviceaccount.com|a-z#[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$)"
What's wrong here?

service_account_id is the fully-qualified name of the service account to apply the policy to.
projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_EMAIL

error in add-iam-policy-binding to ESP end point service GCloud

I am trying to create an end point for an API to be deployed into existing GKE cluster by following the instructions in Getting started with Cloud Endpoints for GKE with ESPv2
I clone the sample code in the repo and modified the content of openapi.yaml:
# [START swagger]
swagger: "2.0"
info:
description: "A simple Google Cloud Endpoints API example."
title: "Endpoints Example"
version: "1.0.0"
host: "my-api.endpoints.my-project.cloud.goog"
I then deployed it via the command:
endpoints/getting-started (master) $ gcloud endpoints services deploy openapi.yaml
Now I can see that it has been created:
$ gcloud endpoints services list
NAME TITLE
my-api.endpoints.my-project.cloud.goog
I also have postgreSQL service account:
$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
my-postgresql-service-account my-postgresql-service-acco#my-project.iam.gserviceaccount.com False
In the section Endpoint Service Configuration of documentation it says to add the role to the attached service account for the endpoint service as follows, but I get this error:
$ gcloud endpoints services add-iam-policy-binding my-api.endpoints.my-project.cloud.goog
--member serviceAccount:my-postgresql-service-acco#my-project.iam.gserviceaccount.com
--role roles/servicemanagement.serviceController
ERROR: (gcloud.endpoints.services.add-iam-policy-binding) User [myusername#mycompany.com] does not have permission to access services instance [my-api.endpoints.my-project.cloud.goog:getIamPolicy] (or it may not exist): No access to resource: services/my-api.my-project.cloud.goog
The previous lines show the service exits, I guess? Now I am not sure how to resolve this? What permissions do I need? who can give me permission and what permissions he should have? how can I check? Is there any other solution?

The issue got resolved after I was assigned the role of "Project_Admin". It was not ideal as it was giving too much permission to me. The role "roles/endpoints.portalAdmin" was also tried but did not help.

Can't create role for service account because it is "not supported for this resource"

I have the following script I'd like to execute to create my service account and give it a Cloud Build Service Account role.
# create service account for github actions
gcloud iam service-accounts create github-actions --display-name="Github Actions"
# add iam permissions to github actions service account
gcloud iam service-accounts add-iam-policy-binding github-actions#project-id.iam.gserviceaccount.com --member='serviceAccount:github-actions#project-id.iam.gserviceaccount.com' --role='roles/cloudbuild.builds.builder'
The execution fails on the last command with
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/cloudbuild.builds.builder is not supported for this resource.
I don't know what that means or better said what I can do to solve that. I need that service account to have that role so I can start Cloud Build through my Github Actions pipeline with that service account.

This can be confusing. Service Accounts have a "dual nature". They can be treated as resources and identities just not at the same time. See Managing Service Accounts
You're attempting to grant a Service Account (github-actions#project-id.iam.gserviceaccount.com) an IAM binding. In this case, the Service Account is a resource. The binding you're attempting to make references the same Service Account (github-actions#project-id.iam.gserviceaccount.com), this time as an identity. This is not possible.
You possibly (!?) want to grant the binding (as it is) to the project (!) not the Service Account:
PROJECT=[[YOUR-PROJECT]]
ACCOUNT=github-actions
EMAIL="${ACCOUNT}#${PROJECT}.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ${PROJECT} \
--member="serviceAccount:${EMAIL}" \
--role='roles/cloudbuild.builds.builder'
But, please ensure that is your intent before issuing that command.

Service Account Unable to Interact with GKE Cluster in Another Project

A service account ($SERVICE_ACCOUNT_A) from one Google Cloud Platform (GCP) project ($PROJECT_A) is unable to interact with a Google Kubernetes Engine (GKE) cluster ($GKE_CLUSTER_B) within another GCP project ($PROJECT_B); where:
$PROJECT_A is the name of the project $SERVICE_ACCOUNT_A lives within
$SERVICE_ACCOUNT_A is of the form some-name#some-project-name#.iam.gserviceaccount.com
$PROJECT_B is the name of the project the $GKE_CLUSTER_B cluster lives within
$GKE_CLUSTER_B is a GKE cluster name, not context, of the form: some_cluster
$SERVICE_ACCOUNT_A is unable to interact with a $GKE_CLUSTER_B despite possessing roles from $PROJECT_B containing permissions that should allow it to do so.
I.e., first I created a custom role $ROLE:
gcloud iam roles create $ROLE \
--description="$ROLE_DESCRIPTION" \
--permissions=container.clusters.get,container.clusters.list \
--project=$PROJECT_B \
--title='$ROLE_TITLE'
#=>
Created role [$ROLE].
description: $ROLE_DESCRIPTION
etag: . . .
includedPermissions:
- container.clusters.get
- container.clusters.list
name: projects/$PROJECT_B/roles/$ROLE
stage: . . .
title: $ROLE_TITLE
then I associated $ROLE, from $PROJECT_B, with $SERVICE_ACCOUNT_A:
gcloud projects add-iam-policy-binding $PROJECT_B \
--member=serviceAccount:$SERVICE_ACCOUNT_A \
--role=projects/$PROJECT_B/roles/$ROLE
#=>
Updated IAM policy for project [$PROJECT_B].
auditConfigs:
. . .
and I am able to see $ROLE under $SERVICE_ACCOUNT_A:
gcloud projects get-iam-policy $PROJECT_B \
--flatten='bindings[].members' \
--format='value(bindings.role)' \
--filter="bindings.members:${SERVICE_ACCOUNT_A}"
#=>
projects/$PROJECT_B/roles/$ROLE
with the proper permissions:
gcloud iam roles describe $ROLE \
--flatten='includedPermissions' \
--format='value(includedPermissions)' \
--project=$PROJECT_B
#=>
container.clusters.get
container.clusters.list
but still unable to get $SERVICE_ACCOUNT_A to interact with $GKE_CLUSTER_B.
Why?

You need to enable the Kubernetes Engine API (found here) for $PROJECT_A, even if $PROJECT_A doesn't have or need a GKE cluster.
You can confirm this by creating a new JSON key for $SERVICE_ACCOUNT_A:
gcloud iam service-accounts keys create \
./some-key.json \
--iam-account="${SERVICE_ACCOUNT_A}" \
--key-file-type="json"
#=>
created key [$KEY_ID] of type [json] as [./some-key.json] for [$SERVICE_ACCOUNT_A]
activate the service account:
gcloud auth activate-service-account \
"${SERVICE_ACCOUNT_A}" \
--key-file=./some-key.json
#=>
Activated service account credentials for: [$SERVICE_ACCOUNT_A]
confirm it's active:
cloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
. . .
* $SERVICE_ACCOUNT_A
your#account.user
. . .
To set the active account, run:
$ gcloud config set account `ACCOUNT`
and attempt to interact with $GKE_CLUSTER_B:
gcloud container clusters list --project=$PROJECT_B
#=>
ERROR: (gcloud.container.clusters.list) ResponseError: code=403, message=Kubernetes Engine API has not
been used in project $PROJECT_A_ID before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/container.googleapis.com/overview?project=$PROJECT_A_ID
then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our
systems and retry.
where $PROJECT_A_ID is a numeric id of the form: xxxxxxxxxxxxx.
Visit the address returned along with the 403 above (here) and enable the Kubernetes Engine API. $SERVICE_ACCOUNT_A should now be able to interact with GKE clusters within $PROJECT_B:
gcloud container clusters list \
--project=$PROJECT_B \
--format='value(name)
#=>
. . .
some_cluster
. . .
including $GKE_CLUSTER_B.

ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default"

I have a gcp service account with kubernetes engine admin role, I get an error trying to create new cluster. Any ideas?
gcloud auth activate-service-account --key-file service_account.json
gcloud config set project my_proj_name
gcloud container clusters create dummy --num-nodes=3 -m n1-standard-8 --zone europe-west1-b
ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".
.

Issue solved after setting the service account role to the 'Editor' since kubernetes Engine Admin was not sufficient to create new cluster.

Seems your user does not have access to the service account or service account does not have the right role. You can check service account user role to your user and give Editor, compute admin and service account actor roles.