kubernetes Google Cloud Service Account with 'roles/container.admin'

2w2cym1i posted on 2023-04-20 in Kubernetes
Follow(0) | Answers(3) | Views(137)

I am trying to create a service account with 'roles/container.admin' and I get an error saying the role is not supported for this resource.

$ gcloud iam service-accounts add-iam-policy-binding sa-ci-vm@PROJECT-ID.iam.gserviceaccount.com --member='serviceAccount:sa-ci-vm@PROJECT-ID.iam.gserviceaccount.com' --role='roles/container.admin'

ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/container.admin is not supported for this resource.

If I create a service account from the Console UI, I can add this role without any problem.


ewm0tg9j1#

You have to add the role to the service account at the project level using gcloud projects, as shown below.
This worked for me:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member serviceAccount:sa-ci-vm@PROJECT-ID.iam.gserviceaccount.com \
--role roles/container.admin
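Added example (not from the question or any of the answers): what `add-iam-policy-binding` does under the hood is a read-modify-write on the target resource's IAM policy: `get-iam-policy`, merge the member into the role's binding, then `set-iam-policy` carrying the same etag so a concurrent change is rejected instead of overwritten. The resource matters. The service-account policy (the command in the question) controls who may act as or impersonate that service account, while the project policy (answer 1) controls what the service account may do in the project, which is where roles/container.admin belongs. The Python below reproduces the merge on a constructed project policy and adds a small audit helper for reviewing who holds a broad role; the sample policy, its etag and all principals are made up.

```python
"""Offline model of `gcloud ... add-iam-policy-binding`:
get-iam-policy -> merge binding -> set-iam-policy (with etag).
The policy document is constructed; nothing here talks to GCP.
"""
from copy import deepcopy

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_PROJECT_POLICY = {
    "version": 1,
    "etag": "BwXyZ123abc=",  # made-up etag
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/container.admin",
         "members": ["group:gke-admins@example.com"]},
    ],
}

# The service account from the question (hypothetical project id).
SA_MEMBER = "serviceAccount:sa-ci-vm@PROJECT-ID.iam.gserviceaccount.com"


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` granted `role`.

    Mirrors gcloud's behaviour: idempotent (re-adding an existing member
    changes nothing), appends a new binding when the role is absent, and
    preserves the etag so the caller can send it back with set-iam-policy
    for optimistic concurrency. Conditional bindings are left alone; gcloud
    only merges into them when an explicit condition is supplied.
    """
    new = deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def members_with_role(policy, role):
    """Audit helper: every principal holding `role` in this policy, sorted."""
    return sorted(
        member
        for binding in policy.get("bindings", [])
        if binding["role"] == role
        for member in binding["members"]
    )


if __name__ == "__main__":
    updated = add_binding(SAMPLE_PROJECT_POLICY, "roles/container.admin", SA_MEMBER)
    # Before applying, review who else ends up with cluster-admin-level power.
    for principal in members_with_role(updated, "roles/container.admin"):
        print("roles/container.admin ->", principal)
    assert updated["etag"] == SAMPLE_PROJECT_POLICY["etag"]
```

In a real run the policy comes from `gcloud projects get-iam-policy PROJECT_ID --format=json`, `add_binding` is applied, and the result is written back with `gcloud projects set-iam-policy PROJECT_ID policy.json`; if the etag no longer matches, the API refuses the write and the sequence is repeated from the read. The `members_with_role` pass is the step worth keeping: roles/container.admin grants full control of every GKE cluster in the project, so listing its holders before adding one more is a cheap least-privilege check.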

qlzsbp2j2#

I got the same error. You have to give the full path of the role.
gcloud iam service-accounts add-iam-policy-binding SERVICEACCOUNT --member=serviceAccount:SERVICEACCOUNT_EMAIL --role=projects/PROJECTNAME/roles/ROLENAME


ut6juiuv3#

As Vinayak pointed out, you need to reference the role's ID, which includes projects/$project_id. I ran into this in Terraform, so if you create the role and the binding in Terraform, make sure you reference the custom role like this:

resource "google_project_iam_member" "binding" {
  project = var.project_id
  # .id resolves to "projects/<project_id>/roles/CustomRole", the full
  # role path the IAM API expects for a project-level custom role.
  role    = google_project_iam_custom_role.custom_role.id
  member  = "serviceAccount:${google_service_account.sa.email}"
}

resource "google_project_iam_custom_role" "custom_role" {
  project = var.project_id
  role_id = "CustomRole"
  title   = "custom role"
  permissions = [
    "pubsub.snapshots.create",
    "pubsub.snapshots.delete",
    ...
  ]
}
