benschumacher

Reputation: 162

How do I entitle serviceAccounts via gcloud command-line for Kubernetes API access?

I'm trying to automate creation of service accounts for use with GKE via the gcloud command-line tool. I've figured out a flow that appears to mirror the process used by the Google Cloud Console, but my users don't seem to receive the appropriate access.

Here are the commands I'm executing, in order:

# Environment:
# - uname=<username>
# - email=<user's email address>
# - GCLOUD_PROJECT_ID=<project identifier>
# - serviceAccount="${uname}@${GCLOUD_PROJECT_ID}.iam.gserviceaccount.com"
$ gcloud iam service-accounts \
    create "${uname}" --display-name "email:${email}" --format json
$ gcloud projects \
    add-iam-policy-binding "${GCLOUD_PROJECT_ID}" \
        --member "serviceAccount:${serviceAccount}" \
        --role=roles/container.developer --format=json
$ gcloud iam service-accounts keys \
    create "${GCLOUD_PROJECT_ID}-${uname}.json" \
        --iam-account="${serviceAccount}"

When this executes, it creates a new service account and generates a key file locally. I then try to use this key to get credentials for my Kubernetes cluster.

$ gcloud config configurations create devcluster --activate
$ gcloud config set project devnet-166017
$ gcloud config set compute/zone us-central1-b
$ gcloud auth activate-service-account \
    --key-file="${GCLOUD_PROJECT_ID}-${uname}.json"
$ gcloud container clusters get-credentials devcluster
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: \
    code=403, message=Required "container.clusters.get" permission for \
    "projects/${GCLOUD_PROJECT_ID}/zones/us-central1-b/clusters/devcluster".

It appears that for some reason my service account doesn't have one of the permissions it needs to get credentials, but based on what I've read and what I've observed in the Console, I believe this permission should be part of the roles/container.developer role.

Thanks!

Upvotes: 4

Views: 3104

Answers (1)

ahmet alp balkan

Reputation: 45302

I assume by service account, you mean the Service Account for Google Cloud. Here are the IAM roles related to GKE: https://cloud.google.com/container-engine/docs/iam-integration (search for container.).

First create a service account:

gcloud iam service-accounts create --display-name "GKE cluster access" gke-test

Then create a key:

gcloud iam service-accounts keys create key.json --iam-account=gke-test@[PROJECT_ID].iam.gserviceaccount.com

Now you need to assign some roles to this service account, your options are:

  • roles/container.admin Full management of Container Clusters and their Kubernetes API objects.
  • roles/container.clusterAdmin Management of Container Clusters.
  • roles/container.developer Full access to Kubernetes API objects inside Container Clusters.
  • roles/container.viewer Read-only access to Container Engine resources.

Again, look at the https://cloud.google.com/container-engine/docs/iam-integration page for details.

I assign roles/container.viewer (a read-only role, the minimum you can assign to get-credentials) to this service account:

gcloud projects add-iam-policy-binding [PROJECT_ID] --role=roles/container.viewer --member=serviceAccount:gke-test@[PROJECT_ID].iam.gserviceaccount.com

Logout on gcloud from your current account:

gcloud auth revoke

Login to gcloud with the service account key:

gcloud auth activate-service-account --key-file=key.json

Try get-credentials:

$ gcloud container clusters get-credentials test --zone us-west1-a
Fetching cluster endpoint and auth data.
kubeconfig entry generated for test.

It works. I tried it with roles/container.developer, which also works.

You can try other permissions and see what works and what doesn't, although you made it clear that the documentation doesn't make it clear which roles have access to container.clusters.getCredentials.

Upvotes: 4
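A check that fits between the binding step and get-credentials, as an added example that is not part of the question or the answer: it reads the project's IAM policy (the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`) and reports whether the service account holds one of the four roles/container.* roles the answer lists, whether it instead relies on an overbroad primitive role, and which minimal binding to add if it has neither. The sample policy, project id and service account names are constructed; treating roles/owner, roles/editor and roles/viewer as sufficient-but-overbroad is my assumption, not a statement from the answer.

```python
"""Verify a GKE service account's project IAM bindings before get-credentials.

Added example, not from the question or answer. Assumptions: the policy dict
has the shape printed by `gcloud projects get-iam-policy PROJECT --format=json`,
and the four roles/container.* roles are the ones listed in the answer.
"""
import json

# Roles from the answer that allow get-credentials, least privileged first.
GKE_ROLES = (
    "roles/container.viewer",
    "roles/container.developer",
    "roles/container.clusterAdmin",
    "roles/container.admin",
)
# Primitive roles that would also satisfy it but are far broader than a
# cluster user needs (assumption, not from the answer).
OVERBROAD_ROLES = ("roles/owner", "roles/editor", "roles/viewer")


def roles_for_member(policy, member):
    """All roles bound to `member`; a member can appear in several bindings."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_gke_access(policy, project_id, sa_email):
    """Report whether the service account can run get-credentials and via which roles."""
    member = "serviceAccount:" + sa_email
    roles = roles_for_member(policy, member)
    gke = [r for r in GKE_ROLES if r in roles]
    broad = [r for r in OVERBROAD_ROLES if r in roles]
    fix = None
    if not gke and not broad:
        # The smallest binding the answer found sufficient for get-credentials.
        fix = ("gcloud projects add-iam-policy-binding {p} "
               "--role=roles/container.viewer --member={m}").format(p=project_id, m=member)
    return {"member": member, "gke_roles": gke, "overbroad_roles": broad,
            "can_get_credentials": bool(gke or broad), "fix_command": fix}


# Constructed sample policy standing in for real `get-iam-policy` output.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/container.developer",
     "members": ["serviceAccount:gke-test@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-bot@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:no-gke@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}""")

if __name__ == "__main__":
    for sa in ("gke-test", "ci-bot", "no-gke"):
        print(check_gke_access(SAMPLE_POLICY, "example-project",
                               sa + "@example-project.iam.gserviceaccount.com"))
```

Pipe real policy output through `json.load` in place of SAMPLE_POLICY; a missing binding here explains a 403 on get-credentials before any key is handed to a user.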
