hithwen

Reputation: 2203

Service accounts permissions

I'm quite new to GCP. I have a service account with the following roles: [screenshot of the roles]. I created a JSON key for it and used it to authenticate a gcloud client. This client is running on an instance in that project under that service account. I seem not to have permissions for anything:

# gcloud auth activate-service-account cloudbreak@**********-lab.iam.gserviceaccount.com --key-file **********-lab-804c90ab0a14.json
# gcloud auth list
                       Credentialed Accounts
ACTIVE  ACCOUNT
*       cloudbreak@**********-lab.iam.gserviceaccount.com
To set the active account, run:
    $ gcloud config set account `ACCOUNT`
# gcloud compute regions list
ERROR: (gcloud.compute.regions.list) Some requests did not succeed:
 - Required 'compute.regions.list' permission for 'projects/**********-lab'

# gcloud projects get-iam-policy **********-lab
ERROR: (gcloud.projects.get-iam-policy) User [cloudbreak@**********-lab.iam.gserviceaccount.com] does not
 have permission to access project [**********-lab:getIamPolicy] (or it may not exist): The caller does n
ot have permission

What am I missing?

Upvotes: 1

Views: 2993

Answers (3)

Sandro Huber

Reputation: 31

To repair your service accounts you can follow the hints in https://cloud.google.com/iam/docs/understanding-service-accounts.

The reason for the strange behavior is described as follows: "It is possible to delete a service account and then create a new service account with the same name. If you reuse the name of a deleted service account, it may result in unexpected behavior. [...] If you create a new service account with the same name as a recently deleted service account, the old bindings may still exist."

To remedy the issue:

  1. Create the service account with the same name
  2. Revoke all roles/permissions granted to that service account (will remove permissions from the old account)
  3. Grant the needed permissions (will grant them on the new account)

Upvotes: 2
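An added example, not code from any answer here, that automates steps 2 and 3 of the remedy above: it reads the JSON output of `gcloud projects get-iam-policy PROJECT --format=json` (a constructed sample is embedded), finds bindings that IAM still attributes to the deleted account (rendered as `deleted:serviceAccount:EMAIL?uid=UID`), and emits the revoke and re-grant commands for the live account. The project name, email and uid are made up.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output (not taken from the question). A binding left behind by a deleted
# principal is rendered by IAM as "deleted:serviceAccount:EMAIL?uid=UID", so
# the recreated account with the same email does not match it.
STALE_MEMBER = ("deleted:serviceAccount:cloudbreak@example-lab.iam.gserviceaccount.com"
                "?uid=123456789012345678901")
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/compute.admin", "members": [STALE_MEMBER]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:other@example-lab.iam.gserviceaccount.com",
                     STALE_MEMBER]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXexample=",
    "version": 1,
})


def stale_bindings(policy_json, sa_email):
    """Return (role, member) pairs still bound to a deleted account with this email."""
    policy = json.loads(policy_json)
    prefix = f"deleted:serviceAccount:{sa_email}?uid="
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(prefix):
                found.append((binding["role"], member))
    return found


def repair_commands(project, sa_email, stale):
    """For each stale binding: revoke it, then grant the same role to the live account."""
    cmds = []
    for role, member in stale:
        cmds.append(f"gcloud projects remove-iam-policy-binding {project} "
                    f"--member='{member}' --role='{role}'")
        cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                    f"--member='serviceAccount:{sa_email}' --role='{role}'")
    return cmds


if __name__ == "__main__":
    email = "cloudbreak@example-lab.iam.gserviceaccount.com"
    for cmd in repair_commands("example-lab", email, stale_bindings(SAMPLE_POLICY, email)):
        print(cmd)
```

Run it against real output (`gcloud projects get-iam-policy PROJECT --format=json > policy.json`) and review the printed commands before executing them, since the re-grant step recreates exactly the roles the old account had.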

Duck Hunt Duo

Reputation: 319

There is a long-standing bug in GCP in which deleting a service account and recreating it with the same name can cause issues with its permissions not being recognised. The behaviour you describe (creating a new service account with the same permissions and seeing it work) matches the symptoms of this bug.

Upvotes: 3

hithwen

Reputation: 2203

I solved this by creating a new service account (with the same roles) and using that one instead. I don't know what happens to the other one.

Upvotes: 0
