Reputation: 4431
I am looking at the IAM Service Accounts tab in the GCP control panel. I am editing a Service Account. I click "Grant Access," enter the email of the service account I am creating and attempt to add Storage Admin.
However, there is no such option in the list.
Also, a seemingly equivalent attempt to do this via the CLI fails:
gcloud projects add-iam-policy-binding my-project-id \
--member='serviceAccount:[email protected]' \
--role='projects/my-project-id/roles/storage.admin'
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role (projects/my-project-id/roles/storage.admin) does not exist in the resource's hierarchy.
Clearly, I am failing to understand something about how a service account is supposed to get granted a role.
Upvotes: 1
Views: 4010
Reputation: 81464
It is not clear what you are doing. Two important concepts: a service account can be both an identity and a resource. You are managing the service account as a resource in the screenshot. Your CLI command is managing the resource as an identity-granted role within a project.
Your CLI command specifies a custom role in the project. Did you create a custom role or are you trying to use an existing Google Cloud IAM role?
Most likely you want to do this:
gcloud projects add-iam-policy-binding my-project-id \
--member='serviceAccount:[email protected]' \
--role='roles/storage.admin'
Notice the difference in how the Role Name is specified.
Upvotes: 2
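The role-name difference above is easy to check in code. The following is an added example (not from the question or either answer): it classifies role IDs as predefined (`roles/...`) or custom (`projects/...` or `organizations/...` prefixed) and audits a constructed sample of `gcloud projects get-iam-policy --format=json` output for service accounts holding a given role, noting bindings that carry a condition. The project ID, service-account e-mails and custom role name in the sample are placeholders.

```python
import json
import re

# Constructed sample of `gcloud projects get-iam-policy my-project-id --format=json`
# output (not real policy data); e-mails and the custom role name are placeholders.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:my-sa@my-project-id.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@my-project-id.iam.gserviceaccount.com"]},
        {"role": "projects/my-project-id/roles/customDeployer",
         "members": ["serviceAccount:deploy@my-project-id.iam.gserviceaccount.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "BwXyz", "version": 3,
})

# Predefined roles are addressed as roles/<id>; custom roles live under a project or
# organization. A well-formed custom ID still has to exist in that project, which is
# what the INVALID_ARGUMENT error in the question was complaining about.
PREDEFINED = re.compile(r"^roles/[A-Za-z0-9_.]+$")
CUSTOM = re.compile(r"^(projects|organizations)/[^/]+/roles/[A-Za-z0-9_.]+$")

def classify_role(role):
    """Return 'predefined', 'custom' or 'invalid' for a role string."""
    if PREDEFINED.match(role):
        return "predefined"
    if CUSTOM.match(role):
        return "custom"
    return "invalid"

def service_accounts_with_role(policy_json, role):
    """List (email, condition_title) for service accounts bound to `role`.

    condition_title is None for unconditional bindings; conditional grants are worth
    reviewing separately because they are easy to overlook in the console."""
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        cond = binding.get("condition", {}).get("title")
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                found.append((member.split(":", 1)[1], cond))
    return found

if __name__ == "__main__":
    for r in ("roles/storage.admin", "projects/my-project-id/roles/storage.admin"):
        print(r, "->", classify_role(r))
    print(service_accounts_with_role(SAMPLE_POLICY, "roles/storage.admin"))
```

Against a real project, feed the output of `gcloud projects get-iam-policy PROJECT --format=json` to `service_accounts_with_role` to review which service accounts hold broad roles such as Storage Admin.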
Reputation: 656
Once you have already created the service account, you can go to the IAM page to add the Storage Admin role.
In case you still want to add the role using the Create Service Account pane, don't search for "Storage"; instead scroll down to All Roles > hover over Cloud Storage > select Storage Admin.
You can also do what John Hanley mentioned using the Cloud Shell.
Upvotes: 10