Reputation: 651
I am trying to get a service account set up in GCP so I can use docker pull from my personal shell as well as from Google Cloud Shell, where it works automagically.
I tried this:
gcloud projects add-iam-policy-binding myProject --member=serviceAccount:dockerdude --role=roles/container.admin
But I got this not-very-helpful error:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition. ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (dockerdude).
I found the problem: this role isn't grantable ... I used the command
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/myProject
... and indeed the role container.admin isn't in the list.
My question: how do I make this role grantable? Or is there some other way to get what I'm looking for (docker pull permission from user shells as well as from Google Cloud Shell)?
Thanks much for any insight into this problem whatsoever!
Upvotes: 1
Views: 459
Reputation: 854
You can use this reference, Granting a Single Role, to write your command interactively:
Note: If you want to identify a service account just after it is created, use the numeric ID rather than the email address to ensure that it is reliably identified.
gcloud iam service-accounts add-iam-policy-binding ServiceAccount_ID \
--member=PRINCIPAL --role=ROLE_ID \
--condition=CONDITION
Some missing parameters, but should be…
gcloud iam service-accounts add-iam-policy-binding [email protected] \
--member=serviceAccount:[email protected] --role=roles/container.clusterAdmin
Also check this very good explanation of service accounts, which can be described as both an identity and a resource; check the full question for more details:
You have to read the command like this
gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
Additionally, read this question related to the list-grantable-roles command:
They can also be listed:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
Upvotes: 1
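As an added illustration of the "read the command like this" pattern above (example code, not from the question or the answer): a small POSIX sh wrapper that builds the --member and --role arguments in the shape gcloud expects and checks the role against the project's grantable-role list before calling gcloud projects add-iam-policy-binding. The bare name dockerdude in the question is exactly what sa_member rejects and expands; project id, service-account name and role are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes the caller supplies a project id, a service-account name and a role id.

# Expand a short service-account name into the member string gcloud expects.
# A bare name such as "dockerdude" is what triggers
# "INVALID_ARGUMENT: Invalid service account (dockerdude)"; the member must be
# serviceAccount:NAME@PROJECT.iam.gserviceaccount.com.
sa_member() {
  name=$1; project=$2
  case "$name" in
    *@*.iam.gserviceaccount.com) printf 'serviceAccount:%s\n' "$name" ;;
    *@*) return 1 ;;   # some other e-mail address: not a service account
    *)   printf 'serviceAccount:%s@%s.iam.gserviceaccount.com\n' "$name" "$project" ;;
  esac
}

# Normalise a role id: drop a stray leading slash and require the roles/ prefix.
role_id() {
  role=${1#/}
  case "$role" in
    roles/*) printf '%s\n' "$role" ;;
    *)       return 1 ;;
  esac
}

# Check a role against the output of `gcloud iam list-grantable-roles`
# (one bare role name per line, passed in as $2 so the check runs offline).
role_is_grantable() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Only call gcloud once member, role and grantability have been checked.
# Usage (not run here): grant_project_role myProject dockerdude roles/container.clusterAdmin
grant_project_role() {
  project=$1; sa=$2; role=$3
  member=$(sa_member "$sa" "$project") || { echo "bad service account: $sa" >&2; return 1; }
  rid=$(role_id "$role") || { echo "bad role id: $role" >&2; return 1; }
  grantable=$(gcloud iam list-grantable-roles \
    "//cloudresourcemanager.googleapis.com/projects/$project" --format='value(name)') || return 1
  role_is_grantable "$rid" "$grantable" || { echo "$rid is not grantable on $project" >&2; return 1; }
  gcloud projects add-iam-policy-binding "$project" --member="$member" --role="$rid"
}
```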