Reputation: 1138
I'm trying to enable Workload Identity in GKE and followed the entire linked how-to. I then went through the Troubleshooting guide and verified all my settings were correct. However, when I dynamically create a deployment in my Ruby code using kubeclient, I keep getting a PermissionDeniedError as follows:
/usr/lib/ruby/gems/3.1.0/gems/google-cloud-storage-1.43.0/lib/google/cloud/storage/service.rb:913:in 'rescue in execute': forbidden: openc3-sa@<PROJECTID>.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket. (Google::Cloud::PermissionDeniedError)
I've verified in the GCP IAM page that openc3-sa@<PROJECTID>.iam.gserviceaccount.com does have the Storage Admin role, which definitely has the storage.buckets.get permission. My original deployment uses the same default Kubernetes service account and does have permission to access the buckets, so it's something about the fact that I'm dynamically creating new deployments.
Upvotes: 0
Views: 44
Reputation: 1138
It turns out this was user error and the bucket I was trying to access was simply called 'config'. Since buckets have a global namespace I obviously do not have access to this bucket so the error was correct. HOWEVER, it would be nice if the bucket name was added to the error message to help with debugging. Something like:
forbidden: openc3-sa@<PROJECT ID>.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket named 'config'. (Google::Cloud::PermissionDeniedError)
With the bucket name I would have immediately found the issue. So if you're seeing permission denied errors, be sure you have the correct bucket name!
Upvotes: 1
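The two checks the answer points at, as an added Ruby example that is not code from the question or answer above: confirm that the bucket name actually belongs to your project before blaming IAM (buckets share one global namespace, so a bare name like 'config' is almost always someone else's), and wrap the lookup so a PermissionDeniedError carries the bucket name. It uses the real google-cloud-storage gem when it is installed; when it is not, a constructed stand-in client (FakeStorage, with the made-up bucket name openc3-config-bucket and a placeholder service account) mimics the gem's buckets.get behaviour so the script runs offline.

```ruby
# Use the real gem if present; otherwise define just the error classes the
# example needs (same names and hierarchy as the google-cloud-errors gem).
begin
  require "google/cloud/storage"
rescue LoadError
  module Google
    module Cloud
      class Error < StandardError; end
      class PermissionDeniedError < Error; end
    end
  end
end

# Constructed stand-in for Google::Cloud::Storage::Project, used only so the
# example runs without credentials. ALLOWED plays the role of the buckets that
# exist in *your* project; any other name is treated as a foreign bucket and
# fails exactly the way the real API does (a bare "forbidden" with no name).
class FakeStorage
  ALLOWED = %w[openc3-config-bucket].freeze
  BucketInfo = Struct.new(:name)

  def buckets
    ALLOWED.map { |n| BucketInfo.new(n) }
  end

  def bucket(name)
    return BucketInfo.new(name) if ALLOWED.include?(name)

    raise Google::Cloud::PermissionDeniedError,
          "forbidden: sa@PLACEHOLDER_PROJECT.iam.gserviceaccount.com does not have " \
          "storage.buckets.get access to the Google Cloud Storage bucket."
  end
end

# Check 1: is this name one of the buckets listed in the project we are
# authenticated against? Listing uses storage.buckets.list, which Storage Admin
# grants, so a false here means the name is wrong or the bucket is not ours.
def bucket_in_project?(storage, name)
  storage.buckets.map(&:name).include?(name)
end

# Check 2: fetch the bucket, but re-raise any permission error with the bucket
# name appended so the message points at the real cause of the failure.
def fetch_bucket(storage, name)
  storage.bucket(name)
rescue Google::Cloud::PermissionDeniedError => e
  raise Google::Cloud::PermissionDeniedError, "#{e.message.chomp('.')} named '#{name}'."
end

# Convenience for scripts and tests: nil when accessible, otherwise the
# enriched error message.
def access_problem(storage, name)
  fetch_bucket(storage, name)
  nil
rescue Google::Cloud::PermissionDeniedError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  storage = FakeStorage.new
  %w[config openc3-config-bucket].each do |name|
    puts "#{name}: in project? #{bucket_in_project?(storage, name)}"
    puts "  #{access_problem(storage, name) || 'accessible'}"
  end
end
```

Against a real project you would build `storage` with `Google::Cloud::Storage.new(project_id: ...)` in place of FakeStorage; `bucket_in_project?` then tells you within one call whether the name is yours at all, which is the check that would have short-circuited the IAM investigation in the question.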