
Cannot create GKE Admin role permissions with current IAM Resource #381

Open
AaronME opened this issue Sep 25, 2021 · 8 comments
Labels
enhancement New feature or request

Comments

@AaronME

AaronME commented Sep 25, 2021

What problem are you facing?

When we attempt to grant a ServiceAccount resource GKE Cluster Admin, we see the following error:

        create failed: cannot set policy of CryptoKey: googleapi: Error 400:
        Role roles/container.clusterAdmin is not supported for this resource.,
        badRequest

It appears that this role can only be assigned as a binding on the Projects api, not as a policy on a ServiceAccount.

How could Crossplane help solve your problem?

Implement bindings on the projects API for GCP.

@AaronME AaronME added the enhancement New feature or request label Sep 25, 2021
@nielsdemoen

I am getting this too, regardless of which role I try, everything fails with create failed: cannot set policy of CryptoKey: googleapi: Error 400

What am I doing wrong?

Sample SA and SAPolicy:

apiVersion: iam.gcp.crossplane.io/v1alpha1
kind: ServiceAccount
metadata:
  name: cf-invoker-test
spec:
  deletionPolicy: Delete
  forProvider:
    description: Service account created by crossplane for cf-invoker-test
    displayName: cf-invoker-test
  providerConfigRef:
    name: gcp
---
apiVersion: iam.gcp.crossplane.io/v1alpha1
kind: ServiceAccountPolicy
metadata:
  name: cf-invoker-test
spec:
  deletionPolicy: Delete
  forProvider:
    policy:
      bindings:
      - role: roles/cloudfunctions.invoker
        serviceAccountMemberRefs:
          - name: cf-invoker-test
    serviceAccountRef:
      name: cf-invoker-test
  providerConfigRef:
    name: gcp

Which causes:

Warning CannotCreateExternalResource 16s (x10 over 23s) managed/serviceaccountpolicy.iam.gcp.crossplane.io cannot set policy of CryptoKey: googleapi: Error 400: Role roles/cloudfunctions.invoker is not supported for this resource., badRequest

@AaronME
Author

AaronME commented Oct 21, 2021

@nielsdemoen - the assignment of the role is part of the projects api. This has not yet been implemented in provider-gcp.
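The two failures reported above (roles/container.clusterAdmin and roles/cloudfunctions.invoker rejected on a ServiceAccountPolicy) can be caught before `kubectl apply`. The linter below is an added example, not code from provider-gcp or from this thread; the allowlist of roles that GCP accepts on a service-account resource is an assumption to be checked against the IAM documentation, and the manifests are constructed to mirror the YAML posted above.

```python
from dataclasses import dataclass

# Roles GCP accepts in the IAM policy of a service-account *resource*
# (illustrative allowlist, an assumption). Project-scoped roles such as
# roles/container.clusterAdmin are absent: the API answers "not supported".
SA_RESOURCE_ROLES = frozenset({
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.workloadIdentityUser",
})

@dataclass(frozen=True)
class Finding:
    policy: str   # metadata.name of the ServiceAccountPolicy
    role: str     # offending role, "" for reference problems
    message: str

def lint_policies(manifests):
    """Return a Finding for each ServiceAccountPolicy binding GCP would reject."""
    sa_names = {m["metadata"]["name"] for m in manifests if m.get("kind") == "ServiceAccount"}
    findings = []
    for m in manifests:
        if m.get("kind") != "ServiceAccountPolicy":
            continue
        name, spec = m["metadata"]["name"], m["spec"]["forProvider"]
        target = spec.get("serviceAccountRef", {}).get("name")
        if target not in sa_names:
            findings.append(Finding(name, "", f"serviceAccountRef {target!r} matches no ServiceAccount here"))
        for b in spec["policy"]["bindings"]:
            role = b["role"]
            if role not in SA_RESOURCE_ROLES:
                findings.append(Finding(name, role, f"{role} is not settable on a ServiceAccount; "
                                        "bind it at project level instead"))
            for ref in b.get("serviceAccountMemberRefs", []):
                if ref["name"] not in sa_names:
                    findings.append(Finding(name, role, f"member {ref['name']!r} matches no ServiceAccount here"))
    return findings

# Constructed sample mirroring the two manifests posted above.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "cf-invoker-test"},
     "spec": {"forProvider": {"displayName": "cf-invoker-test"}}},
    {"kind": "ServiceAccountPolicy", "metadata": {"name": "cf-invoker-test"},
     "spec": {"forProvider": {"serviceAccountRef": {"name": "cf-invoker-test"},
              "policy": {"bindings": [{"role": "roles/cloudfunctions.invoker",
                                       "serviceAccountMemberRefs": [{"name": "cf-invoker-test"}]}]}}}},
]
```

Running `lint_policies(SAMPLE)` yields one finding for roles/cloudfunctions.invoker, the same binding the API rejected in the thread.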

@CarpathianUA

Any updates on when we expect bindings on the project's API for GCP to be implemented? Thanks in advance!

@Feggah
Collaborator

Feggah commented Jul 11, 2022

Hey @CarpathianUA , you can use any resource that this provider doesn't have yet with provider-jet-gcp.

@CalinFlorescu

@Feggah, I've tried your suggestion, and indeed version v.0.2.0-preview has implemented the resources required to add finely graded policies to Service Accounts. The only issue is that I can't fetch that version yet, since I get an Unauthorized error. We need to wait until it's publicly available.

@Feggah
Collaborator

Feggah commented Aug 8, 2022

We need to wait until it's publicly available.

What do you mean by publicly available, @CalinFlorescu?

I checked that there is an image with this tag on Docker Hub, you can see it here. Isn't it enough to pull the image when you create a Provider resource within your cluster?

@CalinFlorescu

@Feggah, my apologies, I made a mistake when fetching the provider and thought that the fetch access is restricted, so my comment above isn't valid.

@roldyxoriginal

@AaronME Do you have any idea what priority this issue has?
