GCP IAM 权限 - 服务帐户无法获得权限
GCP IAM Permission - Service Account not able to have permission
为了实施从 github 到 gcp 的 CI 管道,我配置了工作负载身份。
SERVICE_ACCOUNT="xyz"
PROJECT_ID="ABC"
通过以下命令创建的服务帐户:
gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \
--description="${SERVICE_ACCOUNT}" \
--display-name="${SERVICE_ACCOUNT}"
通过以下命令添加了 principalSet:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_NAME}/attribute.repository/${ORG_NAME}/${REPOSITORY}"
到目前为止一切正常。
但是我想使用这个帐户来配置基础设施和部署应用程序。
所以我使用了以下命令:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
同样要添加更多角色。但是我有以下错误:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/container.clusterAdmin is not supported for this resource.
请问如何获取权限?
将 IAM 策略添加到项目而不是服务帐户。
gcloud iam projects add-iam-policy-binding "${PROJECT_ID} \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
为了实施从 github 到 gcp 的 CI 管道,我配置了工作负载身份。
SERVICE_ACCOUNT="xyz"
PROJECT_ID="ABC"
通过以下命令创建的服务帐户:
gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \
--description="${SERVICE_ACCOUNT}" \
--display-name="${SERVICE_ACCOUNT}"
通过以下命令添加了 principalSet:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_NAME}/attribute.repository/${ORG_NAME}/${REPOSITORY}"
到目前为止一切正常。
但是我想使用这个帐户来配置基础设施和部署应用程序。
所以我使用了以下命令:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
同样要添加更多角色。但是我有以下错误:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/container.clusterAdmin is not supported for this resource.
请问如何获取权限?
将 IAM 策略添加到项目而不是服务帐户。
gcloud iam projects add-iam-policy-binding "${PROJECT_ID} \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"