
I'm having an issue with a Service Account which has a role attached to it called Preemptible Killer.

The role is bound to this service account, I even gave it "Editor" access for debugging purposes.

I have a single project and I double-checked that the names are correct.

I'm having an issue when I get a 403 when hitting the delete instance API. If I go to the Policy Troubleshooter I can see that in theory, it has the right amount of access.

Access granted for API call for preemptible-killer@{project}.iam.gserviceaccount.com, compute.instances.delete, instances/{instance}.

However, when it gets called from my K8s cluster node I get a 403. Here are the unexpected 403, service account and roles screenshots. I'm definitely missing something I just don't know what.

[Screenshot: Failed permission denied]

This is the role:

[Screenshot: Role]

This is the custom role + editor roles attached to the Service Account.

[Screenshot: the custom role and Editor role attached to the Service Account]

❯ gcloud projects get-iam-policy {project}
bindings:
- members:
  - serviceAccount:preemptible-killer@{project}.iam.gserviceaccount.com
  role: projects/{project}/roles/preemptible_killer
- members:
  - serviceAccount:preemptible-killer@{project}.iam.gserviceaccount.com
  role: roles/editor
donzul
  • What happens if you authenticate using gcloud as your service account and then try and run a gcloud command to delete an instance. Does it work? Ideally, try it from inside a container inside a pod inside GKE but, if not, the Cloud Console will still be a starting test. – Kolban Dec 09 '19 at 15:01
  • @Kolban Just tried your suggestion. I tried to delete an instance using gcloud authenticating as the service account from my local machine. I get the same error. I'm not sure what I'm missing, it seems to me that the role is assigned, etc. I'm definitely missing something. – donzul Dec 09 '19 at 15:20
  • This is good as it eliminates many spurious possibilities. Let's now look at your current policies ... read the following and start posting your dumped policies for your project. https://stackoverflow.com/questions/47006062/how-do-i-list-the-roles-associated-with-a-gcp-service-account – Kolban Dec 09 '19 at 15:27
  • I redacted other roles since I don't believe we need them but here is what I see for the one we are looking for. Added them to the main question as an Edit. – donzul Dec 09 '19 at 15:53
  • Did you activate the workload identity on your cluster? – guillaume blaquiere Dec 09 '19 at 16:48
  • No, but if I'm trying it directly from gcloud outside of my cluster, would I still need to activate workload identities? – donzul Dec 09 '19 at 17:00

2 Answers


I ended up creating another Service Account with the exact same role attached and it works, literally a clone.

Honestly not sure if this is a GCP bug or I missed something.

donzul

If you deleted the SA and then recreated it with the same name but didn't make any changes in IAM, please keep in mind that in the backend of GCP, this is a completely different SA even though the name is exactly the same. Just FYI!

Kibuk
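The check that Kolban's policy-dump comments and Kibuk's answer both point at, written out as an added example (not code from the question or from either answer): given the JSON form of `gcloud projects get-iam-policy PROJECT --format=json` and the `uniqueId` of the service account that exists right now, separate the roles bound to the live principal from roles still bound to a deleted predecessor with the same e-mail. IAM renders such leftover bindings as `deleted:serviceAccount:<email>?uid=<old uid>` members; the sample policy below, the project name, the uids and the expired condition are all constructed for the example. Note that in the asker's own dump both bindings appear as plain `serviceAccount:` members, so this check would not have flagged them; it shows what the stale-binding case Kibuk describes looks like and how a conditional grant is easy to misread as an unconditional one.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output. The project name and uids are made up. The first binding references a
# *deleted* service account that carried the same e-mail: this is how IAM shows
# a binding that survived deleting and re-creating an SA with the same name.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "members": [
        "deleted:serviceAccount:preemptible-killer@example-project.iam.gserviceaccount.com?uid=111111111111111111111"
      ],
      "role": "projects/example-project/roles/preemptible_killer"
    },
    {
      "members": [
        "serviceAccount:preemptible-killer@example-project.iam.gserviceaccount.com",
        "user:someone@example.com"
      ],
      "role": "roles/editor"
    },
    {
      "condition": {
        "expression": "request.time < timestamp('2019-12-01T00:00:00Z')",
        "title": "expired"
      },
      "members": [
        "serviceAccount:preemptible-killer@example-project.iam.gserviceaccount.com"
      ],
      "role": "roles/compute.instanceAdmin.v1"
    }
  ],
  "etag": "BwWExampleEtag=",
  "version": 3
}
"""

SA_EMAIL = "preemptible-killer@example-project.iam.gserviceaccount.com"
# Constructed value standing in for the output of
# `gcloud iam service-accounts describe SA_EMAIL --format='value(uniqueId)'`
# on the account that exists *now*.
SA_CURRENT_UID = "222222222222222222222"


def classify_member(member, sa_email):
    """Map one policy member string to ('live', None), ('stale', old_uid) or (None, None).

    'live'  -> serviceAccount:<email>, the account that exists right now.
    'stale' -> deleted:serviceAccount:<email>?uid=<old uid>, a binding left
               behind by a previous account that had the same e-mail.
    """
    if member == f"serviceAccount:{sa_email}":
        return "live", None
    stale_prefix = f"deleted:serviceAccount:{sa_email}?uid="
    if member.startswith(stale_prefix):
        return "stale", member[len(stale_prefix):]
    return None, None


def diagnose(policy, sa_email, current_uid):
    """Summarise roles the SA really holds versus roles bound to its deleted predecessor."""
    report = {"live_roles": [], "conditional_roles": [], "stale_roles": []}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, old_uid = classify_member(member, sa_email)
            if kind == "live":
                # A conditional binding only grants the role while its CEL
                # condition holds, so it is listed separately.
                if "condition" in binding:
                    report["conditional_roles"].append(role)
                else:
                    report["live_roles"].append(role)
            elif kind == "stale":
                report["stale_roles"].append((role, old_uid))
    # The uid in a deleted: member is the old account's; it never equals the
    # current uniqueId. Record the comparison so the mismatch is explicit.
    report["stale_uid_differs"] = all(uid != current_uid for _, uid in report["stale_roles"])
    for key in ("live_roles", "conditional_roles", "stale_roles"):
        report[key].sort()
    return report


def run_sample():
    """Run the diagnosis against the constructed policy above."""
    return diagnose(json.loads(SAMPLE_POLICY_JSON), SA_EMAIL, SA_CURRENT_UID)


if __name__ == "__main__":
    result = run_sample()
    print("roles held unconditionally:", result["live_roles"])
    print("roles held only under a condition:", result["conditional_roles"])
    for role, uid in result["stale_roles"]:
        print(f"STALE: {role} is bound to a deleted SA (uid {uid}); current uid is {SA_CURRENT_UID}")
```

To run it against a real project, replace `SAMPLE_POLICY_JSON` with the output of `gcloud projects get-iam-policy PROJECT --format=json` and `SA_CURRENT_UID` with `gcloud iam service-accounts describe EMAIL --format='value(uniqueId)'`. Any role that shows up only under `stale_roles` has to be re-granted to the new account; a role under `conditional_roles` needs its condition checked before you trust the Policy Troubleshooter's "access granted".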