
Can't add Storage Admin role to GCP service account


I am looking at the IAM Service Accounts tab in the GCP control panel. I am editing a Service Account. I click "Grant Access," enter the email of the service account I am creating and attempt to add Storage Admin.

[Image: IAM Service Accounts tab]

However, there is no such option in the list.

[Image: Cannot find 'Storage Admin' in list]

Also, a seemingly equivalent attempt to do this via the CLI fails:

gcloud projects add-iam-policy-binding my-project-id \
  --member='serviceAccount:github-actions@my-project-id.iam.gserviceaccount.com' \
  --role='projects/my-project-id/roles/storage.admin'

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role (projects/my-project-id/roles/storage.admin) does not exist in the resource's hierarchy.

Clearly, I am failing to understand something about how a service account is supposed to get granted a role.


Solution

  • Once you have already created the service account, you can go to the IAM page to add the Storage Admin role.

    1. Go to the IAM page
    2. Click Add
    3. Enter New Principals (enter the service account you created)
    4. Select the desired role (in your case, Storage Admin)
    5. Save

    In case you still want to add the role using the Creating Service Account pane, don't search with "Storage"; instead scroll down to All Roles > hover over Cloud Storage > select Storage Admin.

    You can also do what John Hanley mentioned using the Cloud Shell.
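
An added example, not part of the original question or answer: the CLI call in the question fails because `projects/<project>/roles/<id>` is the name format for custom roles, while the predefined Storage Admin role is named `roles/storage.admin`. The sketch below classifies a role name before binding it and then lists what the service account actually holds; the function names are hypothetical, and the project and account values are the question's placeholders.

```shell
#!/usr/bin/env bash
# Added example. PROJECT_ID and SA_EMAIL reuse the question's placeholder values.
PROJECT_ID="my-project-id"
SA_EMAIL="github-actions@${PROJECT_ID}.iam.gserviceaccount.com"

# Classify a role by its name format:
#   roles/<id>                      predefined (Google-managed)
#   projects/<project>/roles/<id>   custom role defined in that project
#   organizations/<org>/roles/<id>  custom role defined in that organization
role_kind() {
  case "$1" in
    roles/?*)                  echo predefined ;;
    projects/?*/roles/?*)      echo project-custom ;;
    organizations/?*/roles/?*) echo org-custom ;;
    *)                         echo invalid ;;
  esac
}

# Grant a role on the project, refusing names that cannot resolve.
grant_project_role() {
  gpr_role="$1"
  gpr_kind="$(role_kind "$gpr_role")"
  if [ "$gpr_kind" = invalid ]; then
    echo "not a role name: $gpr_role" >&2
    return 2
  fi
  # A project-level custom role must exist in PROJECT_ID before it can be bound.
  if [ "$gpr_kind" = project-custom ] &&
     ! gcloud iam roles describe "${gpr_role##*/}" --project="$PROJECT_ID" >/dev/null 2>&1; then
    echo "cannot find custom role $gpr_role; the predefined form is roles/${gpr_role##*/}" >&2
    return 1
  fi
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role="$gpr_role"
}

# Print the roles bound to the service account on the project.
list_sa_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
    --format="value(bindings.role)"
}

# Run with --apply to grant Storage Admin and print the resulting roles.
if [ "${1:-}" = "--apply" ]; then
  grant_project_role "roles/storage.admin" && list_sa_roles
fi
```

A project-level binding of `roles/storage.admin` covers every bucket in the project, so checking the output of `list_sa_roles` after the grant confirms exactly what the CI account can reach.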