In order to implement a CI pipeline from GitHub to GCP, I have configured workload identity.
SERVICE_ACCOUNT="xyz"
PROJECT_ID="ABC"
Service account created by the command:
gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \
--description="${SERVICE_ACCOUNT}" \
--display-name="${SERVICE_ACCOUNT}"
Added principalSet by the following command:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_NAME}/attribute.repository/${ORG_NAME}/${REPOSITORY}"
Up to this point it was working fine.
But using this account I want to provision infrastructure and deploy applications as well.
So I have used the following command:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
Likewise, some more roles need to be added. But I get the following error:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/container.clusterAdmin is not supported for this resource.
Any feedback on how to obtain the rights?
Add the IAM policy to the project and not to the service account.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
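As an added illustration (not part of the question or the answer above), the script below automates what the answer describes: the few `iam.*` roles that govern who may impersonate or act as the service account are bound on the service-account resource, while every other role (container.*, compute.*, storage.*, ...) is bound on the project, which is why binding roles/container.clusterAdmin on the account itself is rejected with INVALID_ARGUMENT. The `GCLOUD` override, the role classification list and the values `ABC`/`xyz` are assumptions made here for the example, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Grants a federated CI
# service account its roles at the correct scope and lists what it holds on
# the project. GCLOUD can be overridden (e.g. GCLOUD=echo) for a dry run.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Member string for a service account inside a project.
sa_member() {
  # $1 = service account id, $2 = project id
  printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Where a role has to be bound. The service-account resource only accepts
# the roles that control impersonation of / acting as that account; all
# other roles belong on the project (or on a narrower resource such as a
# bucket). The list below is illustrative, not exhaustive (assumption).
binding_scope() {
  case "$1" in
    roles/iam.serviceAccountUser|roles/iam.serviceAccountTokenCreator|\
    roles/iam.serviceAccountOpenIdTokenCreator|roles/iam.workloadIdentityUser)
      echo service-account ;;
    *)
      echo project ;;
  esac
}

# Grant one role to the CI service account at the scope it requires.
grant_role() {
  # $1 = project id, $2 = service account id, $3 = role
  member="$(sa_member "$2" "$1")"
  case "$(binding_scope "$3")" in
    service-account)
      "$GCLOUD" iam service-accounts add-iam-policy-binding \
        "$2@$1.iam.gserviceaccount.com" \
        --project="$1" --member="$member" --role="$3" ;;
    project)
      "$GCLOUD" projects add-iam-policy-binding "$1" \
        --member="$member" --role="$3" ;;
  esac
}

# Every role the service account currently holds on the project, so the
# grant can be reviewed against least privilege before the pipeline runs.
list_project_roles() {
  # $1 = project id, $2 = service account id
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$(sa_member "$2" "$1")" \
    --format="value(bindings.role)"
}

# Only act when invoked as: ./grant.sh PROJECT_ID SERVICE_ACCOUNT ROLE...
# so the functions can be sourced or dry-run without touching a project.
if [ "$#" -ge 2 ]; then
  PROJECT_ID="$1"; SERVICE_ACCOUNT="$2"; shift 2
  for role in "$@"; do
    grant_role "$PROJECT_ID" "$SERVICE_ACCOUNT" "$role"
  done
  list_project_roles "$PROJECT_ID" "$SERVICE_ACCOUNT"
fi
```

Running `GCLOUD=echo ./grant.sh ABC xyz roles/container.clusterAdmin roles/iam.workloadIdentityUser` prints the two commands without executing them, which is a convenient way to review the scope of each binding before applying it; roles/container.clusterAdmin gives full control over every cluster in the project, so the listing step is worth reading before the pipeline is allowed to use the account.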