GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

Controller is unable to provision certificates due to "Insufficient Permission" #14

Closed bmhatfield closed 5 years ago

bmhatfield commented 5 years ago

When describing the resource:

Warning  BackendError  13s (x36 over 20m)  managed-certificate-controller  googleapi: Error 403: Insufficient Permission: Request had insufficient authentication scopes., insufficientPermissions

I also added the Compute Load Balance Admin permission to the GKE service account as described here: https://github.com/GoogleCloudPlatform/gke-managed-certs/issues/7, but am still getting that error.

I'm not really sure what I'm missing here.

bmhatfield commented 5 years ago

I did some research which suggests that this controller is failing because the underlying instance doesn't have the needed scopes.

After learning that, I learned that scopes must be added at cluster creation time, and that they aren't the recommended way to configure service accounts.

What is the intention here? Can I create a real service account and pass it to this controller somehow? Do I have to recreate my cluster?

Is it possible to document this in the README.md?

Thank you!

bmhatfield commented 5 years ago

I was able to resolve this by copying managed-certificate-controller.yml and adding a volume mount with a service account JSON, and then setting GOOGLE_APPLICATION_CREDENTIALS.

env:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /var/run/secret/cloud.google.com/test-205-manged-certificates.json

bmhatfield commented 5 years ago

I recommend this be documented in the readme.

PS: that service account was granted access via a custom role I created that has the following permissions:

compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list

bmhatfield commented 5 years ago

You can find the code reference to this service account option via: https://github.com/GoogleCloudPlatform/gke-managed-certs/blob/v0.3.0/pkg/config/config.go#L146
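The workaround described in the three comments above, written out as an added example (not code from the gke-managed-certs project or from the commenter): a Secret holding the service-account key, the Deployment fields that mount it and point GOOGLE_APPLICATION_CREDENTIALS at it, and a custom-role file with exactly the four permissions listed. The Secret name, mount path, namespace and role id are assumptions; only the relevant Deployment fields are shown.

```yaml
# Added example: Secret + Deployment fragment for the controller (names assumed).
---
apiVersion: v1
kind: Secret
metadata:
  name: managed-certificate-controller-sa   # assumed name
  namespace: kube-system                    # assumed namespace
type: Opaque
data:
  key.json: BASE64_ENCODED_SERVICE_ACCOUNT_KEY_PLACEHOLDER
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: managed-certificate-controller
  namespace: kube-system
spec:
  # selector, labels, image and other fields omitted; only the key wiring is shown
  template:
    spec:
      containers:
        - name: managed-certificate-controller
          env:
            # ADC picks up the key from this path (assumed path)
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/run/secret/cloud.google.com/key.json
          volumeMounts:
            - name: sa-key
              mountPath: /var/run/secret/cloud.google.com
              readOnly: true                # key is never written by the pod
      volumes:
        - name: sa-key
          secret:
            secretName: managed-certificate-controller-sa
---
# Separate file (custom-role.yaml), created with:
#   gcloud iam roles create managedCertsController --project PROJECT_ID --file custom-role.yaml
# and then bound to the service account whose key is in the Secret above.
title: Managed Certificates Controller     # assumed title / role id
stage: GA
includedPermissions:
  - compute.sslCertificates.create
  - compute.sslCertificates.delete
  - compute.sslCertificates.get
  - compute.sslCertificates.list
```

The Secret carries a long-lived key, so keep it in the controller's namespace only and restrict who can read Secrets there via RBAC.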

mattysweeps commented 5 years ago

I could have sworn I got this to work by just following the readme, but trying a second time on a different cluster I had to follow these instructions.

krzykwas commented 5 years ago

The README is now updated with instructions about setting permissions.