rerunning a clean org kcc+lz install fails on missing yakima SA serviceUsageConsumer role - code removed for OCI only option

[obriensystems]

review 0.7.0 issue in dec https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/752

see fix https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#continue-kpt-fn-render-after-failed-services-fixed Describe the bug core-landing-zone deployment fails without the yakima service account permissions

kubectl get gcp
kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa

  Warning  UpdateFailed  36s (x12 over 12m)  iamserviceaccount-controller  Update call failed: error applying desired state: summary: Error creating service account: googleapi: Error 403: Caller does not have required permission to use project kcc-oi2-cluster. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=kcc-oi2-cluster and then retry. Propagation of the new permission may take a few minutes

see removal of the following from setup-kcc.sh

gcloud projects add-iam-policy-binding "kcc-oi-3552" --member "serviceAccount:service-850340197245@gcp-sa-yakima.iam.gserviceaccount.com" --role "roles/serviceusage.serviceUsageConsumer" --project "kcc-oi-3552" --quiet

in

EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')

# Adding logging admin role binding
gcloud organizations add-iam-policy-binding "${ORG_ID}" --member "user:${EMAIL}" --role roles/logging.admin

# Update the logging for region
gcloud alpha logging settings update --organization="$ORG_ID" --storage-location="$REGION"

actually the change is here - mid Sept https://github.com/ssc-spc-ccoe-cei/gcp-tools/commit/941d542e5024144b541136e19700b50cd8eaf895

[obriensystems]

editupdate: found them in the new 2nd script https://github.com/ssc-spc-ccoe-cei/gcp-tools/blob/main/scripts/bootstrap/configure-kcc-access.sh#L35

Issue is that the access script assumes rootsync usage - it leaves out the kpt option I recommend we put the yakima service account role additions back to the generic setup script.

[obriensystems]

see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#continue-kpt-fn-render-after-failed-services-fixed

working

  export SA_EMAIL="$(kubectl get ConfigConnectorContext -n config-control -o jsonpath='{.items[0].spec.googleServiceAccount}' 2> /dev/null)"
  echo "post GKE cluster create - applying 2 roles to org: ${ORG_ID} and project: ${KCC_PROJECT_ID} on the yakima gke service account to prep for kpt deployment: $SA_EMAIL"
  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/resourcemanager.organizationAdmin --condition=None --quiet  > /dev/null 1>&1
  gcloud projects add-iam-policy-binding "${KCC_PROJECT_ID}" --member "serviceAccount:${SA_EMAIL}" --role "roles/serviceusage.serviceUsageConsumer" --project "${KCC_PROJECT_ID}" --quiet  > /dev/null 1>&1
  # need service account admin for kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa
  # Warning  UpdateFailed  36s (x9 over 6m44s)  iamserviceaccount-controller  Update call failed: error applying desired state: summary: Error creating service account: googleapi: Error 403: Permission 'iam.serviceAccounts.create' denied on resource (or it may not exist).
  ##roles/iam.serviceAccountCreator
  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.organizationRoleAdmin --condition=None --quiet > /dev/null 1>&1
  gcloud organizations add-iam-policy-binding "${ORG_ID}" --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.serviceAccountAdmin --condition=None --quiet > /dev/null 1>&1

[obriensystems]

we are good for this particular issue

michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$ kubectl describe iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa
Name:         projects-sa
Namespace:    config-control
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              cnrm.cloud.google.com/ignore-clusterless: true
              cnrm.cloud.google.com/management-conflict-prevention-policy: none
              cnrm.cloud.google.com/project-id: kcc-cso-4380
              cnrm.cloud.google.com/state-into-spec: merge
              config.k8s.io/owning-inventory: e256e817e339239ce3260191edccdadd4500ac6b-1706639826670141102
              internal.kpt.dev/upstream-identifier: iam.cnrm.cloud.google.com|IAMServiceAccount|config-control|projects-sa
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMServiceAccount
Metadata:
  Creation Timestamp:  2024-01-30T18:37:28Z
  Finalizers:
    cnrm.cloud.google.com/finalizer
    cnrm.cloud.google.com/deletion-defender
  Generation:        2
  Resource Version:  3440011
  UID:               f6d4da3e-3989-4cbb-ab75-f71f14a94b15
Spec:
  Display Name:  projects-sa
  Resource ID:   projects-sa
Status:
  Conditions:
    Last Transition Time:  2024-01-30T18:37:31Z
    Message:               The resource is up to date
    Reason:                UpToDate
    Status:                True
    Type:                  Ready
  Email:                   projects-sa@kcc-cso-4380.iam.gserviceaccount.com
  Member:                  serviceAccount:projects-sa@kcc-cso-4380.iam.gserviceaccount.com
  Name:                    projects/kcc-cso-4380/serviceAccounts/projects-sa@kcc-cso-4380.iam.gserviceaccount.com
  Observed Generation:     2
  Unique Id:               113033115432347904602
Events:                    <none>
michael@cloudshell:~/kcc-cso/kpt (kcc-cso-4380)$