Open AaronME opened 3 years ago
I am getting this too, regardless of which role I try, everything fails with create failed: cannot set policy of CryptoKey: googleapi: Error 400
What am I doing wrong?
Sample SA and SAPolicy:

```yaml
apiVersion: iam.gcp.crossplane.io/v1alpha1
kind: ServiceAccount
metadata:
  name: cf-invoker-test
spec:
  deletionPolicy: Delete
  forProvider:
    description: Service account created by crossplane for cf-invoker-test
    displayName: cf-invoker-test
  providerConfigRef:
    name: gcp
---
apiVersion: iam.gcp.crossplane.io/v1alpha1
kind: ServiceAccountPolicy
metadata:
  name: cf-invoker-test
spec:
  deletionPolicy: Delete
  forProvider:
    policy:
      bindings:
        - role: roles/cloudfunctions.invoker
          serviceAccountMemberRefs:
            - name: cf-invoker-test
    serviceAccountRef:
      name: cf-invoker-test
  providerConfigRef:
    name: gcp
```
Which causes:
Warning CannotCreateExternalResource 16s (x10 over 23s) managed/serviceaccountpolicy.iam.gcp.crossplane.io cannot set policy of CryptoKey: googleapi: Error 400: Role roles/cloudfunctions.invoker is not supported for this resource., badRequest
@nielsdemoen - the assignment of the role is part of the projects api. This has not yet been implemented in provider-gcp.
Any updates on when we expect bindings on the project's API for GCP to be implemented? Thanks in advance!
Hey @CarpathianUA , you can use any resource that this provider doesn't have yet with provider-jet-gcp.
@Feggah, I've tried your suggestion, and indeed version v0.2.0-preview has implemented the resources required to add fine-grained policies to Service Accounts. The only issue is that I can't fetch that version yet, since I get an Unauthorized error. We need to wait until it's publicly available.
What do you mean by publicly available, @CalinFlorescu ?
I checked that there is an image with this tag on Docker Hub; you can see it here. Isn't it enough to pull the image when you create a Provider resource within your cluster?
@Feggah, my apologies, I made a mistake when fetching the provider and thought that the fetch access is restricted, so my comment above isn't valid.
@AaronME Do you have any idea what priority this issue has?
What problem are you facing?
When we attempt to grant a ServiceAccount resource GKE Cluster Admin, we see the following error:
It appears that this role can only be assigned as a binding on the Projects api, not as a policy on a ServiceAccount.
How could Crossplane help solve your problem?
Implement bindings on the projects API for GCP.
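The two statements above (that a role like roles/cloudfunctions.invoker belongs to the projects API and cannot be set as a policy on a ServiceAccount) can be turned into a pre-flight check so the 400 is caught before the manifest is applied. The following is an added example and is not code from the issue, from provider-gcp or from provider-jet-gcp. It takes a ServiceAccountPolicy manifest in the shape of the YAML posted above (embedded here as a Python dict, since the check should run without a cluster), flags every binding whose role is not grantable on a service-account resource, and prints the project-level gcloud command that grants the same role. The allow-list of service-account-resource roles, the project id my-project and the service-account e-mail format are assumptions made for the example, not facts from the thread; adjust the allow-list against the IAM documentation for your organization.

```python
"""Pre-flight lint for Crossplane provider-gcp ServiceAccountPolicy manifests.

Added example (not part of the issue or of provider-gcp). A binding whose role
is not accepted on a service-account resource is exactly what produces
"Role ... is not supported for this resource" from the IAM API; this script
reports such bindings and the project-level command that would grant them.
"""

# ASSUMPTION: predefined roles that GCP accepts on a service-account resource.
# Anything outside this set has to be bound on the project (or on a narrower
# resource such as the function itself), not on the service account.
SA_RESOURCE_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountOpenIdTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.workloadIdentityUser",
}


def sa_email(name, project):
    """E-mail of the service account that provider-gcp creates for `name`.

    ASSUMPTION: the account id equals the ServiceAccount's metadata.name.
    """
    return f"{name}@{project}.iam.gserviceaccount.com"


def lint_policy(manifest, project):
    """Return one finding per (role, member) pair that cannot live on a
    ServiceAccountPolicy. `manifest` has the shape of the posted YAML."""
    for_provider = manifest["spec"]["forProvider"]
    target = for_provider["serviceAccountRef"]["name"]
    findings = []
    for binding in for_provider["policy"]["bindings"]:
        role = binding["role"]
        if role in SA_RESOURCE_ROLES:
            continue  # fine on the service-account resource itself
        for member in binding.get("serviceAccountMemberRefs", []):
            email = sa_email(member["name"], project)
            findings.append({
                "target": target,
                "role": role,
                "member": email,
                # Equivalent binding on the projects API (gcloud syntax).
                "fix": (
                    f"gcloud projects add-iam-policy-binding {project} "
                    f"--member=serviceAccount:{email} --role={role}"
                ),
            })
    return findings


def policy_manifest(name, role, member):
    """Build a ServiceAccountPolicy dict with a single binding (constructed
    test input mirroring the YAML in the issue)."""
    return {
        "apiVersion": "iam.gcp.crossplane.io/v1alpha1",
        "kind": "ServiceAccountPolicy",
        "metadata": {"name": name},
        "spec": {
            "deletionPolicy": "Delete",
            "forProvider": {
                "policy": {"bindings": [
                    {"role": role,
                     "serviceAccountMemberRefs": [{"name": member}]},
                ]},
                "serviceAccountRef": {"name": name},
            },
            "providerConfigRef": {"name": "gcp"},
        },
    }


# The manifest from the issue: invoker role on the service-account resource.
ISSUE_MANIFEST = policy_manifest(
    "cf-invoker-test", "roles/cloudfunctions.invoker", "cf-invoker-test")
# A binding that is legitimately a service-account-resource policy.
OK_MANIFEST = policy_manifest(
    "cf-invoker-test", "roles/iam.serviceAccountUser", "deployer")

if __name__ == "__main__":
    for m in (ISSUE_MANIFEST, OK_MANIFEST):
        problems = lint_policy(m, "my-project")  # ASSUMPTION: project id
        if not problems:
            print(f"{m['metadata']['name']}: all bindings grantable on the SA")
        for p in problems:
            print(f"{p['target']}: {p['role']} is not a service-account "
                  f"resource role; bind it on the project instead:\n  {p['fix']}")
```

roles/cloudfunctions.invoker is a good reminder that "project level" is the broadest option, not the only one: the same role can be bound on the individual function (gcloud functions add-iam-policy-binding), which is the least-privilege choice when the service account only needs to call one function.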