github / docs

The open-source repo for docs.github.com
https://docs.github.com
Creative Commons Attribution 4.0 International

Deploying to Google Kubernetes Engine specifies incorrect add-iam-policy-binding command #9401

Closed jmhodges closed 2 years ago

jmhodges commented 3 years ago

What article on docs.github.com is affected?

https://docs.github.com/en/actions/guides/deploying-to-google-kubernetes-engine

What part(s) of the article would you like to see updated?

The section "Configuring a service account and storing its credentials" has this call documented:

gcloud projects add-iam-policy-binding $GKE_PROJECT \
  --member=serviceAccount:$SA_EMAIL \
  --role=roles/container.admin \
  --role=roles/storage.admin \
  --role=roles/container.clusterViewer

But it seems that add-iam-policy-binding can only take one --role argument at a time.

For instance, this will cause a failure during docker push:

denied: Token exchange failed for project '***'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

The example given is otherwise able to correctly auth with gcloud, configure docker, and get credentials for the GKE cluster, but then fails to push to gcr.io.

Looking through the output of add-iam-policy-binding, the new service account is only listed in the role: roles/container.clusterViewer section.

It seems that whatever the last --role given to add-iam-policy-binding is, that is the role that will actually be applied to the binding, without an error.

Additional information

No response

welcome[bot] commented 3 years ago

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

ramyaparimi commented 3 years ago

@jmhodges Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:

skedwards88 commented 2 years ago

Thanks for opening this issue and including so many relevant details! You or anyone else is welcome to open a PR to address this.

For the contributor who addresses this issue, it sounds like the fix is to make an add-iam-policy-binding call for each role: https://github.com/cloudfoundry/bosh-google-cpi-release/issues/142#issuecomment-486732247
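A script form of that fix, added here as an example and not taken from the docs page or the linked issue: one add-iam-policy-binding call per role, plus a check that lists which roles the service account actually ended up with (the docs page does not include such a check). It assumes GKE_PROJECT and SA_EMAIL are set as in the article, and the GCLOUD variable is an assumption that lets a dry run substitute another command for gcloud.

```shell
#!/bin/sh
# Added example, not the GitHub docs page's own command. add-iam-policy-binding
# honours only the last --role it is given, so each role needs its own call.
# GCLOUD is an assumption for this script: it defaults to gcloud and can be
# overridden (e.g. with a function that echoes its arguments) for a dry run.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# bind_roles PROJECT MEMBER ROLE...
# Runs one add-iam-policy-binding per role; set -e stops at the first failure
# rather than silently continuing with a partially-bound service account.
bind_roles() {
    project="$1"
    member="$2"
    shift 2
    for role in "$@"; do
        "$GCLOUD" projects add-iam-policy-binding "$project" \
            --member="serviceAccount:$member" \
            --role="$role"
    done
}

# list_roles PROJECT MEMBER
# Prints the roles currently bound to the service account, one per line, so the
# result can be verified instead of trusting the add-iam-policy-binding output.
list_roles() {
    "$GCLOUD" projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:$2" \
        --format="value(bindings.role)"
}

# Usage (runs against the real project when GCLOUD is left at its default):
#   bind_roles "$GKE_PROJECT" "$SA_EMAIL" \
#       roles/container.admin roles/storage.admin roles/container.clusterViewer
#   list_roles "$GKE_PROJECT" "$SA_EMAIL"   # all three roles should be listed
```

If list_roles shows only roles/container.clusterViewer, the bindings were still applied with the single multi-role call and the docker push will fail with the storage.buckets.get error quoted in the issue.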

jmhodges commented 2 years ago

I didn't get a notification that this was marked as stale. But this is still a live doc bug.

ramyaparimi commented 2 years ago

@jmhodges Sorry about that! The stale bot is a little wonky sometimes. I am reopening it now 💛

cmwilson21 commented 2 years ago

It looks like this one has been fixed. I'm closing the issue now.