Open Prudhvi0717 opened 1 week ago
Hey @edwardmedia, why do we need to provide a project-level IAM binding to the workload identities?
Why can't we just grant the necessary access to a service account and create an IAM binding to that SA?
# Shared values for the Workload Identity mapping declared below.
locals {
  # Kubernetes service accounts in the Dataproc namespace that need to act as the GSA.
  ksas = ["spark-executor", "spark-driver", "agent"]

  # Role that lets a KSA obtain tokens for the bound Google service account.
  workload_identity_role = "roles/iam.workloadIdentityUser"

  # Workload Identity pool of this project; "[namespace/ksa]" is appended per KSA.
  workload_member = "serviceAccount:${var.project}.svc.id.goog"
}
# Workload Identity mapping between the target GSA and each KSA in local.ksas.
# The binding is placed on the service account resource itself (not on the
# project), so only the listed KSAs in namespace var.cluster_name can use it.
# By default Dataproc uses the Compute Engine default service account.
resource "google_service_account_iam_member" "gcp_sa_iam_member" {
  # NOTE(review): count indexes local.ksas by position, so removing an entry
  # re-keys the remaining bindings; for_each = toset(local.ksas) would avoid
  # that but changes the resource addresses held in state.
  count = length(local.ksas)

  service_account_id = var.service_account_id
  role               = local.workload_identity_role
  # Member format: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
  member = "${local.workload_member}[${var.cluster_name}/${local.ksas[count.index]}]"
}
# Dataproc virtual cluster running on an existing GKE cluster.
resource "google_dataproc_cluster" "cluster" {
  name   = var.cluster_name
  region = var.region

  # Time allowed for graceful decommissioning before nodes are removed.
  graceful_decommission_timeout = "120s"

  virtual_cluster_config {
    staging_bucket = var.staging_bucket

    kubernetes_cluster_config {
      # Same namespace as used in the Workload Identity member strings above.
      kubernetes_namespace = var.cluster_name

      kubernetes_software_config {
        component_version = {
          "SPARK" = var.spark_version
        }
      }

      gke_cluster_config {
        gke_cluster_target = var.kube_cluster_id

        # Default node pool; created only when the caller does not reuse an existing one.
        node_pool_target {
          node_pool = var.default_node_pool.node_pool_name
          roles     = var.default_node_pool.roles

          dynamic "node_pool_config" {
            for_each = var.default_node_pool.reuse_existing ? [] : [1]

            content {
              locations = var.node_locations

              autoscaling {
                min_node_count = var.default_node_pool.min_node_count
                max_node_count = var.default_node_pool.max_node_count
              }

              config {
                machine_type    = var.default_node_pool.machine_type
                preemptible     = var.default_node_pool.preemptible
                local_ssd_count = var.default_node_pool.local_ssd_count
              }
            }
          }
        }

        # Worker node pool; same reuse-or-create pattern as the default pool.
        node_pool_target {
          node_pool = var.worker_node_pool.node_pool_name
          roles     = var.worker_node_pool.roles

          dynamic "node_pool_config" {
            for_each = var.worker_node_pool.reuse_existing ? [] : [1]

            content {
              locations = var.node_locations

              autoscaling {
                min_node_count = var.worker_node_pool.min_node_count
                max_node_count = var.worker_node_pool.max_node_count
              }

              config {
                machine_type = var.worker_node_pool.machine_type
                preemptible  = var.worker_node_pool.preemptible
                # spot = var.worker_node_pool.preemptible
                local_ssd_count = var.worker_node_pool.local_ssd_count
              }
            }
          }
        }
      }
    }
  }
}
If I create the Workload Identity bindings on a service account that has all the required permissions, other than the Compute Engine default service account, I get the following error:
{"severity":"error","ts":"2024-06-23T08:48:04.915Z","logger":"setup","caller":"log/deleg.go:144","message":"could not initialize control client",
"error":"registering agent: registering agent: rpc error: code = Unauthenticated desc = transport: compute: Received 403 `Unable to generate access token; IAM returned 403 Forbidden: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).
This error could be caused by a missing IAM policy binding on the target IAM service account.\nFor more information, refer to the Workload Identity documentation:
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to\n\n`","stacktrace":"sigs.k8s.io/controller-runtime/pkg/log.(*DelegatingLogger).Error\n\tsigs.k8s.io/controller-runtime@v0.9.2/pkg/log/deleg.go:144\nmain.main\n\tdataproc.googleapis.com/dpk8s/agent/cmd/agent/agent.go:35\nruntime.main\n\truntime/proc.go:250"}
Hi @Prudhvi0717!
Please answer the following questions:
@edwardmedia, regarding your previous reply in another issue, #13714:
Referring to this code you posted:
Originally posted by @edwardmedia in https://github.com/hashicorp/terraform-provider-google/issues/13714#issuecomment-1435760962