New GCP project setup doesn't give correct kms permissions

[mattcary]

31863 moved the pd csi driver to some new cluster and set of projects, however it was apparently never verified that those projects actually work to run the test.

The cluster service account is missing roles/cloudkms.cryptoKeyEncrypterDecrypter.

I think a change needs to be made to k8s.io/k8s.io/infra/gcp somewhere, but with the partial migration from bash to terraform I'm not sure what to change.

For now I'll revert the change that broke our e2e test; any suggestions on how to correctly set up the cluster service account in the terraform world are welcome!

[mattcary]

/sig testing

[ameukam]

Currently the test uses the default service account for GCE instead of a specific service account.

I0212 20:46:57.674362    7020 setup_e2e_test.go:94] Running in project k8s-infra-e2e-boskos-067 with service account 392769659984-compute@developer.gserviceaccount.com

The SA prow-build@ has the correct role https://github.com/kubernetes/k8s.io/pull/6414

@mattcary Can you make sure all the tests use the SA prow-build@ ?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ameukam]

/remove-lifecycle stale

[BenTheElder]

Ah, we wound up doing: https://github.com/kubernetes/k8s.io/pull/6920 https://kubernetes.slack.com/archives/CCK68P2Q2/p1719354766854019

[BenTheElder]

This is working now :-)