Sudden permissions denied for service account

Tags: google-cloud-platform, service-accounts

I have a ServiceAccount that has permissions to do all sorts of things on my GCP project, and a Jenkins pipeline that runs on a nightly basis and shuts down one of my GKE environments.
A few days ago I started noticing random failures when fetching credentials for the cluster, while running the same pipeline again works.

I have the following block of code:

gcloud auth activate-service-account --key-file=****
gcloud container clusters get-credentials integration-cluster --zone europe-west1-c --project integration-project

The thing is, on the nights it failed I see the following error:

00:00:45  Activated service account credentials for: [jenkins-user@integration-project.iam.gserviceaccount.com]
00:00:46  Fetching cluster endpoint and auth data.
00:00:46  ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/integration-project/zones/europe-west1-c/clusters/integration-cluster".

It looks as if the serviceAccount lacks permissions on the project, but nothing has changed and a rerun works.

What can be the reason for this?
It looks like a bug, but... where? I'm currently using Google Cloud SDK 319.0.0.

10x

Best Answer

The error message `message=Required "container.clusters.get" permission(s)` means that your service account doesn't have the container.clusters.get permission.

According to the documentation (Understanding roles, section Kubernetes Engine roles), the roles roles/container.clusterViewer and roles/container.clusterAdmin contain this permission.

To solve this issue you can grant your service account a role that contains the permission container.clusters.get. The least-privileged IAM role that provides this permission is roles/container.clusterViewer. For more details please have a look at the documentation (Understanding service accounts, section Granting access to service accounts).

If your service account has all the required permissions, you can file an issue report at the Google Public Issue Tracker or reach out to Google Cloud Support.
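The check the answer describes, as an added example (not code from the question or the answer): it lists the project roles bound to the Jenkins service account, works out which of them actually carry container.clusters.get, and prints the least-privilege grant if none do. It assumes the project and service-account names quoted in the question and that gcloud is installed and authenticated when it runs; the role/permission records in the offline check are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Follows the answer: list the project roles bound to the Jenkins service
# account, find which of them carry container.clusters.get, and print the
# least-privilege grant command if none do.
# Assumptions: project and service-account names are the ones quoted in the
# question; gcloud is installed and authenticated when the check runs.
set -u
PROJECT="integration-project"
SA="jenkins-user@integration-project.iam.gserviceaccount.com"
PERM="container.clusters.get"
LEAST_ROLE="roles/container.clusterViewer"  # the answer's least-privileged choice

# Roles bound to the service account at project level, one per line.
roles_for_member() {
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA" \
    --format="value(bindings.role)"
}
# Permissions a role includes, ';'-separated as gcloud's value() prints lists.
role_permissions() {
  gcloud iam roles describe "$1" --format="value(includedPermissions)"
}
# Reads "ROLE PERM1;PERM2;..." records on stdin and prints the roles that
# carry $PERM exactly. Pure text processing, so it can be checked offline.
roles_granting() {
  while read -r role perms; do
    if printf '%s\n' "$perms" | tr ';' '\n' | grep -qxF "$PERM"; then
      printf '%s\n' "$role"
    fi
  done
}
# Returns 0 when some bound role carries $PERM, 1 (plus the fix) otherwise.
check_member() {
  granted=$(roles_for_member | while read -r role; do
    printf '%s %s\n' "$role" "$(role_permissions "$role")"
  done | roles_granting)
  if [ -n "$granted" ]; then
    echo "OK: $SA holds $PERM via:"; echo "$granted"
    return 0
  fi
  echo "MISSING: no project role of $SA carries $PERM. Least-privilege fix:"
  echo "  gcloud projects add-iam-policy-binding $PROJECT \\"
  echo "    --member=serviceAccount:$SA --role=$LEAST_ROLE"
  return 1
}
# Only talk to GCP when gcloud is actually present.
if command -v gcloud >/dev/null 2>&1; then check_member; fi
```

Run it from the same Jenkins agent before the get-credentials step so a missing binding is reported explicitly instead of surfacing as the 403 in the question.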
