Tags: google-kubernetes-engine, google-iam, workload-identity

no matches for kind "IAMPolicy" in version "iam.cnrm.cloud.google.com/v1beta1"


I want to access the service account using workload identity.

cat serviceaccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # GCP service account this Kubernetes service account may impersonate via Workload Identity
    iam.gke.io/gcp-service-account: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  name: rao-sa
  namespace: test

My YAML file is policy.yaml:

# Config Connector resource: the cluster must have the Config Connector CRDs installed
apiVersion: iam.cnrm.cloud.google.com/v1beta1
# IAMPolicy is authoritative: it replaces the whole IAM policy of the referenced resource
kind: IAMPolicy
metadata:
  name: iampolicy-workload-identity-sample
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    # name refers to the metadata.name of an IAMServiceAccount managed by Config Connector,
    # not to the service account's e-mail address
    name: serviceaccount_key@PROJECT_ID.iam.gserviceaccount.com
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        # must match the namespace/name of the annotated Kubernetes ServiceAccount
        - serviceAccount:PROJECT_ID.svc.id.goog[test/rao-sa]

kubectl apply -f policy.yaml
error: unable to recognize "policy.yaml": no matches for kind "IAMPolicy" in version "iam.cnrm.cloud.google.com/v1beta1"

I'm getting this error on the YAML file: no matches for kind "IAMPolicy" in version "iam.cnrm.cloud.google.com/v1beta1"


Solution

  • This is a common mistake when Config Connector has not been installed; check step 7.

    How to enable?

    gcloud container clusters update CLUSTER_NAME \
        --update-addons ConfigConnector=ENABLED
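A preflight script added here as an illustration; it is not part of the original answer and not code from Config Connector or GKE. It checks the two things the error above depends on (Workload Identity enabled on the cluster, and the IAMPolicy CRD actually present), builds the member string the binding needs, and warns when the manifest is an IAMPolicy rather than an IAMPolicyMember, because IAMPolicy is authoritative and removes every binding on the referenced service account that the manifest does not list. It assumes bash, gcloud and kubectl installed and authenticated; CLUSTER_NAME, LOCATION, PROJECT_ID and the function names are placeholders of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Config Connector itself.
# Preflight checks before applying a Config Connector IAMPolicy/IAMPolicyMember
# for Workload Identity. Assumes gcloud and kubectl are installed and
# authenticated; CLUSTER_NAME, LOCATION and PROJECT_ID are placeholders.
set -eu

# CRD that must exist for apiVersion iam.cnrm.cloud.google.com/v1beta1, kind IAMPolicy.
IAMPOLICY_CRD="iampolicies.iam.cnrm.cloud.google.com"

# wi_member PROJECT_ID NAMESPACE KSA
# Prints the member string the roles/iam.workloadIdentityUser binding needs.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# crd_present CRD_NAME  (reads `kubectl get crd -o name` output on stdin)
# Returns 0 when the CRD is installed in the cluster.
crd_present() {
  grep -qx "customresourcedefinition.apiextensions.k8s.io/$1"
}

# policy_is_authoritative  (reads a manifest on stdin)
# Returns 0 for kind IAMPolicy, which replaces the whole IAM policy of the
# referenced resource; IAMPolicyMember only adds one binding.
policy_is_authoritative() {
  grep -qE '^kind:[[:space:]]*IAMPolicy[[:space:]]*$'
}

# classify_apply_error "<kubectl stderr>"
# "no matches for kind" for a cnrm.cloud.google.com API means the Config
# Connector CRDs are not installed at all, not a typo in the manifest.
classify_apply_error() {
  case "$1" in
    *"no matches for kind"*"cnrm.cloud.google.com"*) echo "config-connector-missing" ;;
    *"no matches for kind"*) echo "crd-missing" ;;
    *) echo "other" ;;
  esac
}

# preflight CLUSTER_NAME LOCATION PROJECT_ID MANIFEST
# Talks to the real cluster; only run when PREFLIGHT=1 is set (see bottom).
preflight() {
  local cluster="$1" location="$2" project="$3" manifest="$4"
  # The Config Connector add-on requires Workload Identity on the cluster.
  gcloud container clusters describe "$cluster" --location "$location" --project "$project" \
      --format='value(workloadIdentityConfig.workloadPool)' | grep -q 'svc.id.goog' \
    || { echo "Workload Identity is not enabled on $cluster" >&2; return 1; }
  # The IAMPolicy CRD only exists once the add-on is enabled and the
  # ConfigConnector resource has been created in the cluster.
  kubectl get crd -o name | crd_present "$IAMPOLICY_CRD" \
    || { echo "$IAMPOLICY_CRD missing: enable the ConfigConnector add-on first" >&2; return 1; }
  if policy_is_authoritative < "$manifest"; then
    echo "warning: $manifest is an IAMPolicy; bindings not listed in it will be removed" >&2
  fi
  # Server-side dry run validates the manifest against the installed CRDs without applying it.
  kubectl apply --dry-run=server -f "$manifest"
}

# Run the live checks only when explicitly asked, e.g.:
#   PREFLIGHT=1 ./preflight.sh CLUSTER_NAME LOCATION PROJECT_ID policy.yaml
if [ "${PREFLIGHT:-}" = "1" ]; then
  preflight "$@"
fi
```

The helper functions are pure text checks, so they can be exercised offline against constructed input; only `preflight` touches gcloud and kubectl. If the dry run reports the same "no matches for kind" error, `classify_apply_error` maps it to the Config Connector add-on being absent, which is exactly the situation in the question.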