
How to add GCP role to the grantable list?


I am trying to get a service account set up in GCP so I can use docker pull from my personal shell as well as from Google Cloud Shell, where it works automagically.

I tried this:

gcloud projects add-iam-policy-binding myProject --member=serviceAccount:dockerdude --role=roles/container.admin

But I got this not-very-helpful error:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition. ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (dockerdude).

I found the problem: this role isn't grantable ... I used the command

gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/myProject

... and indeed the role container.admin isn't in the list.

My question: how do I make this role grantable? Or is there some other way to get what I'm looking for (docker pull permission from user shells as well as from Google Cloud Shell)?

Thanks much for any insight into this problem whatsoever!


Solution

  • You can use this reference to write your command interactively, Granting a Single Role:

    Note: If you want to identify a service account just after it is created, use the numeric ID rather than the email address to ensure that it is reliably identified.

    gcloud iam service-accounts add-iam-policy-binding ServiceAccount_ID \
        --member=PRINCIPAL --role=ROLE_ID \
        --condition=CONDITION
    

    Some parameters are missing, but it should be…

    # role IDs take the form roles/<name>, with no leading slash
    gcloud iam service-accounts add-iam-policy-binding [email protected] \
        --member=serviceAccount:[email protected] --role=roles/container.clusterAdmin
    
    

    Also check this very good explanation of service accounts, which can be described as both an identity and a resource; see the full question for more details:

    You have to read the command like this:

    gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
    

    Additionally, read this question related to list-grantable-roles command:

    They can also be listed:

    gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
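The two things the answer is pointing at can be checked before any gcloud call is made: the --member value must carry a type prefix and, for a service account, its full email (which is what the "Invalid service account (dockerdude)" message in the question is objecting to), and the --role value must be in the form roles/<name> and must appear in the list-grantable-roles output for the resource you are binding on. The following POSIX shell script is an added example, not code from the original answer or from Google's tooling; it runs offline against a constructed sample of a grantable-roles listing (the role names and the project ID my-project are assumptions), and the preflight function is a hypothetical helper that reports which of the two checks would fail.

```shell
#!/bin/sh
# Added example: offline pre-flight checks for a gcloud add-iam-policy-binding
# call. Not from the original answer; the sample listing below is constructed.

# Constructed stand-in for `gcloud iam list-grantable-roles <resource>` output
# (one role per line). Deliberately does not contain roles/container.admin, to
# mirror the question's situation.
GRANTABLE_ROLES_SAMPLE='roles/container.clusterAdmin
roles/container.developer
roles/storage.objectViewer
roles/viewer'

# normalize_role: accept "container.admin", "/roles/container.admin" or
# "roles/container.admin" and emit the canonical "roles/container.admin".
normalize_role() {
  r=$(printf '%s' "$1" | sed 's#^/*##')
  case "$r" in
    roles/*) printf '%s\n' "$r" ;;
    *)       printf 'roles/%s\n' "$r" ;;
  esac
}

# valid_member: a --member needs a type prefix and, for a service account,
# the full account email; a bare "serviceAccount:dockerdude" is rejected.
valid_member() {
  case "$1" in
    serviceAccount:*@*.iam.gserviceaccount.com) return 0 ;;
    user:*@*|group:*@*)                         return 0 ;;
    *)                                          return 1 ;;
  esac
}

# role_grantable ROLE LISTING: true if the canonical role is a whole line
# of LISTING (the text list-grantable-roles would have printed).
role_grantable() {
  role=$(normalize_role "$1")
  printf '%s\n' "$2" | grep -qx "$role"
}

# preflight MEMBER ROLE LISTING: print a diagnosis for each check and
# return 0 only when both pass. Hypothetical helper, assumption of this example.
preflight() {
  member=$1; role=$2; listing=$3
  ok=0
  if valid_member "$member"; then
    echo "member ok: $member"
  else
    echo "member rejected: '$member' needs a type prefix and a full email"
    ok=1
  fi
  if role_grantable "$role" "$listing"; then
    echo "role grantable here: $(normalize_role "$role")"
  else
    echo "role not grantable on this resource: $(normalize_role "$role")"
    ok=1
  fi
  return $ok
}

# Usage: the first call reproduces the question's arguments and fails both
# checks; the second uses a full email and a listed role and passes.
preflight "serviceAccount:dockerdude" "roles/container.admin" \
          "$GRANTABLE_ROLES_SAMPLE" || echo "-> fix the arguments before running gcloud"
preflight "serviceAccount:dockerdude@my-project.iam.gserviceaccount.com" \
          "/roles/container.clusterAdmin" "$GRANTABLE_ROLES_SAMPLE" \
          && echo "-> safe to run gcloud ... add-iam-policy-binding"
```

In real use you would replace GRANTABLE_ROLES_SAMPLE with the captured output of gcloud iam list-grantable-roles for the exact resource named in the add-iam-policy-binding call, since the grantable set differs between a project, a service account and other resource types; the normalization step is there because a leading slash or a missing roles/ prefix produces a rejected binding rather than a clear message.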