17

I am attempting to use an activated service account scoped to create and delete gcloud container clusters (k8s clusters), using the following commands:

gcloud config configurations create my-svc-account \
   --no-activate \
   --project myProject


gcloud auth activate-service-account my-svc-account@my-project.iam.gserviceaccount.com \
   --key-file=/path/to/keyfile.json \
   --configuration my-svc-account

gcloud container clusters create a-new-cluster \
   --configuration my-svc-account \
   --project my-project \
   --zone "my-zone"

I always receive the error:

...ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".

How do I grant my-svc-account access to the default service account for GKE?

Chris Stryczynski
DrMarshall
  • Note that `gcloud config configurations create my-svc-account --no-activate --project myproject` does not set project in created configuration. In fact --project does not do anything. – cherba Nov 02 '16 at 12:41

6 Answers

35

After talking to Google Support, the issue was that the service account did not have a "Service Account User" permissions activated. Adding "Service Account User" resolves this error.

crizCraig
DrMarshall
14

Add the following role to the service account who makes the operation:

Service Account User

Also see:

Eyal Levin
1

For those that ended up here trying to do an Import of Firebase Firestore documents with a command such as:

gcloud beta firestore import --collection-ids='collectionA','collectionB' gs://YOUR_BUCKET

I got around the issue by doing the following:

  1. From the Google Cloud Console Storage Bucket Browser, add the service account completing the operation to the list of members with a role of Storage Admin.
  2. Re-attempt the operation.

For security, I revoked the role after the operation completed, but that's optional.

HondaGuy
1

iam.serviceAccounts.actAs is the exact permission you need from Service Account User.

Sar009
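An added example, not code from the question or from any of the answers: a shell script that grants the deploying service account the Service Account User role (the role that carries iam.serviceAccounts.actAs) on the project's default Compute Engine service account, which is the "default" service account GKE nodes run as, and then checks that the binding exists. The project id, project number and service-account emails are placeholders; scoping the grant to that one service account instead of the whole project is an assumption made here on the least-privilege side, since the answers above do not say where they granted the role.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: my-project,
# my-svc-account@my-project.iam.gserviceaccount.com, project number.
set -eu

# GKE nodes run as the Compute Engine default service account unless
# --service-account is passed; its email is derived from the project NUMBER.
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Member string gcloud expects when the principal is a service account.
sa_member() {
  printf 'serviceAccount:%s\n' "$1"
}

# Resolve project id -> project number (requires gcloud and read access).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Grant roles/iam.serviceAccountUser on the default compute SA only,
# not project-wide, so the caller can actAs that one account.
grant_act_as() {
  project_id=$1; caller_sa=$2
  target_sa=$(default_compute_sa "$(project_number "$project_id")")
  gcloud iam service-accounts add-iam-policy-binding "$target_sa" \
    --project "$project_id" \
    --member "$(sa_member "$caller_sa")" \
    --role roles/iam.serviceAccountUser
}

# Verify: print the role if the member holds it on the target SA.
check_act_as() {
  project_id=$1; caller_sa=$2
  target_sa=$(default_compute_sa "$(project_number "$project_id")")
  gcloud iam service-accounts get-iam-policy "$target_sa" \
    --project "$project_id" \
    --flatten='bindings[].members' \
    --filter="bindings.members='$(sa_member "$caller_sa")'" \
    --format='value(bindings.role)'
}

# Usage: sh grant-actas.sh my-project my-svc-account@my-project.iam.gserviceaccount.com
if [ "$#" -eq 2 ]; then
  grant_act_as "$1" "$2"
  check_act_as "$1" "$2"
fi
```

If the organization policy constraint mentioned in the next answer is enforced, the binding alone will not clear the error for a service account in another project.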
1

I was getting the "The user does not have access to service account..." error even though I added the Service Account User role as others have suggested. What I was missing was the organization policy that prevented service account impersonation across projects. This is explained in the docs: https://cloud.google.com/iam/docs/impersonating-service-accounts#enabling-cross-project

asherbret
  • FYI: I was not able to "see" this policy in the UI at https://console.cloud.google.com/iam-admin/orgpolicies/list but according to https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#cross-project_set_up it is enabled by default ("In the project that has your user-specified service account, ensure that the iam.disableCrossProjectServiceAccountUsage organization policy constraint is not enforced. This constraint is enforced by default.") – Hirnhamster Feb 16 '23 at 09:14
  • Follow-Up: I was able to see it in the UI when selecting the affected project (previously I had the organization selected as project). To disable it, I needed the role "Organization Policy Administrator" and it can be disabled "per project" (so not for the whole org) via `https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableCrossProjectServiceAccountUsage/edit?project=$home-project-of-service-account` After a couple of minutes the change became effective and the (misleading) error went away – Hirnhamster Feb 16 '23 at 09:34
0

Added Service Account User role to service account and it worked for me.

suresh