I have created a ServiceAccount and a custom role from the GCP console.

However, when trying to associate them, it fails as below:

gcloud projects add-iam-policy-binding my-project \
  --member serviceAccount:cloudrun-poc@my-project.iam.gserviceaccount.com \
  --role roles/MyCustomRole
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/ClusterUpscaler is not supported for this resource.

Any ideas why?

pkaramol

2 Answers

You might have to create role MyCustomRole before attempting to assign it. No clue why it complains about role ClusterUpscaler, but there might not be a cluster present in that project... Besides, custom roles usually have names like projects/{project-id}/roles/{role-name}. They can also be listed:

gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
Martin Zeitler
  • `ClusterUpscaler` is a custom role with just this permission: `container.clusters.update`. I am trying to create a CloudRun service that should be able to invoke the `gcloud container clusters update` command. Any other suggestions are more than welcome – pkaramol Sep 24 '19 at 18:58
  • BTW, the role is listed when I use the command you posted above – pkaramol Sep 24 '19 at 19:06
  • @pkaramol custom roles are always per project; you might need the fully qualified name to assign it (as opposed to the pre-defined roles, which are available globally). – Martin Zeitler Sep 24 '19 at 19:08
  • Wow! That was it! It just needed the FQ role name! Such a misleading error message... Anyway, I suggest you update your answer accordingly so that I can accept it. – pkaramol Sep 24 '19 at 19:23
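The resolution above in script form, as an added example that is not part of the original answer or comments: a helper that turns a bare or `roles/`-prefixed custom role id into the project-qualified `projects/{project-id}/roles/{role-name}` form, checks it against the grantable-roles listing, and only then adds the binding. The function names, the project id and the service account email are assumptions for illustration; `gcloud` is required only for the binding step.

```shell
#!/bin/sh
# Added example, not from the original post. Project id, role id and service
# account below are constructed placeholders.

# qualify_custom_role PROJECT_ID ROLE -> projects/PROJECT_ID/roles/ROLE_ID
# Accepts a bare role id or one mistakenly written as "roles/ROLE_ID" (the form
# that produced INVALID_ARGUMENT in the question) and leaves an already
# qualified projects/... or organizations/... name untouched.
qualify_custom_role() {
  project="$1"
  role="$2"
  case "$role" in
    projects/*/roles/*|organizations/*/roles/*) printf '%s\n' "$role" ;;
    roles/*) printf 'projects/%s/roles/%s\n' "$project" "${role#roles/}" ;;
    *) printf 'projects/%s/roles/%s\n' "$project" "$role" ;;
  esac
}

# bind_custom_role PROJECT_ID ROLE SERVICE_ACCOUNT_EMAIL
# Verifies the qualified role appears in the grantable-roles listing for the
# project (the same listing the answer suggests) before adding the binding, so
# a typo or a role from another project fails with a clear message instead of
# the generic "is not supported for this resource" error.
bind_custom_role() {
  project="$1"
  sa="$3"
  fq_role="$(qualify_custom_role "$project" "$2")"
  if ! gcloud iam list-grantable-roles \
        "//cloudresourcemanager.googleapis.com/projects/$project" \
        --format='value(name)' | grep -qx "$fq_role"; then
    echo "role $fq_role is not grantable on project $project" >&2
    return 1
  fi
  # The custom role carries only the permissions it was created with
  # (container.clusters.update in the question), so the binding stays narrow.
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$sa" \
    --role "$fq_role"
}

# Usage (placeholders):
# bind_custom_role my-project ClusterUpscaler cloudrun-poc@my-project.iam.gserviceaccount.com
```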

You could run gcloud alpha iam policies lint-condition as the output suggests. For me, it was a missing gcloud command "Alpha".

Kuzz