gcloud console can't view gke resources

Question

I'm testing permissions on GCP on new project, I've created a user and gave basic storage.objects.get and storage.objects.list permissions and all work, but when I moved to GKE it stopped no matter how many permissions (container.clusters.* or container.pods.* or the role Kubernetes Engine Cluster Viewer he can't view the resources with the error message

Can't access project settings for project <my_project> on service container.googleapis.com [view=CONSUMER_VIEW].

any thoughts what might be the issue ?

I also enabled the API services

gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable serviceusage.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable sql-component.googleapis.com

anyone see anything basic I'm missing ?

Answer 1

See the pre-defined GKE roles; while you might be lacking another role/permission (on the project itself, instead of GKE). It is impossible to tell without even knowing which command you've ran.

I'd suggest to enable troubleshooting:

gcloud services enable policytroubleshooter.googleapis.com --project=project-id
gcloud config set project project-id
gcloud policy-troubleshoot iam resource --principal-email=email --permission=permission
gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/my-project --permission=resourcemanager.projects.getIamPolicy --principal-email=foo@example.com

This should provide an accurate insight what is going wrong and why

(some of the dummy arguments obviously require substitution).