
I am trying to get a service account set up in GCP so I can use `docker pull` from my personal shell as well as from Google Cloud Shell, where it works automagically.

I tried this:

gcloud projects add-iam-policy-binding myProject --member=serviceAccount:dockerdude --role=roles/container.admin

But I got this not-very-helpful error:

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition. ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (dockerdude).

I found the problem: this role isn't grantable ... I used the command

gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/myProject

... and indeed the role container.admin isn't in the list.

My question: how do I make this role grantable? Or is there some other way to get what I'm looking for (docker pull permission from user shells as well as from Google Cloud Shell)?

Thanks much for any insight into this problem whatsoever!

Mark McWiggins
    What is **dockerdude**? The error message says **Invalid service account**. IAM members use the email address format. – John Hanley Apr 21 '22 at 17:26
  • The container.admin is grantable at the project level. However, the service account is in the bad format. https://cloud.google.com/iam/docs/understanding-roles#kubernetes-engine-roles – guillaume blaquiere Apr 21 '22 at 20:17
  • I got it using the dockerdude@email syntax to get the service account hooked to the container.admin role. I guess it *was* grantable after all and I just missed it. Thanks. – Mark McWiggins Apr 23 '22 at 15:18
  • If you find my answer helpful for you or the community you could consider upvoting/accepting it. – Alex Apr 28 '22 at 22:45

1 Answer

You can use this reference to write your command interactively, Granting a Single Role:

Note: If you want to identify a service account just after it is created, use the numeric ID rather than the email address to ensure that it is reliably identified.

gcloud iam service-accounts add-iam-policy-binding ServiceAccount_ID \
    --member=PRINCIPAL --role=ROLE_ID \
    --condition=CONDITION

Some parameters are missing, but it should be something like:

gcloud iam service-accounts add-iam-policy-binding my-service-account@my-project.iam.gserviceaccount.com \
    --member=serviceAccount:dockerdude@example.com --role=roles/container.clusterAdmin

Also check this very good explanation of service accounts, which can be described as both an identity and a resource; see the full question for more details:

You have to read the command like this

gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>

Additionally, read this question related to the list-grantable-roles command:

They can also be listed:

gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
Alex
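As an added example that is not part of the original answer or of gcloud itself: a small shell pre-flight check that enforces the member and role formats the answer describes (TYPE:EMAIL principals, role ids without a leading slash) before the add-iam-policy-binding call is run. The function names and the sample identifiers (myProject, dockerdude@my-project.iam.gserviceaccount.com) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Validates the --member and --role
# arguments for "gcloud <resourceType> add-iam-policy-binding <resourceName>"
# and catches the two mistakes seen in the question: a bare name instead of an
# email principal, and a role id with a stray leading slash. The gcloud command
# is only printed by build_binding_cmd, so this runs without gcloud or a project.

# check_member: an IAM principal is TYPE:EMAIL, e.g.
#   serviceAccount:dockerdude@my-project.iam.gserviceaccount.com (constructed sample)
check_member() {
  case "$1" in
    user:*@*.* | serviceAccount:*@*.* | group:*@*.*) return 0 ;;
    *) echo "bad member '$1': expected user:|serviceAccount:|group: + email" >&2
       return 1 ;;
  esac
}

# check_role: predefined roles are roles/<service>.<name>; custom roles are
# projects/<p>/roles/<id> or organizations/<o>/roles/<id>. Never a leading slash.
check_role() {
  case "$1" in
    roles/*.* | projects/*/roles/* | organizations/*/roles/*) return 0 ;;
    *) echo "bad role '$1': expected roles/<service>.<name> (no leading slash)" >&2
       return 1 ;;
  esac
}

# build_binding_cmd RESOURCE_TYPE RESOURCE_NAME MEMBER ROLE
# Read as: grant ROLE to MEMBER on RESOURCE_NAME. Echoes the command to run.
build_binding_cmd() {
  check_member "$3" || return 1
  check_role "$4" || return 1
  printf 'gcloud %s add-iam-policy-binding %s --member=%s --role=%s\n' \
    "$1" "$2" "$3" "$4"
}
```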