Trying to follow the cert-manager instructions for linking a Kubernetes service account to a GCP service account, I need to run this command:

```shell
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[cert-manager/cert-manager]" \
  dns01-solver@$PROJECT_ID.iam.gserviceaccount.com \
  --project=$PROJECT_ID
```
but I keep getting this error:

```
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) PERMISSION_DENIED:
Permission 'iam.serviceAccount.setIamPolicy' denied on
resource (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: iam.googleapis.com
  metadata:
    permission: iam.serviceAccount.setIamPolicy
  reason: IAM_PERMISSION_DENIED
```
I have attached these permissions to the GCP service account (dns01-solver@$PROJECT_ID.iam.gserviceaccount.com):
DNS Administrator
Project IAM Admin
Service Account Token Creator
Service Account User
Workload Identity User
But I keep getting the same error.
Also, the Kubernetes service account cert-manager does exist in namespace cert-manager, as can be seen here:
This is its describe output:


Just needed to add roles/iam.serviceAccountAdmin to my personal account, which triggers the gcloud commands, as specified here: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
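As an added check that is not part of the question or answer: once the binding command succeeds, it is worth confirming from the GCP service account's IAM policy (`gcloud iam service-accounts get-iam-policy ... --format=json`) that roles/iam.workloadIdentityUser is granted only to the intended Kubernetes service account, since any other member listed there can impersonate dns01-solver and edit DNS. The policy below is a constructed sample and the project id my-project is assumed.

```python
import json
import re

# Constructed sample of `gcloud iam service-accounts get-iam-policy` JSON output
# for the dns01-solver GCP service account. Not real data; the second
# Workload Identity member is included to show an unexpected grant.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": [
             "serviceAccount:my-project.svc.id.goog[cert-manager/cert-manager]",
             "serviceAccount:my-project.svc.id.goog[default/debug-shell]",
         ]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:someone@example.com"]},
    ],
    "etag": "BwXyZ",
    "version": 1,
})

WI_ROLE = "roles/iam.workloadIdentityUser"
# Workload Identity member format: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
WI_MEMBER = re.compile(
    r"^serviceAccount:(?P<project>[^.\[]+)\.svc\.id\.goog\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)


def wi_member(project, namespace, ksa):
    """Build the member string the add-iam-policy-binding command expects."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def workload_identity_members(policy_json):
    """Collect every member holding roles/iam.workloadIdentityUser on the GSA."""
    policy = json.loads(policy_json)
    members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == WI_ROLE:
            members.extend(binding.get("members", []))
    return members


def check_binding(policy_json, project, namespace, ksa):
    """Return (bound, unexpected): whether the intended KSA is bound, and any
    other members that can also impersonate the GSA (malformed ones included)."""
    expected = wi_member(project, namespace, ksa)
    members = workload_identity_members(policy_json)
    unexpected = [m for m in members if m != expected or not WI_MEMBER.match(m)]
    return expected in members, unexpected
```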