I created a specific service account in GCP for provisioning clusters in my project:
gcloud iam service-accounts create [sa_name]
gcloud projects add-iam-policy-binding \
[project_id] \
--role=roles/container.admin \
--member=serviceAccount:[sa_name]@[project_id].iam.gserviceaccount.com
gcloud iam service-accounts keys create [keyfile_name] \
--iam-account=[sa_name]@[project_id].iam.gserviceaccount.com
gcloud auth activate-service-account --key-file=[keyfile_name]
When I run the command gcloud container clusters create [cluster_name] I always get:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Required "container.clusters.create" permission(s) for "projects/context-platform-staging". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.
As you can see, I use roles/container.admin, but I even tried to apply roles/editor and roles/owner to this service account, with the same behavior.
The only way this command works so far is to use my main google owner account (not a service account).
What am I missing here?
From the error message, I understood that the service account does not have the permission "container.clusters.create".
Please add the "Container Engine Cluster Admin" and also the "Container Engine Admin" roles on the service account that the cluster is being created with.
To create a cluster, you need both the "container.clusters.create" permission on the project and the role "roles/iam.serviceAccountUser" assigned to the user who will use the service account. In this way, the user can access GKE's service account.
For more information and an in-depth tutorial, please refer to this article in the GCP documentation.
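As an added example (not part of the question or the answer above), the check below audits a project IAM policy, in the JSON shape returned by `gcloud projects get-iam-policy [project_id] --format=json`, for the two grants the answer names: a role on the service account that carries container.clusters.create, and roles/iam.serviceAccountUser on the user. The sample policy, the project name, the e-mail addresses and the etag are constructed; the role set only covers the predefined roles mentioned on this page and does not expand custom roles.

```python
import json

# Predefined project roles named on this page that grant container.clusters.create.
# Assumption: roles are matched by name only; custom roles are not expanded.
CLUSTER_CREATE_ROLES = {
    "roles/container.admin",
    "roles/container.clusterAdmin",
    "roles/editor",
    "roles/owner",
}
SA_USER_ROLE = "roles/iam.serviceAccountUser"


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role the policy binds unconditionally to `member`."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue  # a conditional grant may not apply; do not count it as satisfied
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def audit_cluster_creation(policy: dict, sa_email: str, user_email: str) -> list:
    """Return findings as strings; an empty list means both grants are present."""
    findings = []
    sa_member = f"serviceAccount:{sa_email}"
    user_member = f"user:{user_email}"
    if not roles_for_member(policy, sa_member) & CLUSTER_CREATE_ROLES:
        findings.append(f"{sa_member} has no role granting container.clusters.create")
    if SA_USER_ROLE not in roles_for_member(policy, user_member):
        findings.append(f"{user_member} lacks {SA_USER_ROLE}")
    return findings


# Constructed sample policy mirroring the question: the service account holds
# roles/container.admin, but nobody has been granted roles/iam.serviceAccountUser.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/container.admin",
     "members": ["serviceAccount:provisioner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXAAAAAAAA=",
  "version": 1
}
""")

if __name__ == "__main__":
    sa = "provisioner@example-project.iam.gserviceaccount.com"
    for finding in audit_cluster_creation(SAMPLE_POLICY, sa, "alice@example.com"):
        print("FINDING:", finding)
```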