I have several Google Kubernetes Engine clusters under one GCP project.
I'm trying to understand which service account GKE is using in order to create pods, and specifically, I was facing some permission denied error when trying to read from a Google Container Repository under the same project.
Looking in GCP IAM & Admin page I see several accounts that I'm not sure of their purpose:
XXX-compute@developer.gserviceaccount.com - Compute Engine default service account
XXX@cloudbuild.gserviceaccount.com
XXX@cloudservices.gserviceaccount.com - Google APIs Service Agent
service-XXX@compute-system.iam.gserviceaccount.com Compute Engine Service Agent
service-XXX@container-engine-robot.iam.gserviceaccount.com - Kubernetes Engine Service Agent
service-XXX@containerregistry.iam.gserviceaccount.com - Google Container Registry Service Agent
service-XXX@dlp-api.iam.gserviceaccount.com
service-XXX@gcf-admin-robot.iam.gserviceaccount.com - Google Cloud Functions Service Agent
PPP@appspot.gserviceaccount.com - App Engine default service account Some got more info link to them, but none of them have any actual hint as to being used by GKE deployment.
Each GKE node has an IAM Service Account associated with it. By default, nodes are given the Compute Engine default service account, which you can find by navigating to the IAM section of the Cloud Console.
If you are using the non default Compute Engine service account you probably will need to grant the service account roles/storage.objectViewer role in the project. Check this link for more information.
For GKE you will have an account ending like this "container-engine-robot.iam.gserviceaccount.com" if you have any issue (that could be related with some changes over the API) you can remove the default accounts for GCE and GKE (Under "Name" you will see the details and which belongs to each resource) and re enable the service using the gcloud command to re-create your default service accounts, if not just assign the "Editor" role and try again.