What service account is my GKE cluster using to access GCR

2/20/2019

I have several Google Kubernetes Engine clusters under one GCP project.

I'm trying to understand which service account GKE is using in order to create pods, and specifically, I was facing a permission denied error when trying to read from a Google Container Repository under the same project.

Looking in the GCP IAM & Admin page I see several accounts whose purpose I'm not sure of:

XXX-compute@developer.gserviceaccount.com - Compute Engine default service account
XXX@cloudbuild.gserviceaccount.com
XXX@cloudservices.gserviceaccount.com - Google APIs Service Agent
service-XXX@compute-system.iam.gserviceaccount.com - Compute Engine Service Agent
service-XXX@container-engine-robot.iam.gserviceaccount.com - Kubernetes Engine Service Agent
service-XXX@containerregistry.iam.gserviceaccount.com - Google Container Registry Service Agent
service-XXX@dlp-api.iam.gserviceaccount.com
service-XXX@gcf-admin-robot.iam.gserviceaccount.com - Google Cloud Functions Service Agent
PPP@appspot.gserviceaccount.com - App Engine default service account

Some have a "more info" link next to them, but none of them gives any actual hint as to being used by the GKE deployment.

-- Mugen
google-cloud-platform
google-compute-engine
google-container-registry
google-iam
google-kubernetes-engine

2 Answers

2/20/2019

Each GKE node has an IAM Service Account associated with it. By default, nodes are given the Compute Engine default service account, which you can find by navigating to the IAM section of the Cloud Console.

If you are using a non-default Compute Engine service account, you will probably need to grant the service account the roles/storage.objectViewer role in the project. Check this link for more information.

-- Eduardo Ruela
Source: StackOverflow
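A way to check the two things this answer points at (which service account the node pool actually runs as, and whether that account holds a role that can read the GCR bucket), as an added example that is not part of the original answer. It parses constructed sample JSON shaped like gcloud's output; the project number, account names and node-pool contents are made up, and it additionally checks the node pool's OAuth access scopes, which must permit Cloud Storage reads alongside the IAM role.

```python
import json

# Constructed sample data shaped like `gcloud projects get-iam-policy PROJECT --format=json`
# and `gcloud container node-pools describe POOL --cluster C --zone Z --format=json`.
SAMPLE_IAM_POLICY = json.dumps({"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:locked-down@example-project.iam.gserviceaccount.com"]},
]})
SAMPLE_NODE_POOL = json.dumps({"name": "default-pool", "config": {
    "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
    "oauthScopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}})

# Project-level roles that carry storage.objects.get, the permission a node needs to read
# an image layer out of the GCR storage bucket in the same project.
GCR_READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
                  "roles/viewer", "roles/editor", "roles/owner"}
# Node OAuth access scopes that allow Cloud Storage reads at all; without one of these the
# node cannot pull even if its service account holds a sufficient role.
GCR_READ_SCOPES = {"https://www.googleapis.com/auth/" + s for s in
                   ("devstorage.read_only", "devstorage.read_write",
                    "devstorage.full_control", "cloud-platform")}

def node_service_account(node_pool_json, project_number):
    """Service account the nodes run as; GKE reports "default" for the Compute Engine default SA."""
    sa = json.loads(node_pool_json)["config"].get("serviceAccount", "default")
    return f"{project_number}-compute@developer.gserviceaccount.com" if sa == "default" else sa

def roles_for(policy_json, service_account):
    """Roles bound directly to the service account in a project IAM policy."""
    member = f"serviceAccount:{service_account}"
    return {b["role"] for b in json.loads(policy_json)["bindings"] if member in b.get("members", [])}

def check_gcr_pull(policy_json, node_pool_json, project_number):
    """Return (ok, findings): a read-capable IAM role and a read-capable scope are both required."""
    sa = node_service_account(node_pool_json, project_number)
    roles = roles_for(policy_json, sa)
    scopes = set(json.loads(node_pool_json)["config"].get("oauthScopes", []))
    findings = []
    if not roles & GCR_READ_ROLES:
        findings.append(f"{sa} has no role granting storage.objects.get (bound: {sorted(roles) or 'none'})")
    if not scopes & GCR_READ_SCOPES:
        findings.append("node pool has no Cloud Storage read access scope")
    return (not findings, findings)

if __name__ == "__main__":
    ok, findings = check_gcr_pull(SAMPLE_IAM_POLICY, SAMPLE_NODE_POOL, "123456789")
    print("image pulls should work" if ok else "\n".join(findings))
```

Feed it the real `gcloud` JSON for your project and node pool (and the project number, so a "default" node service account resolves to the Compute Engine default account) to see which of the two conditions is failing.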

2/20/2019

For GKE you will have an account ending like this: "container-engine-robot.iam.gserviceaccount.com". If you have any issue (that could be related to some changes over the API) you can remove the default accounts for GCE and GKE (under "Name" you will see the details and which belongs to each resource) and re-enable the service using the gcloud command to re-create your default service accounts. If not, just assign the "Editor" role and try again.

-- Luke
Source: StackOverflow