I am creating a new service account and trying to assign it a role. The assigning part is failing to find the account I just created.
Why?
*[master][~]$ gcloud iam service-accounts add-iam-policy-binding some-project --member="serviceAccount:some-name@some-project.iam.gserviceaccount.com" --role="roles/secretmanager.secretAccessor"
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) NOT_FOUND: Unknown service account
*[master][~]$ gcloud iam service-accounts add-iam-policy-binding some-project --member="some-name@some-project.iam.gserviceaccount.com" --role="roles/secretmanager.secretAccessor"
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) NOT_FOUND: Unknown service account
*[master][~]$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
Compute Engine default service account 01234567890-compute@developer.gserviceaccount.com False
App Engine default service account some-project@appspot.gserviceaccount.com False
Some Name some-name@some-project.iam.gserviceaccount.com False
Interestingly, the new account does not appear in IAM & Admin > Service Accounts in the portal, either. It still shows when I list them all from the CLI. Prrrfff...
I think you want gcloud projects
not gcloud iam service-accounts
gcloud projects add-iam-policy-binding some-project \
--member=serviceAccount:some-name@some-project.iam.gserviceaccount.com \
--role=roles/secretmanager.secretAccessor
I have a snippet that is (from memory):
PROJECT="some-project"
ACCOUNT="some-name"
EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"
ROLES=(
"secretmanager.secretAccessor"
)
gcloud iam service-accounts create ${ACCOUNT} \
--project=${PROJECT}
# Use sparingly
gcloud iam service-accounts keys create ${PWD}/${ACCOUNT}.json \
--project=${PROJECT}
for ROLE in ${ROLES[@]}
do
gcloud projects add-iam-policy-binding ${PROJECT} \
--member=serviceAccount:${EMAIL} \
--role=roles/${ROLE}
done
Step 5 should do:
gcloud iam service-accounts add-iam-policy-binding \
user-sa-name@project-id.iam.gserviceaccount.com \
--member=serviceAccount:service-agent-email \
--role=roles/iam.serviceAccountTokenCreator
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.