
gcloud iam service-accounts add-iam-policy-binding ... NOT_FOUND: Unknown service account

I am creating a new service account and trying to assign it a role. The assigning part is failing to find the account I just created.

Why?

*[master][~]$ gcloud iam service-accounts add-iam-policy-binding some-project --member="serviceAccount:some-name@some-project.iam.gserviceaccount.com" --role="roles/secretmanager.secretAccessor"
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) NOT_FOUND: Unknown service account

*[master][~]$ gcloud iam service-accounts add-iam-policy-binding some-project --member="some-name@some-project.iam.gserviceaccount.com" --role="roles/secretmanager.secretAccessor"
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) NOT_FOUND: Unknown service account

*[master][~]$ gcloud iam service-accounts list
DISPLAY NAME                            EMAIL                                                     DISABLED
Compute Engine default service account  01234567890-compute@developer.gserviceaccount.com         False
App Engine default service account      some-project@appspot.gserviceaccount.com                  False
Some Name                               some-name@some-project.iam.gserviceaccount.com            False

Interestingly, the new account does not appear in IAM & Admin > Service Accounts in the portal, either. It still shows when I list them all from the CLI. Prrrfff...

I think you want gcloud projects not gcloud iam service-accounts

gcloud projects add-iam-policy-binding some-project \
--member=serviceAccount:some-name@some-project.iam.gserviceaccount.com \
--role=roles/secretmanager.secretAccessor

I have a snippet that is (from memory):

PROJECT="some-project"
ACCOUNT="some-name"

EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"

ROLES=(
  "secretmanager.secretAccessor"
)

# Create the service account; its e-mail address will be ${EMAIL}
gcloud iam service-accounts create "${ACCOUNT}" \
--project="${PROJECT}"

# Use sparingly: a downloaded key is a long-lived credential.
# keys create needs --iam-account to say which account the key belongs to.
gcloud iam service-accounts keys create "${PWD}/${ACCOUNT}.json" \
--iam-account="${EMAIL}" \
--project="${PROJECT}"

# Grant each role to the service account on the project (not on the account itself)
for ROLE in "${ROLES[@]}"
do
  gcloud projects add-iam-policy-binding "${PROJECT}" \
  --member="serviceAccount:${EMAIL}" \
  --role="roles/${ROLE}"
done

Step 5 should do:

gcloud iam service-accounts add-iam-policy-binding \
    user-sa-name@project-id.iam.gserviceaccount.com \
    --member=serviceAccount:service-agent-email \
    --role=roles/iam.serviceAccountTokenCreator
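Added example, not code from either answer above: a small shell script that checks the arguments before any gcloud call is made, so the two failing commands from the question are caught locally (a project ID where the service-account e-mail belongs, and a member without the serviceAccount: prefix), and that prints the binding command for the scope you actually mean: the project (the first answer), a single secret (narrower than a project-wide secretAccessor grant), or the service account itself (the second answer's token-creator case, where the binding controls who may act as that account). The names some-project, some-name, my-secret and user:alice@example.com are placeholders; the script only builds and validates commands, it does not run gcloud.

```shell
#!/bin/sh
# Added example: pre-flight checks and command builder for gcloud IAM bindings.
# Placeholder names (some-project, some-name, my-secret, alice@example.com) are constructed.
set -eu

# A service-account *resource* is addressed by its e-mail, never by a project ID.
is_sa_email() {
  case "$1" in
    *@*.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# IAM members must carry a principal-type prefix; a bare e-mail is rejected.
is_iam_member() {
  case "$1" in
    serviceAccount:*|user:*|group:*|domain:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate arguments for `gcloud iam service-accounts add-iam-policy-binding TARGET --member=MEMBER`.
# Returns non-zero with a reason on stderr when the call would fail as in the question.
check_sa_binding() {
  target="$1"
  member="$2"
  if ! is_sa_email "$target"; then
    echo "target '$target' is not a service-account e-mail; for a project-level grant use 'gcloud projects add-iam-policy-binding'" >&2
    return 1
  fi
  if ! is_iam_member "$member"; then
    echo "member '$member' lacks a principal prefix such as serviceAccount:" >&2
    return 1
  fi
}

# Emit the gcloud command for the scope the role should apply to:
#   project         -> the SA gets ROLE on everything in PROJECT
#   secret          -> the SA gets ROLE on one secret only (EXTRA = secret name)
#   service-account -> EXTRA (a member) gets ROLE on the SA itself, e.g. permission to mint its tokens
binding_cmd() {
  scope="$1"
  project="$2"
  sa_email="$3"
  role="$4"
  extra="${5:-}"
  case "$scope" in
    project)
      echo "gcloud projects add-iam-policy-binding $project --member=serviceAccount:$sa_email --role=$role" ;;
    secret)
      echo "gcloud secrets add-iam-policy-binding $extra --project=$project --member=serviceAccount:$sa_email --role=$role" ;;
    service-account)
      echo "gcloud iam service-accounts add-iam-policy-binding $sa_email --member=$extra --role=$role" ;;
    *)
      echo "unknown scope: $scope" >&2
      return 1 ;;
  esac
}

# Usage: the first two calls reproduce the question's failures, the third is well-formed.
check_sa_binding some-project "serviceAccount:some-name@some-project.iam.gserviceaccount.com" || true
check_sa_binding some-project "some-name@some-project.iam.gserviceaccount.com" || true
check_sa_binding some-name@some-project.iam.gserviceaccount.com "user:alice@example.com" && echo "service-account binding arguments OK"
binding_cmd project some-project some-name@some-project.iam.gserviceaccount.com roles/secretmanager.secretAccessor
binding_cmd secret some-project some-name@some-project.iam.gserviceaccount.com roles/secretmanager.secretAccessor my-secret
binding_cmd service-account some-project some-name@some-project.iam.gserviceaccount.com roles/iam.serviceAccountTokenCreator user:alice@example.com
```

The secret scope is the one to prefer when a workload only needs one or two secrets: roles/secretmanager.secretAccessor at project level lets the account read every secret in the project, while the same role bound on a single secret reads only that one.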
