
Unable to run terraform due to lack of permissions on custom roles

Open cblecker opened this issue 10 months ago • 5 comments

As a member of [email protected], according to https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/terraform/README.md I should be able to run terraform against the k8s-infra-prow-build-trusted project.

However, when I attempt to do so I get the following error:

│ Error: Error when reading or editing Error reading IAM Role organizations/758905017065/roles/iam.serviceAccountLister: googleapi: Error 403: You don't have permission to get the role at organizations/758905017065/roles/iam.serviceAccountLister.

It looks like because this custom role is associated with resources, but I don't have permissions to iam.roles.get it at the org level, I can't run terraform. Adding myself to org admin (https://github.com/kubernetes/k8s.io/pull/6671) allowed me to do the action. It sounds like we need to either A) discontinue use of this custom role, or B) allow permissions for folks that will be running terraform to iam.roles.get details of that role.

cblecker avatar Apr 08 '24 18:04 cblecker
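Option B from the comment above, written out as an added Terraform example. This is not code from the issue or from the k8s.io repository: the org ID and the referenced custom role name come from the error message in the issue, while the group address (redacted on the page) and the new role_id are placeholders. The point is to grant only iam.roles.get at the organization scope, where the referenced role lives, instead of the broader org admin workaround the reporter used.

```hcl
# Added example, not from the k8s.io repo. Grants terraform runners the single
# permission (iam.roles.get) needed to read an org-level custom role that
# project resources reference, instead of making them org admins.

variable "org_id" {
  # Taken from the error message in the issue.
  default = "758905017065"
}

variable "terraform_runners_group" {
  # Placeholder: the real group address is redacted in the issue.
  default = "PLACEHOLDER-terraform-runners@example.org"
}

# Narrow custom role at org scope: read-only on role definitions, nothing else.
resource "google_organization_iam_custom_role" "role_reader" {
  org_id      = var.org_id
  role_id     = "iam.roleReader" # hypothetical role_id, chosen for this example
  title       = "Custom Role Reader"
  description = "Lets terraform runners read custom role definitions"
  permissions = ["iam.roles.get"]
}

# Bind the group at the organization, because the role terraform fails to read
# (organizations/758905017065/roles/iam.serviceAccountLister) is an org-level role
# and iam.roles.get on a project does not cover it.
resource "google_organization_iam_member" "terraform_role_reader" {
  org_id = var.org_id
  role   = google_organization_iam_custom_role.role_reader.id
  member = "group:${var.terraform_runners_group}"
}
```

The predefined roles/iam.roleViewer bound at the organization would serve the same purpose (it carries iam.roles.get and iam.roles.list) if a custom role is not wanted. Either way, a member of the group can confirm the fix before re-running terraform with `gcloud iam roles describe iam.serviceAccountLister --organization 758905017065`, which exercises exactly the iam.roles.get call that produced the 403 above.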

cc @ameukam @upodroid @dims @BenTheElder

cblecker avatar Apr 08 '24 18:04 cblecker

The IAM roles magic is somewhat impenetrable and causing other issues like https://github.com/kubernetes/k8s.io/issues/4981.

Unfortunately I don't think anyone is terribly familiar with this OR has the bandwidth to replace it (versus continuing to migrate everything to community accounts so we can all sort this out together later ...)

BenTheElder avatar Apr 18 '24 02:04 BenTheElder

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jul 17 '24 02:07 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Aug 16 '24 03:08 k8s-triage-robot

/remove-lifecycle rotten

ameukam avatar Aug 16 '24 19:08 ameukam