
hub default service account does not have access

Open richiefrich opened this issue 3 years ago • 4 comments

TL;DR

So when I run the fleet module it doesn't have access to my GKE clusters with the service account it is using. But I see no way of telling it what service account to use.

Error: Error creating Membership: googleapi: Error 403: hub default service account does not have access to the GKE cluster project for "//container.googleapis.com/projects/ss-pp-core-sb/locations/us-central1-a/clusters/uat-01"

Expected behavior

I would think the module would use the SA that I am running as, or the node-pool SA, as those both have the roles/gkehub.admin role. This is the role I found here: https://cloud.google.com/anthos/fleet-management/docs/before-you-begin

Please let me know what I am missing thanks!

Observed behavior

Error: Error creating Membership: googleapi: Error 403: hub default service account does not have access to the GKE cluster project for "//container.googleapis.com/projects/ss-pp-core-sb/locations/us-central1-a/clusters/uat-01"

Terraform Configuration

/**************************
      FLEET Membership
  ***************************/
module "hub-primary" {
  source                            = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership"
  version                           = "23.0.0"

  enable_fleet_registration         = true
  cluster_name                      = module.primary-cluster.name
  location                          = module.primary-cluster.location
  membership_name                   = "${module.primary-cluster.name}-membership"
  project_id                        = var.project_id

  depends_on                        = [module.primary-cluster.endpoint]
}

Terraform Version

terraform version
Terraform v1.1.9

Additional information

No response

richiefrich, Sep 10 '22 13:09

What Service Account needs the role roles/gkehub.admin? Because I am not seeing a SA being created, so I have no idea which one it is even using.

richiefrich, Sep 11 '22 17:09

It looks like you may need to grant the Fleet default service account additional permissions in the GKE cluster's project. Check out https://cloud.google.com/anthos/fleet-management/docs/troubleshooting#error_in_registering_a_gke_cluster_from_a_different_project_than_fleet and https://cloud.google.com/anthos/fleet-management/docs/before-you-begin/gke#gke-cross-project for more information.

sjvanrossum, Sep 12 '22 21:09

@sjvanrossum thanks, I wish this was listed in the module prerequisites.

richiefrich, Sep 13 '22 12:09

Thanks for the report @richiefrich and for debugging @sjvanrossum. I believe setting var.hub_project_id to the hub project should let the module grant the agent the gkehub.serviceAgent role in var.project_id, where the cluster resides.

bharathkkb, Sep 16 '22 02:09
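For readers landing on this thread: the "hub default service account" in the 403 is the fleet service agent of the hub (fleet host) project, and cross-project registration works only once that agent holds roles/gkehub.serviceAgent on the cluster's project. The configuration below is an added example, not code from the module or from anyone in this thread. It shows both the explicit IAM grant described in the linked troubleshooting docs and the module call with hub_project_id set, as suggested above. The project IDs are placeholders and module.primary-cluster is assumed to be the cluster module from the original report.

```hcl
# Added example (not from the module or this thread): cross-project fleet
# registration with the GKE cluster in var.project_id and the fleet in
# var.hub_project_id. Project IDs are placeholders.

variable "project_id" {
  description = "Project that owns the GKE cluster (placeholder value)"
  type        = string
  default     = "cluster-project-placeholder"
}

variable "hub_project_id" {
  description = "Fleet host (hub) project (placeholder value)"
  type        = string
  default     = "fleet-host-project-placeholder"
}

# The fleet service agent's email is derived from the hub project NUMBER,
# not its ID, so look the project up first.
data "google_project" "hub" {
  project_id = var.hub_project_id
}

# The service agent only exists once the GKE Hub API is enabled in the hub project.
resource "google_project_service" "gkehub" {
  project            = var.hub_project_id
  service            = "gkehub.googleapis.com"
  disable_on_destroy = false
}

# Least-privilege grant: a single role, scoped to the cluster project only,
# for the hub project's fleet service agent only.
resource "google_project_iam_member" "fleet_service_agent" {
  project = var.project_id
  role    = "roles/gkehub.serviceAgent"
  member  = "serviceAccount:service-${data.google_project.hub.number}@gcp-sa-gkehub.iam.gserviceaccount.com"

  depends_on = [google_project_service.gkehub]
}

# Same module call as in the report, with hub_project_id pointing at the
# fleet host project so the Membership is created in that project's fleet.
module "hub-primary" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership"
  version = "23.0.0"

  enable_fleet_registration = true
  project_id                = var.project_id
  hub_project_id            = var.hub_project_id
  cluster_name              = module.primary-cluster.name
  location                  = module.primary-cluster.location
  membership_name           = "${module.primary-cluster.name}-membership"

  # Make sure the grant lands before the Membership is created, otherwise the
  # first apply still fails with the 403 from the report.
  depends_on = [google_project_iam_member.fleet_service_agent, module.primary-cluster]
}
```

If the module is relied on to perform the grant when hub_project_id is set (as the maintainer comment above indicates), the explicit google_project_iam_member resource can be dropped; it is kept here to make visible exactly which principal receives which role in which project, which is also what to inspect in the cluster project's IAM policy when the 403 persists.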

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.

github-actions[bot], Nov 15 '22 23:11