Sudden permissions denied for service account

Question

I Have a ServiceAccount that has permissions to do all sort of things on my GCP project, and a Jenkins pipeline that runs on nightly basis and shutdown one of my GKE environments.
Few days ago i've started noticing random failures on fetching credentials for the cluster, while running the same pipeline again works.

i have the following block of code:

gcloud auth activate-service-account --key-file=****
gcloud container clusters get-credentials integration-cluster --zone europe-west1-c --project integration-project

the thing is, on nights it failed i see the following error:

00:00:45  Activated service account credentials for: [jenkins-user@integration-project.iam.gserviceaccount.com]
00:00:46  Fetching cluster endpoint and auth data.
00:00:46  ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/integration-project/zones/europe-west1-c/clusters/integration-cluster".

like the serviceAccount if lack of permissions on the project, but nothing has changed and rerun works.

what can be the reason for this? it looks like a bug but....where? i'm using now Google Cloud SDK 319.0.0.

10x

Did you figure it out? What was the solution? – Gudmundur Orn Aug 16 '22 at 10:07 — Gudmundur Orn, Aug 16 '22 at 10:07

Serhii Rohoza · Answer 1 · 2020-12-02T10:20:30.377

Error message message=Required "container.clusters.get" permission(s) means that your service account doesn't have container.clusters.get permission.

Accordingly to the documentation Understanding roles section Kubernetes Engine roles roles roles/container.clusterViewer and roles/container.clusterAdmin contain this permission.

To solve this issue you can grant to your service account role that contains permission container.clusters.get. The least-privileged IAM role that provides this permission is roles/container.clusterViewer. For more details please have a look at the documentation Understanding service accounts section Granting access to service accounts.

If your service account has all the required permissions you can file an issue report at Google Public Issue Tracker or reach Google Cloud Support.

@user14242404 - Does this answer resolve your issue? If so, please [accept it](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work). — Sergiusz, Mar 03 '21 at 08:21

Sudden permissions denied for service account

1 Answers1