The service account integrated with Bitbucket is unable to list projects:

gcloud projects list

#=>

Listed 0 items.

or set $MY_PROJECT:

gcloud config set project $MY_PROJECT

#=>

Updated property [core/project].

because the output above is immediately followed by this warning:

WARNING: You do not appear to have access to project [$MY_PROJECT] or it does not exist

The warning above contradicts the output of the following:

gcloud config list --format="value(core.project)"

#=>

$MY_PROJECT

Are there any missing steps or prerequisites in order to properly authorize this service account to list and set $MY_PROJECT?

My bitbucket-pipelines.yaml file:

name: Test google auth
image: google/cloud-sdk:latest
script:
  - echo $KEY_FILE | base64 --decode --ignore-garbage > ~/google-key.json
  - gcloud auth activate-service-account --key-file ~/google-key.json
  - gcloud projects list
  - gcloud config set project $MY_PROJECT
  - gcloud container clusters get-credentials $MY_CLUSTER --region $REGION
services:
  - docker

Mike
HosamEmam
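The pipeline above rebuilds the key file with `echo $KEY_FILE | base64 --decode --ignore-garbage`, and the comments later suspect that decoding step. The following is an added example (not from the question or the pipeline) that mirrors the `--ignore-garbage` decode in Python and then checks that what came out is a well-formed service-account key JSON; SAMPLE_KEY, its field values and the wrapped SAMPLE_ENCODED string are constructed placeholders.

```python
"""Decode and sanity-check a base64-encoded service-account key (added example).

Mirrors `base64 --decode --ignore-garbage` by dropping non-alphabet characters
before decoding, then checks the fields a service-account key JSON must carry.
SAMPLE_KEY is a constructed placeholder, not real key material.
"""
import base64
import json
import re

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")
NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")

# Constructed sample key; the private_key body is a placeholder, not a key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-deployer@my-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}
# Encode it the way a pipeline variable often arrives: line-wrapped, with a CRLF.
_b64 = base64.b64encode(json.dumps(SAMPLE_KEY).encode()).decode()
SAMPLE_ENCODED = "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76)) + "\r\n"


def decode_key(encoded):
    """Emulate `base64 --decode --ignore-garbage`: strip newlines, CRs and other
    stray characters, then decode strictly (bad padding raises binascii.Error)."""
    return base64.b64decode(NOT_BASE64.sub("", encoded), validate=True)


def key_problems(raw):
    """Return human-readable defects found in a decoded key file; empty means OK."""
    try:
        key = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON after decoding: {exc}"]
    problems = [f"missing field {f}" for f in REQUIRED_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems


if __name__ == "__main__":
    print(key_problems(decode_key(SAMPLE_ENCODED)) or "key file looks well-formed")
```

Running `key_problems` on the decoded bytes before calling `gcloud auth activate-service-account` turns a vague "Listed 0 items." into a concrete message about a truncated or mis-encoded pipeline variable.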

5 Answers

What permissions did you set for the service account? Did you add the permissions below?

resourcemanager.projects.get
resourcemanager.projects.list
Vishnu Nair
  • Can you double check if the authentication is correct when you run `gcloud auth activate-service-account --key-file ~/google-key.json`? – Vishnu Nair May 11 '20 at 16:37
  • What do you mean exactly by correct? When I run `gcloud auth list` it displayed the activated account, which is the correct account. – HosamEmam May 13 '20 at 13:10
  • I think you are running this from the CI/CD pipeline, right? When you run `gcloud auth list` in your local terminal, do you use the same service account key, ~/google-key.json? Because there can also be some error when you decode the key using base64. – Vishnu Nair May 13 '20 at 20:44
  • Actually, when I run this on my local machine, `gcloud auth activate-service-account --key-file mykey.json`, I got this error: `ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values in the JWT claim.` (the file is not encoded). – HosamEmam May 14 '20 at 15:57
  • That is why you are not able to list the project. I think you either need to create a new token file with the right permissions. – Vishnu Nair May 14 '20 at 18:11
Check with gcloud auth list which account is active in your Cloud SDK, and then check that it has the proper permissions on your project.

llompalles
If you successfully activate the service account as follows:

gcloud auth activate-service-account --key-file service-account-key.json

and you can see it as the ACTIVE one after executing the following:

gcloud auth list

and still get ZERO items

Listed 0 items.

after executing the following:

gcloud projects list

THEN

Make sure to add your service account as a member to your Organization, besides the project, and assign it a Viewer role.

Ahmed Yehia
The

WARNING: You do not appear to have access to project [$PROJECT_ID] or it does not exist.

warning will appear unless there exists at least one role granted to the service account that contains the resourcemanager.projects.get permission.

Google Cloud accounts and permissions have an extra abstraction layer between them: roles. You cannot grant permissions directly to a user or service account; you can only link users with roles and roles with permissions. More on GCP roles here.

You need to either:

  • Update at least one of the custom roles associated with the service account with the permissions listed above:

    gcloud iam roles update $ROLE \
    --add-permissions=resourcemanager.projects.get \
    --project=$PROJECT_ID
    
    #=>
    
    description: $ROLE_DESCRIPTION
    etag: . . .
    includedPermissions:
    . . .
    - resourcemanager.projects.get
    . . .
    name: projects/$PROJECT_ID/roles/$ROLE
    stage: . . .
    title: $ROLE_TITLE
    

    Warning: make sure to use the --add-permissions flag here when updating, as the --permissions flag will remove any other permissions the custom role used to have.

  • Create a custom role:

    gcloud iam roles create $ROLE \
    --description="$ROLE_DESCRIPTION" \
    --permissions=resourcemanager.projects.get \
    --project=$PROJECT_ID \
    --title='$ROLE_TITLE'
    
    #=>
    
    Created role [$ROLE].
    description: $ROLE_DESCRIPTION
    etag: . . .
    includedPermissions:
    - resourcemanager.projects.get
    name: projects/$PROJECT_ID/roles/$ROLE
    stage: . . .
    title: $ROLE_TITLE
    

    and associate it with the service account:

    gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=serviceAccount:$SERVICE_ACCOUNT \
    --role=projects/$PROJECT_ID/roles/$ROLE
    
    #=>
    
    Updated IAM policy for project [$PROJECT_ID].
    auditConfigs:
    . . .
    
  • Associate the service account with a curated role that already contains the resourcemanager.projects.get permission, which has been discussed above.

    If you want to know which curated roles already contain the resourcemanager.projects.get permission and don't want to craft a complex shell loop, it might be easier to go here and filter all roles by Permission:resourcemanager.projects.get.

Note: if you are running into issues, be sure to read the requirements for granting access to resources here.

Note: if you are wondering about the resourcemanager.projects.list permission, it is only grantable to organization-level roles:

gcloud iam roles create $ROLE \
--description="$ROLE_DESCRIPTION" \
--permissions=resourcemanager.projects.list \
--project=$PROJECT_ID \
--title='$ROLE_TITLE'

#=>

ERROR: (gcloud.iam.roles.create) INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid.

More on this limitation here.

Mike
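The answer above explains the member-to-role-to-permission indirection, the `--add-permissions` versus `--permissions` pitfall, and the organization-only nature of resourcemanager.projects.list. The following is an added example (not from the answer or from gcloud) that works those three checks through in Python on constructed data: SA, SAMPLE_POLICY and SAMPLE_ROLES are illustrative samples shaped like `gcloud projects get-iam-policy --format=json` output and the includedPermissions list printed by `gcloud iam roles describe`, not real predefined-role definitions.

```python
"""Resolve which bound IAM roles grant a member a permission (added example).

SAMPLE_POLICY and SAMPLE_ROLES are constructed, illustrative data, not the
real contents of any predefined Google Cloud role.
"""

SA = "serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com"

# Constructed sample: the project's IAM policy bindings.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/container.developer", "members": [SA]},
    {"role": "projects/my-project/roles/ciDeploy",
     "members": [SA, "user:alice@example.com"]},
]}

# Constructed sample: includedPermissions per role name.
SAMPLE_ROLES = {
    "roles/container.developer": ["container.clusters.get", "container.pods.list"],
    "projects/my-project/roles/ciDeploy": ["container.clusters.getCredentials"],
}


def roles_for_member(policy, member):
    """Roles the policy binds directly to `member` (no group/inheritance expansion)."""
    return [b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])]


def roles_granting(policy, roles, member, permission):
    """Subset of the member's bound roles whose definition includes `permission`."""
    return [r for r in roles_for_member(policy, member) if permission in roles.get(r, [])]


def update_role(roles, role, add=(), replace=None):
    """Mirror `gcloud iam roles update`: --add-permissions appends, while
    --permissions replaces the whole list (the pitfall the warning above describes)."""
    current = list(roles.get(role, [])) if replace is None else list(replace)
    roles[role] = current + [p for p in add if p not in current]
    return roles[role]


def custom_role_problems(permissions, level):
    """resourcemanager.projects.list is only valid in an organization-level role."""
    return [f"{p} is not valid in a {level}-level custom role" for p in permissions
            if p == "resourcemanager.projects.list" and level != "organization"]


if __name__ == "__main__":
    perm = "resourcemanager.projects.get"
    print("granted by:", roles_granting(SAMPLE_POLICY, SAMPLE_ROLES, SA, perm))
    update_role(SAMPLE_ROLES, "projects/my-project/roles/ciDeploy", add=[perm])
    print("granted by:", roles_granting(SAMPLE_POLICY, SAMPLE_ROLES, SA, perm))
```

Feed it the real policy and role descriptions from gcloud and an empty result from `roles_granting` for resourcemanager.projects.get is exactly the condition under which the "do not appear to have access" warning appears.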
Set the new service account as active in the terminal:

gcloud config set account cloud-sql-sv-account@xyz.iam.gserviceaccount.com

Then authenticate using this service account:

gcloud auth activate-service-account --key-file=<path to json sv key>
Aseem