我仍然想知道应该如何做才能改变服务帐户的用户。假设我有两个服务帐户(A和B),每个用户在不同的项目中具有不同的角色。在完成使用用户B后,当我想更改为服务帐户A并访问资源时,gcloud命令显示
Error from server (Forbidden): pods is forbidden: User "user-B@project.iam.gserviceaccount.com" cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s).
我已经用gcloud config set account [service-account]更改了我的服务帐户用户,但gcloud仍然读取另一个服务帐户。我错过什么了吗?
这里有一个我认为你正在做的人为的例子:
# gcloud is using my regular User credentials
gcloud config get account
me@gmail.com
# Access GKE as me@gmail.com
kubectl get pods --namespace=default
pod/foo-c7b7995df-vxrmh
# Authenticate as a GCP Service Account with **no** permissions
EMAIL="{ACCOUNT}@{PROJECT}.iam.gserviceaccount.com"
gcloud auth activate-service-account ${EMAIL}
--key-file=${KEY_FILE}
# gcloud is now using the Service Account credentials
gcloud config get account
${EMAIL}
# Using new GKE auth plugin
gke-gcloud-auth-plugin
| jq -r .status.expirationTimestamp
2022-00-00T17:10:00Z
# Need to either delete the token
# Or wait until 17:10 for it to expire
# Then...
kubectl get pods --namespace=default
Error from server (Forbidden): pods is forbidden: ...
Error from server (Forbidden): pods is forbidden: User "{ACCOUNT}@{PROJECT}.iam.gserviceaccount.com" cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s).
一个解决方案是授予GCP (!)Service Account具有列出pod权限的Kubernetes引擎角色之一,即container.pods.*,它是roles/container.developer的一部分:
# Grant the Service Account Kubernetes Engine role
ROLE="roles/container.developer"
gcloud projects add-iam-policy-binding ${PROJECT}
--member=serviceAccount:${EMAIL}
--role=${ROLE}
# Try again
kubectl get pods --namespace=default --output=name
pod/foo-c7b7995df-vxrmh