Following Google's docs on how to set up Workload Identity:
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity. I have enabled the GKE metadata server on all nodes as well as the Workload Identity feature at the cluster level. However, when attempting to add an IAM binding policy I get INVALID_ARGUMENT: Request contains an invalid argument.
A K8s service account named test-sa was already created in the default namespace. Example command:
gcloud projects add-iam-policy-binding projects/my-project \
--role=roles/container.clusterViewer \
--member=principal://iam.googleapis.com/projects/my-project-number/locations/global/workloadIdentityPools/my-project-id.svc.id.goog/subject/ns/default/sa/test-sa \
--condition=None
And the response is:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Request contains an invalid argument.
I'm not sure what argument is invalid in the above command, since I'm following the docs' suggestions.
Additionally, when enabling Workload Identity on GKE, it says it's supposed to set up a pool, but when I run the following, no pools have been created:
gcloud iam workload-identity-pools list --location global
Asked Feb 5 at 19:03 by Chris Recalis
1 Answer
I was able to successfully set up GKE Workload Identity using the document you’ve provided. For you to be able to run it successfully, make sure to use the correct Project Number, Project ID, Namespace and Kubernetes Service account.
To get the correct project name, number and ID, use the command below:
gcloud projects describe PROJECT_ID
To get the Namespace and KSA use this command:
kubectl get namespaces
kubectl get serviceaccount -n <namespace-name>
Hope this helps
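Added example (not part of the original answer or of Google's documentation): a pre-flight check for the four values the answer says to verify, which also rejects the projects/ prefix flagged in the comment on the question, then prints the binding command for review without running it. Function names are hypothetical, the sample values are constructed, and the project ID pattern assumes a project that is not domain-scoped.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Nothing here calls gcloud.
NL='
'

# Succeeds only if $1 is a single line matching the extended regex $2 in full.
matches() {
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "^($2)\$"
}

# Args: project ID, project number, namespace, Kubernetes service account.
# Prints the reason to stderr and returns 1 on the first malformed value.
validate_wi_inputs() {
    case $1 in
        projects/*) echo "project ID must not carry the projects/ prefix: $1" >&2; return 1 ;;
    esac
    # Assumption: project ID is 6-30 characters and not domain-scoped.
    matches "$1" '[a-z][a-z0-9-]{4,28}[a-z0-9]' ||
        { echo "invalid project ID: $1" >&2; return 1; }
    # Catches a project ID or name pasted where the number belongs.
    matches "$2" '[0-9]+' ||
        { echo "project number must be numeric: $2" >&2; return 1; }
    # A namespace is a DNS label; a service account name is a DNS subdomain.
    matches "$3" '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?' ||
        { echo "invalid namespace: $3" >&2; return 1; }
    matches "$4" '[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?' ||
        { echo "invalid service account name: $4" >&2; return 1; }
}

# Principal for one Kubernetes service account, in the format the question uses.
wi_principal() {
    printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s\n' \
        "$2" "$1" "$3" "$4"
}

# Args: the four values above plus the role. Prints the command, does not run it.
wi_binding_command() {
    validate_wi_inputs "$1" "$2" "$3" "$4" || return 1
    printf 'gcloud projects add-iam-policy-binding %s --role=%s --member=%s --condition=None\n' \
        "$1" "$5" "$(wi_principal "$1" "$2" "$3" "$4")"
}

# Constructed sample values, not taken from a real project.
wi_binding_command my-project-id 123456789012 default test-sa roles/container.clusterViewer
```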
gcloud projects add-iam-policy-binding requires a Project ID (you have projects/my-project). I think the documentation is incorrect on this point. – DazWilkin Commented Feb 5 at 19:50
projects/ but still get the same response. – Chris Recalis Commented Feb 6 at 1:37