In order to implement a CI pipeline from GitHub to GCP, I have configured Workload Identity.
SERVICE_ACCOUNT="xyz"
PROJECT_ID="ABC"
Service account created by the command:
gcloud iam service-accounts create "${SERVICE_ACCOUNT}" \
--description="${SERVICE_ACCOUNT}" \
--display-name="${SERVICE_ACCOUNT}"
Added principalSet by the following command:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_NAME}/attribute.repository/${ORG_NAME}/${REPOSITORY}"
Up to this point it was working fine.
But using this account I want to provision infrastructure and deploy applications as well.
So I have used the following command:
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--member "serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role "roles/container.clusterAdmin"
Likewise, some more roles are to be added. But I get the following error:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/container.clusterAdmin is not supported for this resource.
Any feedback on how to obtain the rights?
Add the IAM policy to the project and not to the service account.
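The answer above in runnable form, as an added example that is not part of the original question or answer: a small POSIX shell script that performs the binding at project scope (the resource that accepts roles such as roles/container.clusterAdmin; the service-account resource only accepts roles that govern the account itself, hence the INVALID_ARGUMENT error) and then lists what the account holds on the project so the change can be verified. PROJECT_ID and SERVICE_ACCOUNT reuse the placeholder values from the question, the role list is assumed, and APPLY=1 is a switch of this script, not a gcloud flag.

```shell
#!/bin/sh
# Added example (not from the original question or answer): grant the CI
# service account its roles on the PROJECT, which is the resource that accepts
# roles such as roles/container.clusterAdmin. The service-account resource
# itself only accepts roles that govern the account (roles/iam.serviceAccountUser,
# roles/iam.workloadIdentityUser, ...), hence the INVALID_ARGUMENT error.
# PROJECT_ID, SERVICE_ACCOUNT and the role list below are placeholder values.
set -eu

PROJECT_ID="${PROJECT_ID:-ABC}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-xyz}"
SA_MEMBER="serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com"

# Commands are printed by default; set APPLY=1 to actually execute gcloud.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Bind one role to the service account at project scope. --condition=None
# avoids the interactive prompt gcloud raises when conditional bindings exist.
grant_project_role() {
  run gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --member="${SA_MEMBER}" \
    --role="$1" \
    --condition=None
}

# List the roles the service account now holds on the project, so the grant
# can be verified and over-broad roles reviewed after the change.
list_project_roles() {
  run gcloud projects get-iam-policy "${PROJECT_ID}" \
    --flatten="bindings[].members" \
    --filter="bindings.members:${SA_MEMBER}" \
    --format="value(bindings.role)"
}

main() {
  # Keep this list to the narrowest roles the pipeline actually needs;
  # anything granted here is reachable by every workflow run in the bound repo.
  for role in roles/container.clusterAdmin roles/container.developer; do
    grant_project_role "${role}"
  done
  list_project_roles
}

main
```

Run it once without APPLY to review the exact commands, then with APPLY=1 to execute them; the Workload Identity binding from the question stays on the service account, since roles/iam.workloadIdentityUser is one of the roles that resource does accept.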