尝试按照 cert-manager 将 kubernetes 服务帐户链接到 GCP 服务帐户我需要运行此命令:
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:$PROJECT_ID.svc.id.goog[cert-manager/cert-manager]" \
dns01-solver@$PROJECT_ID.iam.gserviceaccount.com \
--project=$PROJECT_ID
但不断出现错误:
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) PERMISSION_DENIED:
Permission 'iam.serviceAccount.setIamPolicy' denied on
resource (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: iam.googleapis.com
metadata:
permission: iam.serviceAccount.setIamPolicy
reason: IAM_PERMISSION_DENIED
我已将这些权限附加到 GCP 服务帐户 (
dns01-solver@$PROJECT_ID.iam.gserviceaccount.com
):
DNS Administrator
Project IAM Admin
Service Account Token Creator
Service Account User
Workload Identity User
但我不断收到同样的错误。
此外,Kubernetes 服务帐户 cert-manager 确实存在于名称空间 cert-manager 中,如下所示:
这是它的描述输出:
只需将
roles/iam.serviceAccountAdmin
添加到我的个人帐户,即可触发此处指定的 gcloud 命令:https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity