
Can't attach custom role to service account or container


I created a custom role that consists of some permissions, but when I try to attach it to a service account or container programmatically it always gives an error. Is it not supported yet? If it is supported, how can I attach it to a service account or container?

My code is as follows. In Google Cloud Storage:

```java
import com.google.cloud.Identity;
import com.google.cloud.Policy;
import com.google.cloud.Role;
import com.google.cloud.storage.Storage;

// Read the bucket's current policy, add a binding for the custom role, write it back.
Policy policy = storage.getIamPolicy(bucketName);

Policy updatedPolicy = storage.setIamPolicy(
        bucketName,
        policy.toBuilder()
              .addIdentity(Role.of("roles/CustomRole341"), Identity.serviceAccount(emailServiceAccount))
              .build());
```

And on the service account itself (IAM v1 API client):

```java
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.model.Binding;
import com.google.api.services.iam.v1.model.Policy;
import com.google.api.services.iam.v1.model.ServiceAccount;
import com.google.api.services.iam.v1.model.SetIamPolicyRequest;
import com.google.cloud.Identity;
import java.util.ArrayList;
import java.util.List;

ServiceAccount user = findServiceAccount(iam, username, projectName);
List<String> member = new ArrayList<String>();
// Identity.toString() yields the "serviceAccount:<email>" member form used in bindings.
member.add(Identity.serviceAccount(user.getEmail()).toString());

Binding s = new Binding();
s.setRole("roles/CustomRole341");
s.setMembers(member);

List<Binding> bindings = new ArrayList<Binding>();
bindings.add(s);

// Note: this policy holds only the new binding and no etag. setIamPolicy replaces the
// whole policy on the resource, so any bindings already on the service account are dropped.
Policy a = new Policy();
a.setBindings(bindings);

SetIamPolicyRequest req = new SetIamPolicyRequest();
req.setPolicy(a);

iam.projects().serviceAccounts().setIamPolicy("projects/" + projectName + "/serviceAccounts/" + username + "@" + projectName + ".iam.gserviceaccount.com", req).execute();
```

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments:12 (2 by maintainers)

Top GitHub Comments

24 reactions
danawillow commented, Jan 22, 2018

Just updating here too: I posted in https://github.com/terraform-providers/terraform-provider-google/issues/993 that the reason this is happening is that the names of custom roles have to be in the form projects/{project-id}/roles/{role-id}; omitting the project will cause it to fail, just as it would fail if you typo-ed the name of the role.

0 reactions
rjurney commented, Feb 9, 2020

> Just updating here too: I posted in terraform-providers/terraform-provider-google#993 that the reason this is happening is that the names of custom roles have to be in the form projects/{project-id}/roles/{role-id}; omitting the project will cause it to fail, just as it would fail if you typo-ed the name of the role.

Actually, I get this error, and forward slash is an invalid character:

ERROR: (gcloud.iam.roles.create) INVALID_ARGUMENT: The role_id "projects/project/roles/my_role" is invalid. It doesn't match pattern "[a-zA-Z0-9_\.]{3,64}". The role_id must be 3 to 64 characters long and can be a mix of uppercase and lowercase English letters, digits, underscores and periods.
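The two comments together give the rule: a custom role is created with a bare id that must match [a-zA-Z0-9_.]{3,64} (so it can never contain a slash), but a policy binding must reference it by the full resource name projects/{project-id}/roles/{role-id}. Writing "roles/CustomRole341", as the original post does, names a role that does not exist. The Python below is an added example, not code from the issue or from either Google client library: it composes the full name from project and id, validates the id against the pattern quoted in the gcloud error, and merges a new binding into a policy the way a getIamPolicy/setIamPolicy read-modify-write should, preserving existing bindings and the etag (the original post's second snippet sends a policy with only the new binding and no etag, which overwrites everything else). It goes one step beyond the thread by also accepting organization-level custom roles (organizations/{org-id}/roles/{role-id}). The policy dict mirrors the REST Policy JSON (bindings plus etag); the project id, role id, emails, group and etag are placeholders and the sample policy is constructed.

```python
import copy
import re

# Id rule quoted by the gcloud error in the thread: 3-64 letters, digits,
# underscores or periods, so an id can never carry a "projects/.../roles/" prefix.
ROLE_ID_PATTERN = re.compile(r"^[a-zA-Z0-9_.]{3,64}$")

# Forms a binding may reference: a predefined role, a project-level custom role
# (the case in the thread) or, going beyond the thread, an organization-level one.
BINDING_ROLE_PATTERN = re.compile(
    r"^(roles|projects/[^/]+/roles|organizations/[^/]+/roles)/[a-zA-Z0-9_.]+$"
)


def role_id_is_valid(role_id: str) -> bool:
    """True if role_id would be accepted when the custom role is created."""
    return ROLE_ID_PATTERN.match(role_id) is not None


def binding_role_is_well_formed(role: str) -> bool:
    """True if `role` is in a form a policy binding can reference."""
    return BINDING_ROLE_PATTERN.match(role) is not None


def custom_role_name(project_id: str, role_id: str) -> str:
    """Full resource name a binding must use for a project-level custom role.

    Passing only "roles/<role_id>" is the mistake from the thread: for a custom
    role that name does not exist and setIamPolicy rejects the policy.
    """
    if not role_id_is_valid(role_id):
        raise ValueError(f"invalid custom role id {role_id!r}")
    return f"projects/{project_id}/roles/{role_id}"


def service_account_member(email: str) -> str:
    """Member string for a service account, as it appears in a binding."""
    return f"serviceAccount:{email}"


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` granted `role`.

    `policy` is the JSON returned by getIamPolicy: {"bindings": [...], "etag": ...}.
    Everything already in it, including the etag, is preserved so the caller can
    hand the result to setIamPolicy without silently dropping other grants; the
    etag lets the server reject the write if the policy changed in between.
    """
    if not binding_role_is_well_formed(role):
        raise ValueError(f"role {role!r} is not a usable role name")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role:
            if member not in binding["members"]:   # idempotent: no duplicate members
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


# Constructed sample: what getIamPolicy might return for a bucket that already
# grants a group read access. Project id, group, etag and emails are placeholders.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWqExampleEtag=",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]},
    ],
}


def grant_custom_role(policy: dict, project_id: str, role_id: str, sa_email: str) -> dict:
    """The thread's scenario end to end: custom role id -> full name -> merged policy."""
    return add_binding(policy, custom_role_name(project_id, role_id), service_account_member(sa_email))


if __name__ == "__main__":
    import json
    print(json.dumps(grant_custom_role(SAMPLE_POLICY, "my-project", "CustomRole341",
                                       "app@my-project.iam.gserviceaccount.com"), indent=2))
```

The returned dict is what you would pass to setIamPolicy; because the etag is carried over, a concurrent change to the policy makes the write fail instead of silently reverting someone else's grant.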