Grant storage viewer to created service accounts

[c4m4]

I am creating a testing gke cluster using this module, everything works, but after the cluster is being created, docker fails to pull images from gcr private repository, because the service account created by this modules doesn't has the roles/storage.objectViewer

In the sa.tf I don't see nothing for the needed role:

resource "google_service_account" "cluster_service_account" {
  count        = var.service_account == "create" ? 1 : 0
  project      = var.project_id
  account_id   = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}"
  display_name = "Terraform-managed service account for cluster ${var.name}"
}

resource "google_project_iam_member" "cluster_service_account-log_writer" {
  count   = var.service_account == "create" ? 1 : 0
  project = google_service_account.cluster_service_account[0].project
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}

resource "google_project_iam_member" "cluster_service_account-metric_writer" {
  count   = var.service_account == "create" ? 1 : 0
  project = google_project_iam_member.cluster_service_account-log_writer[0].project
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}

resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
  count   = var.service_account == "create" ? 1 : 0
  project = google_project_iam_member.cluster_service_account-metric_writer[0].project
  role    = "roles/monitoring.viewer"
  member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
}

[morgante]

Correct, this module doesn't include the storage viewer role by default (not all customers use GCR).

We could possibly add a flag to add that role. For now, you can also add it yourself:

resource "google_project_iam_member" "cluster_service_account-gcr" {
  project = var.project
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${module.gke.service_account}"
}

[c4m4]

Thanks, that solved the issue, but have an option could be nice :)

[morgante]

Agreed. I suggest we add a boolean variable grant_registry_access to the module. If it is true, then a google_project_iam_member block will be included granting the objectViewer role.