Login/Register
gcloud: The user does not have access to service account "default"
Asked Answered
google-cloud-platformgcloudservice-accounts
M

6

19

I attempting to use an activated service account scoped to create and delete gcloud container clusters (k8s clusters), using the following commands:

gcloud config configurations create my-svc-account \
   --no-activate \
   --project myProject


gcloud auth activate-service-account [email protected] \
   --key-file=/path/to/keyfile.json \
   --configuration my-svc-account

gcloud container clusters create a-new-cluster \
   --configuration my-svc-account \
   --project= my-project
   --zone "my-zone"

I always receive the error:

...ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".

How do I grant my-svc-account access to the default service account for GKE?

Mekka answered 1/11, 2016 at 20:10 Comment(1)
Note that gcloud config configurations create my-svc-account --no-activate --project myproject does not set project in created configuration. In fact --project does not do anything.Socialminded
M
35

After talking to Google Support, the issue was that the service account did not have a "Service Account User" permissions activated. Adding "Service Account User" resolves this error.

Mekka answered 11/11, 2016 at 21:11 Comment(3)
Cheers. This definitely did it. Only thing to note is that the role is now called "Service Account User".Shurlock
for more info on the above point see cloud.google.com/iam/docs/…Valgus
you just saved my nervous system. Thank youCobble
B
14

Add the following role to the service account who makes the operation:

Service Account User

Also see:

Bedazzle answered 28/8, 2018 at 9:36 Comment(1)
work well for me, my case, I call ssh from Google Cloud Build to Google Engine VM InstanceVudimir
A
1

For those that ended up here trying to do an Import of Firebase Firestore documents with a command such as:

gcloud beta firestore import --collection-ids='collectionA','collectionB' gs://YOUR_BUCKET

I got around the issue by doing the following:

  1. From the Google Cloud Console Storage Bucket Browser, add the service account completing the operation to the list of members with a role of Storage Admin.
  2. Re-attempt the operation.

For security, I revoked the role after the operation completed, but that's optional.

Atrice answered 5/12, 2018 at 5:56 Comment(0)
S
1

iam.serviceAccounts.actAs is the exact permission you need from Service Account User

Selves answered 28/4, 2022 at 13:15 Comment(0)
S
1

I was getting the The user does not have access to service account... error even though I added the Service Account User role as others have suggested. What I was missing was the organization policy that prevented service account impersonation across projects. This is explained in the docs: https://cloud.google.com/iam/docs/impersonating-service-accounts#enabling-cross-project

Scoter answered 1/11, 2022 at 5:28 Comment(2)
FYI: I was not able to "see" this policy in the UI at console.cloud.google.com/iam-admin/orgpolicies/list but according to cloud.google.com/build/docs/securing-builds/… it is enabled by default ("In the project that has your user-specified service account, ensure that the iam.disableCrossProjectServiceAccountUsage organization policy constraint is not enforced. This constraint is enforced by default.")Tarton
Follow-Up: I was able to see it in the UI when selecting the affected project (previously I had the organization selected as project). To disable it, I needed the role "Organization Policy Administrator" and it can be disabled "per project" (so not for the whole org) via https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableCrossProjectServiceAccountUsage/edit?project=$home-project-of-service-account After a couple of minutes the change became effective and the (misleading) error went awayTarton
F
0

Added Service Account User role to service account and it worked for me.

Footbridge answered 23/6, 2021 at 8:48 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.