Terraform gcp with shared vpc, gke

I am writing terraform file in GCP to create a shared vpc, GKE, compute engine in the service project of shared vpc.

I am facing an error for GKE saying error

403 permission error service.hostagent even though it has required permissions. 

And also I am using service account key. Not sure whether it's correct approach like I created service account in host project and I added that service account id in the iam of service project. Using host project service key. Is that right approach?.

Thanks.

1 answer

  • answered 2021-06-18 11:10 Priya Gaikwad

    While creating a shared VPC, sharing the subnet from host project to service project allows all the members mentioned in the service account of the service project.

    From the error message, it looks like IAM permissions are missing. While creating a shared VPC with GKE, make sure that you have following permissions:

    1. To create a shared VPC, a shared VPC admin role is required(which you seemingly already have).

    2. To share your subnets, you need to give users the Compute Network User role.

    3. While creating GKE configuration, make sure to enable Google Kubernetes Engine API in all projects. Enabling the API in a project creates a GKE service account for the project.

    4. When attaching a service project, enabling Kubernetes Engine access grants the service project's GKE service account the permissions to perform network management operations in the host project.

    5. Each service project's GKE service account must have a binding for the Host Service Agent User role on the host project. This role is specifically used for shared VPC clusters which include the following permissions:

      a) compute.firewalls.get

      b) container.hostServiceAgent.*

    For additional information, you can see here.