This repository has been archived by the owner on Jun 24, 2020. It is now read-only.

Create Binding - Unable to extract resource containers #223

Open
Evesy opened this issue Jan 11, 2019 · 1 comment

Comments

@Evesy

Evesy commented Jan 11, 2019

I've managed to get the GCP broker fully working in other projects; however, in this instance, while I can create ServiceInstance resources OK, attempting to create a ServiceBinding gives forbidden errors. (This was a brand new project/cluster.)

SC version: 0.1.1 darwin/amd64 (Built from master)
Kubectl version:

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:53:20Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.5-gke.5", GitCommit:"9aba9c1237d9d2347bef28652b93b1cba3aca6d8", GitTreeState:"clean", BuildDate:"2018-12-11T02:36:50Z", GoVersion:"go1.10.3b4", Compiler:"gc", Platform:"linux/amd64"}

(Gcloud config is set with the right project and zone corresponding to the Kubernetes master for good measure. gcloud auth login and gcloud auth application-default login have both been completed.)

Reproduction steps:

  • Create admin role binding:
    kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=<>@gmail.com

  • sc check -- Passed

  • sc install -- Passed

  • sc add-gcp-broker:

using project:  service-catalog-228316
enabling a GCP API: servicebroker.googleapis.com
enabling a GCP API: bigquery-json.googleapis.com
enabling a GCP API: bigtableadmin.googleapis.com
enabling a GCP API: ml.googleapis.com
enabling a GCP API: pubsub.googleapis.com
enabling a GCP API: spanner.googleapis.com
enabling a GCP API: sqladmin.googleapis.com
enabling a GCP API: storage-api.googleapis.com
enabled required APIs:
  servicebroker.googleapis.com
  bigquery-json.googleapis.com
  bigtableadmin.googleapis.com
  ml.googleapis.com
  pubsub.googleapis.com
  spanner.googleapis.com
  sqladmin.googleapis.com
  storage-api.googleapis.com
generated the key at:  /tmp/service-catalog-gcp010694066/key.json
The Service Broker has been added successfully.
  • Create a ServiceInstance, for example the below:
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: my-example-bucket
spec:
  clusterServiceClassExternalName: cloud-storage
  clusterServicePlanExternalName: beta
  parameters:
    bucketId: my-example-bucket
    location: EU
    versioning:
      enabled: true
  • Bucket is created in GCP, svcat get instance shows it in a Ready state

  • Try to create a ServiceBinding to that Instance, with the below:

apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: storage-binding
spec:
  instanceRef:
    name: my-example-bucket
  parameters:
    serviceAccount: storage-user
    createServiceAccount: true
    roles:
      - roles/storage.admin
  • The binding enters a Failed state; describing it shows the message below:
  Status:      Failed - Bind call failed: operation "projects/956662776668/operations/ad3a2b12-153a-11e9-862a-0a580a34001a/1547167738169839785" failed: generic::internal: operation projects/956662776668/operations/ad3a2b12-153a-11e9-862a-0a580a34001a/1547167738169839785 create binding deployment failed: generic::invalid_argument: Operation "operation-1547167739010-57f240f7ddbd1-ec2331d6-ee5d7fdb" failed with
               : [{"code":"RESOURCE_ERROR","location":"/deployments/bfac2d24a-7afc-4124-a52f-e46945778ee2/resources/service-account","message":"{\"ResourceType\":\"iam.v1.serviceAccount\",\"ResourceErrorCode\":\"403\",\"ResourceErrorMessage\":{\"code\":403,\"message\":\"Unable to extract resource containers.\",\"status\":\"PERMISSION_DENIED\",\"details\":[],\"statusMessage\":\"Forbidden\",\"requestPath\":\"https://iam.googleapis.com/v1/projects/service-catalog-228300/serviceAccounts/svct-demo-user@service-catalog-228300.iam.gserviceaccount.com\",\"httpMethod\":\"GET\"}}"}] @ 2019-01-11 00:49:16 +0000 UTC

I can see the corresponding error in the API metrics for google.iam.admin.v1.IAM.GetServiceAccount, but it's not clear to me which permissions are actually incorrect.

I can see similar errors in the Google OAuth pod as per #213; unsure if related.
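
The Failed status quoted above wraps a deployment error list whose message field is itself a JSON document inside a JSON string, which makes it hard to read by eye. The following is an added example (not code from the issue or from the broker project) that parses that nested structure into the fields an operator needs for triage, maps the (ResourceType, httpMethod) pair to the API method named in the report (google.iam.admin.v1.IAM.GetServiceAccount is the only mapping, because it is the only one the report gives), and pulls the project id out of requestPath so it can be compared mechanically with the project the broker was added under (service-catalog-228316 in the add-gcp-broker output above, while the requestPath in the error names service-catalog-228300). The sample status text is constructed from the message quoted in the issue; the function and constant names are this example's own.

```python
import json
import re

# Constructed sample: the Failed status text quoted in the issue above.
SAMPLE_STATUS = (
    'Failed - Bind call failed: operation "projects/956662776668/operations/'
    'ad3a2b12-153a-11e9-862a-0a580a34001a/1547167738169839785" failed: '
    'generic::internal: operation projects/956662776668/operations/'
    'ad3a2b12-153a-11e9-862a-0a580a34001a/1547167738169839785 create binding '
    'deployment failed: generic::invalid_argument: Operation '
    '"operation-1547167739010-57f240f7ddbd1-ec2331d6-ee5d7fdb" failed with\n'
    ' : [{"code":"RESOURCE_ERROR","location":"/deployments/'
    'bfac2d24a-7afc-4124-a52f-e46945778ee2/resources/service-account",'
    '"message":"{\\"ResourceType\\":\\"iam.v1.serviceAccount\\",'
    '\\"ResourceErrorCode\\":\\"403\\",\\"ResourceErrorMessage\\":{\\"code\\":403,'
    '\\"message\\":\\"Unable to extract resource containers.\\",'
    '\\"status\\":\\"PERMISSION_DENIED\\",\\"details\\":[],'
    '\\"statusMessage\\":\\"Forbidden\\",\\"requestPath\\":'
    '\\"https://iam.googleapis.com/v1/projects/service-catalog-228300/'
    'serviceAccounts/svct-demo-user@service-catalog-228300.iam.gserviceaccount.com\\",'
    '\\"httpMethod\\":\\"GET\\"}}"}] @ 2019-01-11 00:49:16 +0000 UTC'
)

# The error list is the outermost '[{' ... '}]' span in the status text.
ERROR_LIST_RE = re.compile(r"\[\{.*\}\]", re.DOTALL)
PROJECT_RE = re.compile(r"/projects/([^/]+)/")

# (ResourceType, httpMethod) -> API method as it appears in the API metrics.
# Only the pair named in the report is mapped; anything else stays None.
API_METHODS = {("iam.v1.serviceAccount", "GET"): "google.iam.admin.v1.IAM.GetServiceAccount"}


def project_from_path(request_path):
    """Project id segment of an IAM request path, or None if absent."""
    m = PROJECT_RE.search(request_path)
    return m.group(1) if m else None


def parse_resource_errors(status_text):
    """Parse the nested error list out of a ServiceBinding Failed status."""
    m = ERROR_LIST_RE.search(status_text)
    if not m:
        return []
    parsed = []
    for err in json.loads(m.group(0)):
        inner = json.loads(err["message"])  # 'message' is a JSON document in a string
        rem = inner["ResourceErrorMessage"]
        parsed.append({
            "code": err["code"],
            "location": err["location"],
            "resource_type": inner["ResourceType"],
            "http_status": int(inner["ResourceErrorCode"]),
            "status": rem["status"],
            "message": rem["message"],
            "http_method": rem["httpMethod"],
            "request_path": rem["requestPath"],
            "project": project_from_path(rem["requestPath"]),
            "api_method": API_METHODS.get((inner["ResourceType"], rem["httpMethod"])),
        })
    return parsed


def project_mismatch(error, broker_project):
    """True when the failing request targets a project other than the broker's."""
    return error["project"] is not None and error["project"] != broker_project


if __name__ == "__main__":
    for e in parse_resource_errors(SAMPLE_STATUS):
        print(f'{e["http_status"]} {e["status"]} on {e["api_method"]} in project {e["project"]}')
        print("project differs from broker project:", project_mismatch(e, "service-catalog-228316"))
```

Run it as-is against the constructed sample, or feed it the output of `kubectl describe servicebinding` for a binding of your own; the mismatch helper only reports whether the two project ids differ, and says nothing about why.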

@anouarchattouna

Hello, this is how I make the Cloud Storage provisioning work:

apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: gcp-iam
  namespace: test-deploy
spec:
  # This should match with a SERVICE EXTERNAL NAME
  # in the list of available services.
  clusterServiceClassExternalName: cloud-iam-service-account
  # This should match with a PLAN EXTERNAL NAME
  # in the list of available service plans.
  clusterServicePlanExternalName: beta
  parameters:
    # The service account name length must be between 6 and 30 characters
    accountId: google-cloud-services-sa
    displayName: "A service account used to authenticate with all Google Cloud services"
  • Then I create the binding for it:
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: gcp-iam-binding
  namespace: test-deploy
spec:
  instanceRef:
    name: gcp-iam
  secretName: gcp-credentials

This way you will have a Kubernetes secret (gcp-credentials) containing the GCP credentials (privateKeyData).

  • Now let's move to the cloud-storage instance:
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: storage-instance
  namespace: test-deploy
spec:
  clusterServiceClassExternalName: cloud-storage
  clusterServicePlanExternalName: beta
  parameters:
    location: europe-west1
    bucketId: bucket-d4dfcc6f-2a3a-4554-9f0c-efc9b5290944
  • And the binding; note the use of the previously created service account (serviceAccount: google-cloud-services-sa):
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: storage-binding
  namespace: test-deploy
spec:
  instanceRef:
    name: storage-instance
  secretName: storage-credentials
  parameters:
    serviceAccount: google-cloud-services-sa
    roles:
      - roles/storage.objectCreator
      - roles/storage.objectViewer
      - roles/storage.admin
  • When everything is ready, you can deploy your application. Three steps are required:
    spec:
      volumes:
        # Make the 'gcp-credentials' secret available as volume
        # 'google-cloud-key'.
        - name: google-cloud-key
          secret:
            secretName: gcp-credentials
      containers:
        # volumeMounts and env are fields of the container, not of the volume.
        # Container name and image are placeholders.
        - name: app
          image: <your-image>
          volumeMounts:
            # Mount the 'google-cloud-key' volume into the container file
            # system.
            - name: google-cloud-key
              mountPath: /var/secrets/google
          env:
            # Pass the path to the private key JSON file from the mounted volume
            # to the environment variable.
            # The env var name must be GOOGLE_APPLICATION_CREDENTIALS.
            - name: "GOOGLE_APPLICATION_CREDENTIALS"
              value: /var/secrets/google/privateKeyData
            # The two environment variables below come from the 'storage-credentials'
            # secret and, together, point at the Cloud Storage bucket to use.
            # Choose the env var names that are used inside the app.
            - name: "GOOGLE_CLOUD_STORAGE_PROJECT_ID"
              valueFrom:
                secretKeyRef:
                  # Use the projectId value from the 'storage-credentials' secret created
                  # as a result of binding to the Storage service instance.
                  name: storage-credentials
                  key: projectId
            - name: "GOOGLE_CLOUD_STORAGE_BUCKET_ID"
              valueFrom:
                secretKeyRef:
                  # Use the bucketId value from the 'storage-credentials' secret created
                  # as a result of binding to the Storage service instance.
                  name: storage-credentials
                  key: bucketId
  • This way, you can easily add a Pub/Sub instance, for example, and use the same service account with additional roles.

Hope it helps.
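
The pattern in the reply above chains several resources together, and each link is a place where a typo silently produces a broken or over-privileged deployment: the storage binding's serviceAccount must be the accountId of the cloud-iam-service-account instance in the same namespace, every secretKeyRef in the pod must name a secretName produced by one of the bindings, and GOOGLE_APPLICATION_CREDENTIALS must point at the privateKeyData file of the mounted IAM key volume. The following is an added example (not the reply author's code and not part of the service-catalog project) that checks those cross-references against the reply's manifests, rebuilt here as Python dicts constructed from the YAML so no YAML library is needed. The container name app is assumed, and treating privateKeyData, projectId and bucketId as the complete set of secret keys is an assumption based on what the reply reads. It also flags the role list: roles/storage.admin already includes the permissions of roles/storage.objectCreator and roles/storage.objectViewer, so listing all three grants the broad role and makes the narrow ones redundant.

```python
IAM_CLASS = "cloud-iam-service-account"
# Keys the reply reads from each binding's secret (assumed to be the full set).
SECRET_KEYS = {IAM_CLASS: {"privateKeyData"}, "cloud-storage": {"projectId", "bucketId"}}
# Broad role -> narrower roles whose permissions it already includes.
SUBSUMES = {"roles/storage.admin": {"roles/storage.objectCreator", "roles/storage.objectViewer"}}

# Constructed from the ServiceInstance / ServiceBinding manifests in the reply.
INSTANCES = [
    {"metadata": {"name": "gcp-iam", "namespace": "test-deploy"},
     "spec": {"clusterServiceClassExternalName": IAM_CLASS, "clusterServicePlanExternalName": "beta",
              "parameters": {"accountId": "google-cloud-services-sa"}}},
    {"metadata": {"name": "storage-instance", "namespace": "test-deploy"},
     "spec": {"clusterServiceClassExternalName": "cloud-storage", "clusterServicePlanExternalName": "beta",
              "parameters": {"location": "europe-west1",
                             "bucketId": "bucket-d4dfcc6f-2a3a-4554-9f0c-efc9b5290944"}}},
]
BINDINGS = [
    {"metadata": {"name": "gcp-iam-binding", "namespace": "test-deploy"},
     "spec": {"instanceRef": {"name": "gcp-iam"}, "secretName": "gcp-credentials"}},
    {"metadata": {"name": "storage-binding", "namespace": "test-deploy"},
     "spec": {"instanceRef": {"name": "storage-instance"}, "secretName": "storage-credentials",
              "parameters": {"serviceAccount": "google-cloud-services-sa",
                             "roles": ["roles/storage.objectCreator", "roles/storage.objectViewer",
                                       "roles/storage.admin"]}}},
]
# Constructed from the pod fragment in the reply; the container name is assumed.
POD_SPEC = {
    "volumes": [{"name": "google-cloud-key", "secret": {"secretName": "gcp-credentials"}}],
    "containers": [{
        "name": "app",
        "volumeMounts": [{"name": "google-cloud-key", "mountPath": "/var/secrets/google"}],
        "env": [
            {"name": "GOOGLE_APPLICATION_CREDENTIALS", "value": "/var/secrets/google/privateKeyData"},
            {"name": "GOOGLE_CLOUD_STORAGE_PROJECT_ID",
             "valueFrom": {"secretKeyRef": {"name": "storage-credentials", "key": "projectId"}}},
            {"name": "GOOGLE_CLOUD_STORAGE_BUCKET_ID",
             "valueFrom": {"secretKeyRef": {"name": "storage-credentials", "key": "bucketId"}}},
        ],
    }],
}


def _ns(obj):
    return obj["metadata"].get("namespace", "default")


def check_bindings(instances, bindings):
    """Findings for the bindings, plus {(namespace, secretName): class} for the pod check."""
    findings, secret_class = [], {}
    by_key = {(_ns(i), i["metadata"]["name"]): i for i in instances}
    for b in bindings:
        ns, name, spec = _ns(b), b["metadata"]["name"], b["spec"]
        inst = by_key.get((ns, spec["instanceRef"]["name"]))
        if inst is None:
            findings.append(f"{name}: instanceRef {spec['instanceRef']['name']} not found in {ns}")
            continue
        cls = inst["spec"]["clusterServiceClassExternalName"]
        if "secretName" in spec:
            secret_class[(ns, spec["secretName"])] = cls
        params = spec.get("parameters", {})
        sa = params.get("serviceAccount")
        if sa is not None:  # must be an accountId provisioned by an IAM instance in this namespace
            ids = {i["spec"].get("parameters", {}).get("accountId") for i in instances
                   if _ns(i) == ns and i["spec"]["clusterServiceClassExternalName"] == IAM_CLASS}
            if sa not in ids:
                findings.append(f"{name}: serviceAccount {sa} is not the accountId of a {IAM_CLASS} instance in {ns}")
        roles = set(params.get("roles", []))
        for broad, narrow in SUBSUMES.items():
            if broad in roles and roles & narrow:
                findings.append(f"{name}: {broad} already covers {', '.join(sorted(roles & narrow))}")
    return findings, secret_class


def check_pod(pod_spec, ns, secret_class):
    """Findings for secret references and the credentials path inside the pod spec."""
    findings = []
    vol_secret = {v["name"]: v["secret"]["secretName"] for v in pod_spec.get("volumes", []) if "secret" in v}
    for c in pod_spec.get("containers", []):
        mounts = {m["name"]: m["mountPath"] for m in c.get("volumeMounts", [])}
        # Paths at which a mounted IAM-binding secret exposes privateKeyData.
        key_paths = {f"{path}/privateKeyData" for vol, path in mounts.items()
                     if secret_class.get((ns, vol_secret.get(vol))) == IAM_CLASS}
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                cls = secret_class.get((ns, ref["name"]))
                if cls is None:
                    findings.append(f"{c['name']}/{env['name']}: secret {ref['name']} is not produced by a binding in {ns}")
                elif ref["key"] not in SECRET_KEYS.get(cls, set()):
                    findings.append(f"{c['name']}/{env['name']}: key {ref['key']} is not in the {cls} binding secret")
            elif env["name"] == "GOOGLE_APPLICATION_CREDENTIALS" and env.get("value") not in key_paths:
                findings.append(f"{c['name']}: GOOGLE_APPLICATION_CREDENTIALS does not point at a mounted {IAM_CLASS} key")
    return findings


def check_all(instances, bindings, pod_spec, ns):
    findings, secret_class = check_bindings(instances, bindings)
    return findings + check_pod(pod_spec, ns, secret_class)


if __name__ == "__main__":
    for finding in check_all(INSTANCES, BINDINGS, POD_SPEC, "test-deploy"):
        print(finding)
```

On the reply's own manifests the only finding is the redundant role grant; dropping roles/storage.admin from the storage binding leaves the bucket usable for object reads and writes with the two narrower roles. Wiring the checker to live objects is a matter of replacing the constructed dicts with the output of `kubectl get serviceinstances,servicebindings -o json`.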
