CLOUDSDK_CORE_PROJECT env var

[bygui86]

Hi guys,

I use GKE, so I tried to run the command rbac-lookup --output wide --gke but I received an error

Could not load IAM policy for ceiba-platform-prod project from parsed kubeconfig
No project ID found in default GCP credentials
Error loading RBAC Bindings: Error loading IAM policies for GKE, try setting CLOUDSDK_CORE_PROJECT environment variable

I tried to set CLOUDSDK_CORE_PROJECT = my-cool-project and I receive a different error:

Could not load IAM policy for my-cool-project project from parsed kubeconfig
No project ID found in default GCP credentials
Could not load IAM policy for my-cool-project project from CLOUDSDK_CORE_PROJECT environment variable
Error loading RBAC Bindings: Post https://cloudresourcemanager.googleapis.com/v1/projects/my-cool-project:getIamPolicy?alt=json&prettyPrint=false: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

I tried to look for CLOUDSDK_CORE_PROJECT in your doc or in Gcloud SDK doc, but I don't find any info about how to set this environment variable.

Can you please add such info to the README or in https://rbac-lookup.docs.fairwinds.com/gke/ ?

Thanks :)

[sudermanjr]

I opened up a PR that adds a note about configuring access via the cloud. From the output you shared, it looks like you don't have permissions to view that project in Gcloud.

Try following this doc to setup gcloud access to your account: https://cloud.google.com/sdk/docs/quickstart

[bygui86]

@sudermanjr I'm the owner of the project in GCP, I have access to the cluster and I configured gcloud and kubectl properly on my local... in fact all kubectl commands work perfectly... even rbac-lookup works, only rbac-lookup --gke doesn't...

Normally when I see an error like bad request, the first thing I think is that the request is wrong... for a permission problem, the server would answer with 401 Unauthorised or 403 Forbidden instead of 400 Bad request...

[sudermanjr]

No project ID found in default GCP credentials

So not a permissions problem, but a gcloud credentials configuration problem. What happens if you run gcloud config list ?

To be honest, I'm not 100% familiar with the GKE portion of the code. I did just test against one of our gke clusters and did not get any errors, so I don't believe it's a bug.

Also, can you share the version of rbac-manager you are running?

[bygui86]

here the anonymized output of gcloud config list:

[container]
cluster = my-cool-cluster
[core]
account = [email protected]
disable_usage_reporting = False
project = my-cool-project

Your active configuration is: [default]

rbac-manager version: v0.10.1
rbac-lookup version: Version:0.6.2 Commit:030e2484220cd353fa2026b808f5ff0ee1094876

do I need rbac-manager on the cluster to successfully use rbac-lookup?

as I already had some problems for this, it's worth mentioning that our GKE cluster is PRIVATE. Do you think it could cause problems?

[sudermanjr]

Rbac-manager is not required for rbac-lookup.

That's interesting. I don't think private should break it, but I'm not sure I've tried honestly.

[bygui86]

@sudermanjr of course I'm not sure if it's a bug.
But from what I read in docs and what I see, there is no reason why rbac-lookup doesn't work.

[sudermanjr]

Yeah, it very well could be a bug. I'll tag this as a bug and we can try to look further.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.