Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/guides/deploying-to-google-kubernetes-engine
What part(s) of the article would you like to see updated?
The section "Configuring a service account and storing its credentials" has this call documented:
```shell
gcloud projects add-iam-policy-binding $GKE_PROJECT \
    --member=serviceAccount:$SA_EMAIL \
    --role=roles/container.admin \
    --role=roles/storage.admin \
    --role=roles/container.clusterViewer
```
But it seems that add-iam-policy-binding can only take one --role argument at a time.
For instance, this will cause a failure during docker push:
```text
denied: Token exchange failed for project '***'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
```
The example given is otherwise able to correctly auth with gcloud, configure docker, and get credentials for the GKE cluster, but then fails to push to gcr.io.
Looking through the output of add-iam-policy-binding, the new service account is only listed in the `role: roles/container.clusterViewer` section.
It seems that whatever the last --role given to add-iam-policy-binding is, that is the role that will actually be applied to the binding, without an error.
Additional information
No response
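As an added example (not the GitHub Docs snippet and not part of the issue above), the script below grants the same three roles the docs page lists, but with one add-iam-policy-binding call per role, which is the shape the report says the CLI actually honours. It also reads the project's IAM policy back and prints the roles bound to the service account, so the grant is checked rather than assumed; the `roles_for_member` check is what would have caught the missing `roles/storage.admin` binding before the `docker push` failed. The `GCLOUD` variable is an assumption introduced here so the script can be dry-run with a stub command; it defaults to the real `gcloud` binary. `GKE_PROJECT` and `SA_EMAIL` are the environment variables the docs page already uses.

```shell
#!/bin/sh
# Added example, not the docs page's own snippet: grant one role per
# add-iam-policy-binding call instead of passing --role several times.
# GCLOUD is an assumed hook (defaults to the real gcloud) so the script can
# be exercised with a stub command that just records its arguments.
: "${GCLOUD:=gcloud}"

# grant_roles PROJECT SA_EMAIL ROLE...
# Runs one add-iam-policy-binding per role and stops at the first failure,
# so a partial grant is visible instead of silently ending up with only the
# last role bound.
grant_roles() {
    project=$1
    sa_email=$2
    shift 2
    for role in "$@"; do
        "$GCLOUD" projects add-iam-policy-binding "$project" \
            --member="serviceAccount:$sa_email" \
            --role="$role" \
            --quiet || return 1
    done
}

# roles_for_member PROJECT SA_EMAIL
# Prints every role currently bound to the service account, one per line.
# Flattening bindings[].members gives one record per (role, member) pair,
# which the filter then narrows to this service account.
roles_for_member() {
    "$GCLOUD" projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:$2" \
        --format="value(bindings.role)"
}

# Usage with the docs page's variables (GKE_PROJECT and SA_EMAIL assumed set):
#   grant_roles "$GKE_PROJECT" "$SA_EMAIL" \
#       roles/container.admin roles/storage.admin roles/container.clusterViewer
#   roles_for_member "$GKE_PROJECT" "$SA_EMAIL"
```

Run `roles_for_member` after `grant_roles` and confirm all three roles appear; if `roles/storage.admin` is absent, the push to gcr.io will fail with the `storage.buckets.get` error quoted in the report.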

