https://pulumi.com logo
#general
Title
# general
f

fierce-dinner-20116

04/30/2019, 8:19 PM
Hi, I’m using the following script to get pulumi to show a preview of a PRs changes to a GKE cluster:
Copy code
yarn --frozen-lockfile
pulumi stack select ...
pulumi refresh --yes
pulumi preview --diff
However, I get the following error when I run it in CI:
Copy code
[2019-04-30T20:10:12Z] + pulumi refresh --yes
[2019-04-30T20:10:13Z] Previewing refresh (...):
[2019-04-30T20:10:14Z]
...
[2019-04-30T20:10:14Z]  ~  gcp:container:NodePool dogfood-full-k8s-node-pool refreshing error: Preview failed: refreshing urn:pulumi:ds-dog-k8s-dev::sg-deploy-k8s-helper::gcp:container/nodePool:NodePool::dogfood-full-k8s-node-pool: Error reading Container NodePool dogfood-full-k8s-node-pool: googleapi: Error 403: Request had insufficient authentication scopes., forbidden
[2019-04-30T20:10:14Z] ~ gcp:container:Cluster dogfood-full-k8s refreshing error: Preview failed: refreshing urn:pulumi:ds-dog-k8s-dev::sg-deploy-k8s-helper::gcp:container/cluster:Cluster::dogfood-full-k8s: Error reading Container Cluster "dogfood-full-k8s": googleapi: Error 403: Request had insufficient authentication scopes., forbidden
I gave the service account that pulumi uses the
Editor
and
Kubernetes Engine Developer
roles: https://cloud.google.com/kubernetes-engine/docs/how-to/iam Do you know if I need to give it any more permissions?
w

white-balloon-205

04/30/2019, 9:04 PM
Personally I've hit this before, and I was never been able to figure out the full set of permissions I need to give to the service account used for GKE. This page may help? https://cloud.google.com/kubernetes-engine/docs/how-to/iam. In particular, it seems to suggest that
Kubernetes Engine Developer
is likely insufficient.
3 Views