# general
f
Hi, I’m using the following script to get pulumi to show a preview of a PR's changes to a GKE cluster:
yarn --frozen-lockfile
pulumi stack select ...
pulumi refresh --yes
pulumi preview --diff
However, I get the following error when I run it in CI:
[2019-04-30T20:10:12Z] + pulumi refresh --yes
[2019-04-30T20:10:13Z] Previewing refresh (...):
[2019-04-30T20:10:14Z]
...
[2019-04-30T20:10:14Z]  ~  gcp:container:NodePool dogfood-full-k8s-node-pool refreshing error: Preview failed: refreshing urn:pulumi:ds-dog-k8s-dev::sg-deploy-k8s-helper::gcp:container/nodePool:NodePool::dogfood-full-k8s-node-pool: Error reading Container NodePool dogfood-full-k8s-node-pool: googleapi: Error 403: Request had insufficient authentication scopes., forbidden
[2019-04-30T20:10:14Z] ~ gcp:container:Cluster dogfood-full-k8s refreshing error: Preview failed: refreshing urn:pulumi:ds-dog-k8s-dev::sg-deploy-k8s-helper::gcp:container/cluster:Cluster::dogfood-full-k8s: Error reading Container Cluster "dogfood-full-k8s": googleapi: Error 403: Request had insufficient authentication scopes., forbidden
I gave the service account that pulumi uses the Editor and Kubernetes Engine Developer roles: https://cloud.google.com/kubernetes-engine/docs/how-to/iam Do you know if I need to give it any more permissions?
w
Personally I've hit this before, and I have never been able to figure out the full set of permissions I need to give to the service account used for GKE. This page may help? https://cloud.google.com/kubernetes-engine/docs/how-to/iam. In particular, it seems to suggest that Kubernetes Engine Developer is likely insufficient.