Comments
pr...@google.com <pr...@google.com> #2
I had the same problem!
I could solve it by putting the .aidl file in an aidl directory.
Look at the attached screenshot to see the project structure.
Description
Problem you have encountered:
An impersonated service account is able to manipulate resources in a project where the corresponding API is disabled.
-> Here is the customer's use case:
Project A, Kubernetes API disabled
Project B, Kubernetes API disabled
Service account (SA) is created in Project A
SA is added to Project B with role Owner
If this command[1] is run, it gets the expected output[2].
-> Next time, the user enabled the Kubernetes API in Project A (but kept the API disabled in Project B), and the command[1] successfully created a cluster in Project B. Navigating to the Project B Kubernetes UI, it still shows the API as disabled. When they enabled the API, the cluster already existed.
What you expected to happen:
It seems strange that the API does NOT need to be enabled where the resource is being created. At the very least, this can lead to a lot of confusion when users are billed for a resource that they can't even see.
API needs to be enabled where the resource is being created.
Steps to reproduce:
-> Take 2 projects, e.g. Project A and Project B. Disable the Kubernetes API in both projects. Create a service account in Project A. Run the command[1]; you will see the output[2].
-> Now enable the Kubernetes API in Project A (but keep the API disabled in Project B); the command[1] successfully creates a cluster in Project B. Navigating to the Project B Kubernetes UI, it still shows the API as disabled.
-> Enable the Kubernetes API in Project B. Now you will see the cluster has been created and exists.
Other information (workarounds you have tried, documentation consulted, etc):
[1] gcloud container clusters create [CLUSTER-NAME] --zone us-west1 --node-locations us-west1-a --impersonate-service-account <SA> --project <Project B>
[2] ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Kubernetes Engine API has not been used in project [PROJECT-NUMBER] before or it is disabled. Enable it by visiting
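
An audit check for the situation described in this report, as an added example that is not part of the original issue or of any Google tooling: given each project's IAM policy (the JSON shape returned by `gcloud projects get-iam-policy --format=json`) and its enabled services, it flags projects where the Kubernetes Engine API is disabled but a service account from another project that has the API enabled holds a role able to create clusters. The project IDs, account names, the role list and the sample data are constructed assumptions.

```python
import re

API = "container.googleapis.com"  # service name of the Kubernetes Engine API
# Roles that include cluster creation; assumed list, not exhaustive (custom roles are ignored).
CLUSTER_CREATE_ROLES = {"roles/owner", "roles/editor",
                        "roles/container.admin", "roles/container.clusterAdmin"}
# User-managed service accounts look like NAME@PROJECT_ID.iam.gserviceaccount.com
SA_RE = re.compile(r"^serviceAccount:[^@]+@([^.]+)\.iam\.gserviceaccount\.com$")

def sa_home_project(member):
    """Return the project ID a service-account member belongs to, else None."""
    m = SA_RE.match(member)
    return m.group(1) if m else None

def find_exposed(policies, enabled):
    """policies: {project_id: IAM policy dict}; enabled: {project_id: set of services}.
    Returns (target_project, member, role, home_project) tuples to review."""
    findings = []
    for project, policy in sorted(policies.items()):
        if API in enabled.get(project, set()):
            continue  # API is on here, so clusters show up in this project's UI
        for binding in policy.get("bindings", []):
            if binding.get("role") not in CLUSTER_CREATE_ROLES:
                continue
            for member in binding.get("members", []):
                home = sa_home_project(member)
                # Foreign service account whose own project has the API enabled
                if home and home != project and API in enabled.get(home, set()):
                    findings.append((project, member, binding["role"], home))
    return findings

# Constructed sample mirroring the report: SA from project-a is Owner on project-b.
SAMPLE_POLICIES = {
    "project-a": {"bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}]},
    "project-b": {"bindings": [
        {"role": "roles/owner", "members": [
            "serviceAccount:deployer@project-a.iam.gserviceaccount.com",
            "user:admin@example.com"]},
        {"role": "roles/viewer", "members": [
            "serviceAccount:reader@project-a.iam.gserviceaccount.com"]},
    ]},
}
SAMPLE_ENABLED = {"project-a": {API}, "project-b": set()}

if __name__ == "__main__":
    for target, member, role, home in find_exposed(SAMPLE_POLICIES, SAMPLE_ENABLED):
        print(f"{target}: {API} disabled, but {member} ({role}) comes from {home} where it is enabled")
```

Each finding is a project worth checking for clusters that its own console will not list while the API stays disabled.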