I am trying to add roles/redis.dbConnectionUser to a service account in GCP but I am getting an error.

```yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: roles-at-sa-level
spec:
  resourceRef:
    kind: IAMServiceAccount
    external: projects/my-project/serviceAccounts/[email protected]
  bindings:
    - role: roles/redis.dbConnectionUser
      members:
        - member: "serviceAccount:[email protected]"
```

Error:

```
Events:
  Type     Reason        Age  From                         Message
  ----     ------        ---- ----                         -------
  Warning  UpdateFailed  12s  iampartialpolicy-controller  Update call failed: error setting policy: error applying changes: summary: Error setting IAM policy for service account 'projects/my-project/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/redis.dbConnectionUser is not supported for this resource., badRequest
```

However, I can assign the below roles successfully:

- role: roles/iam.serviceAccountTokenCreator
- role: roles/iam.workloadIdentityUser

I think this is because the role is not yet GA, as shown in the documentation:

ID - roles/redis.dbConnectionUser
Role launch stage - Beta
asked Mar 10 at 18:08
SHC
1 Answer
You're correct that roles/redis.dbConnectionUser is currently in Beta. As of now, the only supported role for Cloud Memorystore Redis DB Connection User is redis.clusters.connect.
To explore all the basic and predefined roles for Identity and Access Management (IAM), you can refer to this page: Memorystore Redis roles