CDP on GCP: Error during teardown of Operational GCP Service Accounts Policies
jimright opened this issue · 0 comments
Details
During teardown of a CDP environment on GCP, I get an error at "Tear down Operational GCP Service Accounts Policies" in the platform role.
Failing Ansible Task: cloudera.exe.platform : Tear down Operational GCP Service Accounts Policies. Code link below:
Error message (snippet):
{
  "changed": true,
  "stdout": "",
  "stderr": "ERROR: (gcloud.projects.remove-iam-policy-binding) Policy bindings with the specified principal and role not found!",
  "rc": 1,
  "cmd": [
    "gcloud",
    "projects",
    "remove-iam-policy-binding",
    "<GCP_PROJECT>",
    "--member=serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com",
    "--role=projects/<GCP_PROJECT>/roles/jegcpt_logs_role",
    "--all"
  ],
  "start": "2022-02-24 16:50:01.181110",
  "end": "2022-02-24 16:50:03.351317",
  "delta": "0:00:02.170207",
  "msg": "non-zero return code",
  "invocation": {
    "module_args": {
      "_raw_params": "gcloud projects remove-iam-policy-binding <GCP_PROJECT> --member=serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com --role=projects/<GCP_PROJECT>/roles/jegcpt_logs_role --all\n",
      "warn": true,
      "_uses_shell": false,
      "stdin_add_newline": true,
      "strip_empty_ends": true,
      "argv": null,
      "chdir": null,
      "executable": null,
      "creates": null,
      "removes": null,
      "stdin": null
    }
  },
  "stdout_lines": [],
  "stderr_lines": [
    "ERROR: (gcloud.projects.remove-iam-policy-binding) Policy bindings with the specified principal and role not found!"
  ],
  "_ansible_no_log": false,
  "failed_when_result": true,
  "__gcp_binding_item": {
    "member": "serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com",
    "role": "projects/<GCP_PROJECT>/roles/jegcpt_logs_role"
  },
  "ansible_loop_var": "__gcp_binding_item",
  "_ansible_item_label": "__gcp_binding_item.member"
}
Reason for error
This task attempts to remove GCP IAM role and policy bindings from their associated service accounts. However, these service accounts have already been removed in a previous task (L54-L66, Tear down Operational GCP Service Accounts).
Possible Solution
I believe this is just an ordering problem: iam-policy-bindings should be removed before deleting the Service Accounts, so that they can still be referenced in the gcloud projects remove-iam-policy-binding command.
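The ordering fix described above, as a stand-alone shell example (added here; not code from the cloudera.exe role): bindings are removed first and the service account is deleted only afterwards, and a "binding not found" response from gcloud is treated as already torn down so a re-run after a partial teardown does not fail. It assumes gcloud is on PATH and authenticated; project, service-account and role names are placeholders passed as arguments.

```shell
#!/usr/bin/env bash
# Added example, not the role's own tasks. Assumes an authenticated gcloud.

# Remove one IAM binding from the project policy. The exact stderr text
# quoted in the issue marks the binding as already gone, which is the
# desired end state, so it is reported and not treated as a failure.
remove_binding() {
  local project="$1" member="$2" role="$3" err
  if err=$(gcloud projects remove-iam-policy-binding "$project" \
             --member="$member" --role="$role" --all 2>&1 >/dev/null); then
    echo "removed: $member $role"
    return 0
  fi
  case "$err" in
    *"Policy bindings with the specified principal and role not found"*)
      echo "already absent: $member $role"
      return 0 ;;
    *)
      # Any other error (permissions, wrong project, ...) must stop the teardown.
      echo "$err" >&2
      return 1 ;;
  esac
}

# Tear down in dependency order: every binding that references the service
# account is removed first, then the account itself is deleted. Usage:
#   teardown_service_account PROJECT SA_EMAIL ROLE [ROLE...]
teardown_service_account() {
  local project="$1" sa_email="$2"
  shift 2
  local role
  for role in "$@"; do
    remove_binding "$project" "serviceAccount:$sa_email" "$role" || return 1
  done
  gcloud iam service-accounts delete "$sa_email" --project="$project" --quiet
}
```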