Task to delete GCP Service Accounts Policies fails when SA doesn't exist
jimright opened this issue · comments
Details
The task which removes GCP Service Account policies, which uses a gcloud command, now fails when the Service Account does not exist. There is a failed_when condition on this task which should prevent this happening:
cloudera.exe/roles/platform/tasks/teardown_gcp_authz.yml
Lines 54 to 62 in c211d37
This task uses the gcloud projects remove-iam-policy-binding command and it seems the error message for a non-existent SA has changed slightly:
cldr full-v1.5.4 #> gcloud projects remove-iam-policy-binding <GCP_ACCOUNT> --member=serviceAccount:jenright-audit-identity@<GCP_ACCOUNT>.iam.gserviceaccount.com --role=roles/storage.objectAdmin --all
ERROR: (gcloud.projects.remove-iam-policy-binding) Policy bindings with the specified principal and role not found!
Possible Solution
Change the failed_when condition on the Tear down Operational GCP Service Accounts Policies to catch the new error message.
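One way the condition described in this issue could be written, as an added example that is not the project's own task and not code from the original post. The variable names (`example_gcp_project`, `example_sa_email`, `example_roles`, `__example_binding_removal`) are hypothetical, and the only error text matched is the one quoted in this issue.

```yaml
# Added example: tolerate only the "binding not found" error quoted above.
# Any other non-zero exit (permission denied, wrong project, expired
# credentials) still fails the play, so a teardown cannot report success
# while IAM bindings are left in place.
- name: Tear down Operational GCP Service Accounts Policies (example)
  ansible.builtin.command:
    # argv form avoids shell parsing of the templated values
    argv:
      - gcloud
      - projects
      - remove-iam-policy-binding
      - "{{ example_gcp_project }}"
      - "--member=serviceAccount:{{ example_sa_email }}"
      - "--role={{ item }}"
      - --all
  loop: "{{ example_roles }}"   # e.g. ['roles/storage.objectAdmin']
  register: __example_binding_removal
  # A list under failed_when is ANDed: fail only when the command failed
  # AND the output is not the known "nothing to remove" message.
  # Assumption: the message may arrive on stderr or stdout, so both are checked.
  failed_when:
    - __example_binding_removal.rc != 0
    - >-
      'Policy bindings with the specified principal and role not found'
      not in (__example_binding_removal.stderr ~ __example_binding_removal.stdout)
  # Report a change only when a binding was actually removed.
  changed_when: __example_binding_removal.rc == 0
```

Matching on CLI error text is brittle, as this issue shows, so the matched substring is kept short and a changed message fails loudly instead of being silently ignored.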