I’m trying to create a GKE cluster in project-1 using the shared network of project-2.
Roles given to Service account:
project-1: Kubernetes Engine Cluster Admin, Compute Network Admin
project-2: Kubernetes Engine Service Agent, Compute Network User
Service Account is created under project-1.
API & Services are enabled in both Projects.
But I am getting this error persistently.
Error: googleapi: Error 403: Kubernetes Engine Service Agent is missing required permissions on this project. See Troubleshooting | Google Kubernetes Engine (GKE) | Google Cloud for more info: required “container.hostServiceAgent.use” permission(s) for “projects/project-2”., forbidden
```hcl
# Host project (project-2) network and subnet, looked up read-only
data "google_compute_network" "shared_vpc" {
  name    = "network-name-in-project-2"
  project = "project-2"
}

data "google_compute_subnetwork" "shared_subnet" {
  name    = "subnet-name-in-project-2"
  project = "project-2"
  region  = "us-east1"
}

# cluster creation under project 1
# project 1 specified in Provider
resource "google_container_cluster" "mowx_cluster" {
  name               = var.cluster_name
  location           = "us-east1"
  initial_node_count = 1

  master_auth {
    username = ""
    password = ""
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  remove_default_node_pool = true

  cluster_autoscaling {
    enabled = false
  }

  # cluster_ipv4_cidr = var.cluster_pod_cidr
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "svc"
  }

  network    = data.google_compute_network.shared_vpc.id
  subnetwork = data.google_compute_subnetwork.shared_subnet.id
}
```
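The 403 names the permission `container.hostServiceAgent.use` on the host project, and that permission is carried by the role `roles/container.hostServiceAgentUser`, which GKE expects on the host project for the service project's GKE service agent (`service-<SERVICE_PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com`), a Google-managed identity distinct from the deployment service account. The following Terraform is an added example, not the poster's code, showing the host-project bindings scoped as tightly as GKE allows. It reuses the project IDs, subnet name and region from the post, assumes project-1 is already attached as a service project of the shared-VPC host project-2, and assumes the identity running `terraform apply` may set IAM policy on project-2.

```hcl
# Assumed values taken from the post; replace with the real host/service project IDs.
locals {
  host_project    = "project-2"
  service_project = "project-1"
  shared_region   = "us-east1"
  shared_subnet   = "subnet-name-in-project-2"
}

# Project number of the service project, needed to build the Google-managed
# service agent emails (they are keyed by project number, not project ID).
data "google_project" "service" {
  project_id = local.service_project
}

locals {
  # GKE service agent of the service project (format fixed by GKE).
  gke_service_agent = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"
  # Google APIs service agent of the service project, which creates the node VMs.
  apis_service_agent = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# Host Service Agent User on the HOST project. This role carries
# container.hostServiceAgent.use, the permission named in the 403 error.
# It has to be bound on project-2, not on project-1, and to the GKE service
# agent, not to the deployment service account.
resource "google_project_iam_member" "gke_host_agent_user" {
  project = local.host_project
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_service_agent
}

# Least privilege: Compute Network User only on the shared subnet the cluster
# will use, rather than project-wide on the host project.
resource "google_compute_subnetwork_iam_member" "gke_agent_subnet_user" {
  project    = local.host_project
  region     = local.shared_region
  subnetwork = local.shared_subnet
  role       = "roles/compute.networkUser"
  member     = local.gke_service_agent
}

resource "google_compute_subnetwork_iam_member" "apis_agent_subnet_user" {
  project    = local.host_project
  region     = local.shared_region
  subnetwork = local.shared_subnet
  role       = "roles/compute.networkUser"
  member     = local.apis_service_agent
}
```

Apply these bindings before the `google_container_cluster` resource (or add `depends_on` pointing at them), since GKE checks the host-project permissions at cluster-creation time. To confirm the binding landed where the error expects it, `gcloud projects get-iam-policy project-2 --format=json` should list the `container-engine-robot` service agent under `roles/container.hostServiceAgentUser`; if it is instead attached to the deployment service account, or to project-1, the same 403 will persist.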