Hi!
I've been trying to give access to a single GKE cluster inside a project using only IAM permissions (no RBAC), for the example let's use roles/container.admin
I found no way to grant an IAM binding directly to the cluster (neither in the console nor in Terraform), so I fell back to a project-wide grant with the following IAM condition:
resource.name == 'projects/project-id/locations/location/clusters/cluster1'
Doing so, I can indeed retrieve credentials for "cluster1"; however, any action on the cluster fails. For example, trying to list pods fails with:
User cannot list resource "pods" in API group "" in the namespace "default": requires one of ["container.pods.list"] permission(s)".
I figure the resource checked by GKE is no longer the cluster and so doesn't match the IAM condition, but I have not seen anywhere what else it could be.
Note that an IAM condition on a tag applied to the cluster seems to work (as tags apply to all child resources), but that isn't really practical for my use case...
Do you have any insight on how to grant IAM rights to a specific cluster using only IAM ?
Thanks a lot
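As an added illustration (not part of the original post), here is the Terraform shape of the project-wide grant the post describes, with the exact-match condition from the post next to a prefix-match variant. The prefix variant rests on an assumption the page does not confirm: that GKE evaluates requests on Kubernetes objects against a resource name that starts with the cluster's full name. The project id, location, cluster name and member address are placeholders.

```hcl
# Added example, not code from the original post. The project, location,
# cluster name and member are placeholders.

locals {
  cluster_resource_name = "projects/project-id/locations/location/clusters/cluster1"
}

# Variant A: the exact-match condition from the post. It matches the
# cluster object itself (so fetching credentials works) but, as the post
# reports, not actions on Kubernetes resources inside the cluster.
resource "google_project_iam_member" "cluster1_admin_exact" {
  project = "project-id"
  role    = "roles/container.admin"
  member  = "user:alice@example.com" # placeholder

  condition {
    title       = "cluster1-only-exact"
    description = "Matches only the cluster resource itself"
    expression  = "resource.name == '${local.cluster_resource_name}'"
  }
}

# Variant B (assumption, not confirmed on this page): a prefix match on the
# cluster's full resource name. If child resources carry that prefix, this
# covers them while still excluding every other cluster in the project.
resource "google_project_iam_member" "cluster1_admin_prefix" {
  project = "project-id"
  role    = "roles/container.admin"
  member  = "user:alice@example.com" # placeholder

  condition {
    title       = "cluster1-only-prefix"
    description = "Matches the cluster and any resource named under it"
    expression  = "resource.name.startsWith('${local.cluster_resource_name}')"
  }
}
```

Before relying on the prefix variant, compare it against the resource name actually recorded for a denied request (for example in the project's audit logs): a prefix match is only as narrow as the resource names GKE evaluates, so confirm that no other cluster's resource names share the prefix before treating it as a single-cluster grant.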
Hi @Misfits09
Did you check which service account is used and its permissions?