Velero installation failing from a VM host in GCP

I am trying to install velero on a GKE Cluster from a GCP Compute Engine Host using the steps below

https://github.com/vmware-tanzu/velero-plugin-for-gcp

I am installing velero from the VM host using the command below

 velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket ${VELEROBUCKET} --secret-file ./credentials-velero

but it is failing with the error below

   Error installing Velero. Use `kubectl logs deploy/velero -n velero` to check the deploy logs:
   Error creating resource ClusterRoleBinding/velero: clusterrolebindings.rbac.authorization.k8s.io is forbidden:
   User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s)

To resolve this error, I am trying this

  kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user velero

but this too is failing with the error below

   error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope: requires one of ["container.clusterRoleBindings.create"] permission(s).

Two queries for the above scenario:

  1. Is it correct to create a clusterrolebinding resource to resolve the error I am seeing while installing velero?

  2. How do I identify the corresponding user for "116865650821658545991" as seen in the second error, and what role needs to be assigned to create the clusterrolebinding resource?


Solution 1:

This is resolved now.

I identified the service account used by the VM using

   $ gcloud config list
   [core]
   account = [email protected]

After that we assigned the role "Kubernetes Engine Admin" to the above service account and installed velero successfully using the command below

   # variable name must match the ${VELEROBUCKET} reference used in the install command
   VELEROBUCKET=gkevelerobackup
   velero install --provider gcp --plugins velero/velero-plugin-for-gcp:v1.1.0 --bucket ${VELEROBUCKET} --secret-file ./credentials-velero
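The numeric "User" in the GKE forbidden error is the GCP principal's uniqueId, so the second query can be answered by matching it against the project's service accounts. The script below is an added example, not part of the question or the answer: it pulls the id out of the error text and maps it to a service-account email using the `email uniqueId` pairs that `gcloud iam service-accounts list --format='value(email,uniqueId)'` prints. The listing here is a constructed sample (the email addresses are made up; only the id comes from the error above), and it assumes the principal is a service account, as in the answer.

```shell
#!/bin/sh
# Added example (not from the original post). Offline: the listing is constructed,
# stand in for it with:  gcloud iam service-accounts list --format='value(email,uniqueId)'

# Print the numeric principal id quoted as User "..." in a GKE RBAC forbidden error.
forbidden_user_id() {
  printf '%s\n' "$1" | sed -n 's/.*User "\([0-9]*\)".*/\1/p' | head -n 1
}

# Map a uniqueId ($1) to an email given "email uniqueId" lines ($2).
# Plain string comparison on purpose: 21-digit ids lose precision as numbers.
lookup_sa_email() {
  _id=$1
  printf '%s\n' "$2" | while read -r email uid; do
    if [ "$uid" = "$_id" ]; then
      printf '%s\n' "$email"
      break
    fi
  done
}

# Error text as reported in the question (id is the real value from the page).
SAMPLE_ERROR='Error creating resource ClusterRoleBinding/velero: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "116865650821658545991" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope'

# Constructed sample listing; the emails are placeholders, not real accounts.
SAMPLE_LISTING='velero-installer@example-project.iam.gserviceaccount.com 116865650821658545991
other-sa@example-project.iam.gserviceaccount.com 100000000000000000001'

# Resolve the id from the error and report which service account it belongs to.
resolve_forbidden_principal() {
  _uid=$(forbidden_user_id "$1")
  _email=$(lookup_sa_email "$_uid" "$2")
  if [ -n "$_email" ]; then
    printf '%s -> %s\n' "$_uid" "$_email"
  else
    printf '%s -> (no service account with this uniqueId in the listing)\n' "$_uid"
  fi
}

resolve_forbidden_principal "$SAMPLE_ERROR" "$SAMPLE_LISTING"
```

Once the role has been granted to that account, `kubectl auth can-i create clusterrolebindings` returns `yes` before re-running `velero install`, which avoids another failed install.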