From 9038eeda43a5e279ae3dfe24f910fadf9240260b Mon Sep 17 00:00:00 2001
From: Henry Suryawirawan <henry.ken@gmail.com>
Date: Fri, 28 Jun 2019 11:13:20 +0700
Subject: [PATCH] Add IAM policy binding for Service Account User

Setting up a new cluster per test requires Cloud Build SA to have Service Account User role.
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 7c15dea..db8c11f 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,10 @@ gcloud builds submit --config=cloudbuild.compose.yaml .
     gcloud projects add-iam-policy-binding <PROJECT-ID> \ 
     --member serviceAccount:<PROJECT-NUMBER>@cloudbuild.gserviceaccount.com \
     --role roles/container.admin
+    
+    gcloud projects add-iam-policy-binding <PROJECT-ID> \ 
+    --member serviceAccount:<PROJECT-NUMBER>@cloudbuild.gserviceaccount.com \
+    --role roles/iam.serviceAccountUser
     ```
 
     Learn more about the [Cloud Build Service Account](https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions#what_is_the_service_account), [Kubernetes Engine Permissions](https://cloud.google.com/kubernetes-engine/docs/how-to/iam) and [Granting Roles to Service Accounts](https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource).