1. Create a Service Account

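gcloud iam service-accounts create least-gke-test --project fcr-it
# Create a custom role from the definition in custom-role.yaml.
# Role IDs may not contain hyphens, so the ID is leastrole (as used in step 2).
gcloud iam roles create leastrole --quiet \
  --project "fcr-it" \
  --file "custom-role.yaml"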

2. Grant a role to the SA

Add roles/container.clusterAdmin on the SA first.

Changing the project policy requires the “setIamPolicy” permission.

gcloud projects add-iam-policy-binding fcr-it --member serviceAccount:"least-gke-test@fcr-it.iam.gserviceaccount.com" --role projects/fcr-it/roles/leastrole

3. Revoke access from the SA

Remove the existing role, then grant another one.

gcloud projects remove-iam-policy-binding fcr-it --member serviceAccount:"least-gke-test@fcr-it.iam.gserviceaccount.com" --role roles/container.clusterAdmin

gcloud projects add-iam-policy-binding fcr-it --member serviceAccount:"least-gke-test@fcr-it.iam.gserviceaccount.com" --role roles/container.developer

4. Get credentials for the GKE cluster

gcloud container clusters get-credentials simple-gke-cluster --zone europe-west2-b
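
To confirm that step 3 left the service account with only the intended roles, the following added example (not part of the original notes) checks a project policy listing against an allow-list. The function names, the allow-list and the sample listing are assumptions constructed for illustration; the listing format is the tab-separated output of `value(bindings.role,bindings.members)` after flattening.

```bash
# Added example: flag project-level roles a service account should not hold.
PROJECT="fcr-it"
SA="serviceAccount:least-gke-test@fcr-it.iam.gserviceaccount.com"
# Assumed allow-list: the roles this page intends the SA to keep.
ALLOWED="roles/container.developer projects/fcr-it/roles/leastrole"

# Live query: prints one "role<TAB>member" line per binding member.
list_bindings() {
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}

# Constructed sample listing: the state before step 3 has been run.
sample_bindings() {
  printf '%s\t%s\n' \
    "roles/container.clusterAdmin" "$SA" \
    "projects/fcr-it/roles/leastrole" "$SA" \
    "roles/owner" "user:admin@example.com"
}

# Reads "role<TAB>member" lines on stdin and prints every role held by
# member $1 that is not in the space-separated allow-list $2.
# Returns 1 if at least one unexpected role was found, 0 otherwise.
unexpected_roles() {
  member="$1"; allowed="$2"; rc=0
  while IFS="$(printf '\t')" read -r role who; do
    [ "$who" = "$member" ] || continue      # ignore other principals
    case " $allowed " in
      *" $role "*) ;;                        # expected role
      *) printf '%s\n' "$role"; rc=1 ;;      # over-privileged binding
    esac
  done
  return "$rc"
}

# Offline demo on the constructed listing; swap in list_bindings for a live check.
sample_bindings | unexpected_roles "$SA" "$ALLOWED" \
  || echo "revoke the roles listed above from $SA"
```

Run with `list_bindings | unexpected_roles "$SA" "$ALLOWED"` after step 3; empty output and exit status 0 mean roles/container.clusterAdmin is gone.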

Roles/Permission

Role                      Get Credential
container.clusterAdmin    true
container.developer       true
