GCP - User ... does not have permission to access projects instance - google-cloud-platform

I was using gcloud with a service account to try to figure out why my API Gateway endpoint didn't work when I ran into another problem. First I ran this export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential/fils/PROJECTNAME-hash.json. Then I ran gcloud services list --available and I got this in my terminal:
ERROR: (gcloud.services.list) User [<SERVICE ACCOUNT NAME>#<MY PROJECT NAME>.iam.gserviceaccount.com] does not have permission to access projects instance [<MY PROJECT NAME>] (or it may not exist): Permission denied to list services for consumer container [projects/<MY PROJECT ID>]
Help Token: <WHAT LOOKS LIKE AN API KEY>
- '#type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.services.list&resource=projects/<MY PROJECT NAME>
type: googleapis.com
- '#type': type.googleapis.com/google.rpc.ErrorInfo
domain: serviceusage.googleapis.com
metadata:
permission: serviceusage.services.list
resource: projects/<MY PROJECT NAME>
service: cloudresourcemanager.googleapis.com
reason: AUTH_PERMISSION_DENIED
I believe I have the correct permissions enabled in my service account:
So why am I getting this error and how do I get gcloud services list --available to work with the selected service account?

This problem seemed to stem from the fact that I needed to set the service account to have the role of serviceusage.serviceUsageViewer. In order to do that I need to run the add-iam-policy-binding command but this command needs to be run with an account that has account owner/editor permissions.
Step 1 was to switch the account in gcloud to the master gmail account with which I signed up for GCP services.
I set my gcloud "account" to my master Gmail account with gcloud config set account <MASTER GMAIL ACCOUNT>. Then I ran:
gcloud projects add-iam-policy-binding <PROJECT ID> \
--member "serviceAccount:<SERVICE ACCOUNT>#<PROJECT ID>.iam.gserviceaccount.com" \
--role "roles/serviceusage.serviceUsageViewer"
That command succeeded. I set the gcloud account back to the service account with gcloud config set account <SERVICE ACCOUNT EMAIL> and then ran gcloud services list --available. This command worked this time.

Related

Cloud Asset API not enabled

Our project has enabled Cloud Asset Inventory API, I can view it from UI, but I get this permission error. I am the owner of the project.
➜ gcloud auth login
Your browser has been opened to visit:
---
You are now logged in as [myemail].
➜ gcloud asset export --content-type resource --project xxx --output-path "gs://export-resources-t/resources_updated.yaml" --format=yaml
Export in progress for root asset [projects/xxx].
Use [gcloud asset operations describe projects/xxx/operations/ExportAssets/RESOURCE/530109afbb66bdaf2be325e11897c83c] to check the status of the operation.
➜ gcloud beta resource-config bulk-export --resource-format=terraform --path output --project xxx
Exporting resource configurations to [output]...done.
ERROR: (gcloud.beta.resource-config.bulk-export) Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled.
As per this case When the destination is in the same project, the user doesn't need to grant additional permission/role to the built-in service account, it is only needed when the destination is in a different project.
If this is not your issue then try using this method. i.e.,
For this service account you should add the role 'roles/cloudasset.serviceAgent' (which has all the required permissions).
Run this: gcloud beta services identity create --service=cloudasset.googleapis.com --project=<project number>
The above command will create the needed identity, then copy the name of the service account identity created and use it with the following command to grant the required role:
gcloud beta projects add-iam-policy-binding <project_name> --member='serviceAccount:[Service_Account]' --role='roles/cloudasset.serviceAgent
Please replace the [Service_Account] with the actual service account identity created in the first command.
After performing the above steps, you will be able to run thegcloud beta resource-config bulk-export --project=<project_name> --resource-format=terraform command.
For more information follow this doc.

Enabling GCP cloudresourcemanager gcloud config joe.bloggs#googlemail.com account does not match GCP project owner role joe.bloggs#gmail.com

Trying to run:
gcloud services enable cloudresourcemanager.googleapis.com —project=$GOOGLE_CLOUD_PROJECT
I get the authorisation error:
Enabling the Cloud Resource Manager API for project xxxxxxxxx... ERROR: (gcloud.services.enable) User [joe.bloggs#googlemail.com] does not have permission to access project [xxxxxxxxx] (or it may not exist): Service '—project=xxxxxxxxx' not found or permission denied.
When I check the GCP policy troubleshooter it says that I have owner role in the project xxxxxxxxx. However you can see in GCP console my email address as joe.bloggs#gmail.com but in my gcloud config its joe.bloggs#googlemail.com. I have tried to change it to gmail.com in gcloud config and googlemail.com in project owner role but don't seem to be able to.
First set basic auth from your terminal:
gcloud auth application-default login
Then set the project like below:
gcloud config set project <put your project id>
Then create a service account with owner setup
gcloud iam service-accounts create sa-name \
--description="sa-description" \
--display-name="sa-display-name"
Here sa-description is an optional description for the service account.
sa-display-name is a friendly name for the service account.
project-id is the ID of your Google Cloud project.
Then add owner policy:
gcloud projects add-iam-policy-binding my-project-123 \
--member serviceAccount:sa-name#project-id.iam.gserviceaccount.com \
--role roles/owner
Then create the service account key:
gcloud iam service-accounts keys create ~/key.json \
--iam-account sa-name#project-id.iam.gserviceaccount.com
Then use this key:
export GCLOUD_APPLICATION_CREDENTIALS="~/key.json"
gcloud auth activate-service-account --key-file \
$GCLOUD_APPLICATION_CREDENTIALS
Then enable:
gcloud services enable cloudresourcemanager.googleapis.com —project=$GOOGLE_CLOUD_PROJECT
I understand there is an error in the gmail account used to login in gcloud, try using the "gcloud auth list" command to verify the account used in gcloud, you can then use the "gcloud auth revoke --all" command to logout from all acocunts in gcloud and after that try "gcloud auth login email#address.com" to relogin using the right account.
If the owner email is wrong in cloud console and you are still able to login with that account, just add another IAM role with the right account as owner in the IAM menu, and then you can delete the misspelled account if necessary

Cloud container clusters create `compute.networks.get` permission error

I am trying to create a cluster with GKE. I have a project I have been using already.
When I run
gcloud container clusters create cluster1
I get the following:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.
The same thing happens when I use the web UI. Both my service account and my user have owner roles.
I have tried the following to get the cluster create command to work:
I tried adding a policy binding for the project for my existing service account:
gcloud projects add-iam-policy-binding <my-project> \
--member serviceAccount:<my-user>#<my-project>.iam.gserviceaccount.com \
--role roles/compute.admin
I read enabling the container api service was required
gcloud services enable container.googleapis.com
Started over. I deleted the service account, created a new one and activated the creds with:
gcloud auth activate-service-account <my-user>#<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
I also tried authenticating with my account user:
gcloud auth login
None of these work and I can't create a cluster
I think I will answer my own question here. From service account docs
When you create a new Cloud project using GCP Console and if Compute Engine API is enabled for your project, a Compute Engine Service account is created for you by default. It is identifiable using the email:
PROJECT_NUMBER-compute#developer.gserviceaccount.com
I had delete the default created service accounts somehow and possible the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate, I decided it was best to just start a new project. Afterwords, the cluster create API and console work just fine.
Debug:
gcloud container subnets list-usable --project service-project --network-project shared-vpc-project
If you get warning in output:
WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED:
Google Compute Engine: Required 'compute.projects.get' permission for
'projects/shared-vpc-project'
It means your google managed gke service account in host project doesn't exist.
To solve go to host project apis and enable Kubernetes Engine API. If it's enabled, disable it and enable again back.
I think you should set the compute engine service account permission:
gcloud projects add-iam-policy-binding <my-project> \
--member [PROJECT_NUMBER]-compute#developer.gserviceaccount.com \
--role roles/compute.admin

Service account does not have storage.buckets.lists access to project while pushing images to GCR via Gitlab CI

I am using Gitlab CI to build docker images and to push them to GCR. My Script goes like this -
build:
image: google/cloud-sdk
services:
- docker:dind
stage: build
cache:
script:
- echo "$GCP_SERVICE_KEY" > gcloud-service-key.json # Google Cloud service accounts
- gcloud auth activate-service-account --key-file gcloud-service-key.json
- gcloud auth configure-docker --quiet
- gcloud config set project $GCP_PROJECT_ID
- echo ${IMAGE_NAME}:${IMAGE_TAG}
- PYTHONUNBUFFERED=1 gcloud builds submit -t ${IMAGE_NAME}:${IMAGE_TAG} .
only:
- master
and I am getting this error-
ERROR: (gcloud.builds.submit) HTTPError 403: <service account name>#<projectname>.iam.gserviceaccount.com does not have storage.buckets.list access to project <projectid>.
After giving service account Cloud Editor permissions, I am getting the error -
ERROR: (gcloud.builds.submit) User [<service account name>#<projectname>.iam.gserviceaccount.com] does not have permission to access b [<bucker_name>] (or it may not exist): <service account name>#<projectname>.iam.gserviceaccount.com does not have storage.buckets.get access to <bucket_name>
What all permissions do I have to give to service account to achieve so?
From the error:
<service account name>#<projectname>.iam.gserviceaccount.com
does not have storage.buckets.list access to project <projectid>
I suspect that <projectname> and <projectid> refer to 2 different projects.
The project that owns the service account (<projectname>) may well have storage.[buckets|objects].* permissions but these will apply to the GCS resources controlled by <projectname> and not to those controlled by <projectid>.
NB Yes, it's confusing to see projects referenced by different types of keys but, to confirm, compare the ProjectID of <projectname> with <projectid>. Replace <projectname> with its value in the below to retrieve the ProjectID:
gcloud projects list --filter="name=<projectname> --format="value(projectId)"
There are 2 approaches to permitting identities to access GCS resources. The first is (as above) to create these at the project level. The second is to apply these to specific buckets.
See the link below for guidance. It's for Cloud Build's service account but the principle is the same. The service account (in project <projectname>) needs to have access to the GCS resources in <projectid>:
https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions#push_private_images_to_others

How do I entitle serviceAccounts via gcloud command-line for Kubernetes API access?

I'm trying to automate creation of service accounts for use with GKE via the gcloud command-line tool. I've figured out a flow that appears to mirror the process used by the Google Cloud Console, but my users don't see to receive the appropriate access.
Here's the commands I'm executing in order:
# Environment:
# - uname=<username>
# - email=<user's email address>
# - GCLOUD_PROJECT_ID=<project identifier>
# - serviceAccount="${uname}#${GCLOUD_PROJECT_ID}.iam.gserviceaccount.com"
$ gcloud iam service-accounts \
create "${uname}" --display-name "email:${email}" --format json
$ gcloud projects \
add-iam-policy-binding "${GCLOUD_PROJECT_ID}" \
--member "serviceAccount:${serviceAccount}" \
--role=roles/container.developer --format=json
$ gcloud iam service-accounts keys \
create "${GCLOUD_PROJECT_ID}-${uname}.json" \
--iam-account="${serviceAccount}"
When this executes, it creates a new service account and generates a key file locally. I then try to use this key to get credentials for my Kubernetes cluster.
$ gcloud config configurations create devcluster --activate
$ gcloud config set project devnet-166017
$ gcloud config set compute/zone us-central1-b
$ gcloud auth activate-service-account \
--key-file="${GCLOUD_PROJECT_ID}-${uname}.json"
$ gcloud container clusters get-credentials devcluster
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: \
code=403, message=Required "container.clusters.get" permission for \
"projects/${GCLOUD_PROJECT_ID}/zones/us-central1-b/clusters/devcluster".
It appears that for some reason my service account doesn't have one of the permissions it needs to get credentials, but based on what I've read and what I've observed in the Console, I believe this permission should be part of the roles/container.developer role.
Thanks!
I assume by service account, you mean the Service Account for Google Cloud. Here are the IAM roles related to GKE: https://cloud.google.com/container-engine/docs/iam-integration (search for container.).
First create a service account:
gcloud iam service-accounts create --display-name "GKE cluster access" gke-test
Then create a key:
gcloud iam service-accounts keys create key.json --iam-account=gke-test#[PROJECT_ID].iam.gserviceaccount.com
Now you need to assign some roles to this service account, your options are:
roles/container.admin Full management of Container Clusters and their Kubernetes API objects.
roles/container.clusterAdmin Management of Container Clusters.
roles/container.developer Full access to Kubernetes API objects inside Container Clusters.
roles/container.viewer Read-only access to Container Engine resources.
Again look at https://cloud.google.com/container-engine/docs/iam-integration page for details.
I assign roles/container.viewer (a read-only role, minimum you can assign to get-credentials) to this service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] --role=roles/container.viewer --member=serviceAccount:gke-test#[PROJECT_ID].iam.gserviceaccount.com
Logout on gcloud from your current account:
gcloud auth revoke
Login to gcloud with the service account key:
gcloud auth activate-service-account --key-file=key.json
Try get-credentials:
$ gcloud container clusters get-credentials test --zone us-west1-a
Fetching cluster endpoint and auth data.
kubeconfig entry generated for test.
It works. I tried it with roles/container.developer, which also works.
You can try other permissions and see what works and what doesn't, although you made it clear that the documentation doesn't make it clear which roles have access to container.clusters.getCredentials.