I'm trying to create a GKE Cluster through Terraform. Facing an issue w.r.t service accounts. In our enterprise, service accounts to be used by Terraform are created in a project svc-accnts which resides in a folder named prod.
I'm trying to create the GKE cluster in a different folder which is Dev and the project name is apigw. Thro Terraform, when I use a service account with the necessary permissions reside in the project apigw, it works fine.
But when I try to use a service account with the same permissions where the service account resides in a different folder, getting this error
Error: googleapi: Error 403: Kubernetes Engine API has not been used in project 8075178406 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/container.googleapis.com/overview?project=8075178406 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
where 8075178406 is the project number of svc-accnts
Why does it try to enable the API in svc-accnts when the GKE cluster is created in apigw. Are service accounts not meant to used across folders?
Thanks.
The error you provide is not about permissions of the service account. Maybe you did not change the project in the provider? Remember, you can have multiple providers of the same type (google) that point to different projects. Some code example would provide more information.
See:
https://medium.com/scalereal/how-to-use-multiple-aws-providers-in-a-terraform-project-672da074c3eb (this is for AWS, but same idea)
https://www.terraform.io/language/providers/configuration
Looks like this is a known issue and happens through gcloud cli as well.
https://issuetracker.google.com/180053712
The workaround is to enable the Kubernetes Engine API on the project(svc-accnts) and it works fine. I was hesitant to do that as I thought this might create the resources in the project.
Related
I try to run cloud deploy on existing project where also run Cloud Build and
I have the following error:
targetRenders:
qsdev:
failureCause: CLOUD_BUILD_UNAVAILABLE
renderingState: FAILED
I try to use this article when I try to run a cloud deploy on a new empty project everything works as expected.
I understand that the problem is with the permissions but can’t find where exactly.
I used this help
What could be the problem?
As shown in the FailureCause documentation, this error is caused by insufficient permissions.
CLOUD_BUILD_UNAVAILABLE: Cloud Build is not available, either because it is not enabled or because Google Cloud Deploy has insufficient permissions. See Required permission.
In the required permission documentation, it shows some troubleshoot steps to follow in order to ensure that the correct permissions are set:
The service account used for rendering configurations must have sufficient permissions to access the Cloud Storage bucket where your Google Cloud Deploy resources are stored (delivery pipelines, releases, rollouts).
The role roles/clouddeploy.jobRunner includes all permissions the render service account (privatePool or defaultPool) needs.
The service account used for deploying must have sufficient permissions to deploy to the target cluster, and permission to access the Cloud Storage bucket.
Note: If you use a custom Cloud Storage bucket, you can put it anywhere. (It doesn't need to be in the same region, for example, as the delivery pipeline.)
The service account that calls Google Cloud Deploy to create a release must have the clouddeploy.releaser role. It must also have the iam.serviceAccount.actAs permission to use the service account that renders manifests (for example through the roles/iam.serviceAccountUser role).
The service account that calls Google Cloud Deploy to promote a release or create a rollout must have the iam.serviceAccount.actAs permission to use the service account that deploys to targets.
New to GCP and use IAC for our Terraform. I've managed to build most of the initial organisation config in Terraform no problem with the exception of Cloud Identity and Organisation Policies. I'm using gcloud provided login credentials. Whenever I try to build for those two services I get this:
Error creating Group: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudidentity.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
So in this case i'm using the Google Cloud SDK, so the error makes sense. However, the two options it presents don't work:
Setting a quota project makes no difference
I can't create a service account at the organisational level (and when I create one within a project it can't configure these organisational level constructs)
So how do I go about Terraforming these services?
Thanks.
We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed or if anyone has seen this previously?
Does it not exist or does you not see it?
I'm pretty sure that it exists but without any role granted on it and you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!
I receive an error message while attempting to deploy anything from the marketplace into a specific GCP project.
You must have a valid default service account in order to create a
deployment, but this account could not be detected. Contact support
for help restoring the account.
Things I've Tried:
Every VM from the marketplace shows the same error message
I can deploy regular VM instance
I can see there is an enabled service account for the project with the name "Compute Engine default service account".
I am able to deploy VM's from the marketplace into other projects under the same organization
I've contacted GCP Billing support and they cannot find anything wrong from a billing perspective
Researching online shows that others that have had this issue have just rebuilt the project. It appears that service account is created by default when the project is spun up.
I'm hoping there is another way around it as this project is a host for a shared VPC deployment. There are already other projects with deployed VM's that are utilizing the host projects networks.
Thank you!
Looks like you deleted a default service account.
As mentioned in one comment some can be recreated by disable/enable the corresponding API
Below are the default service accounts I have in my project, hope it helps you to find the root cause. (these service accounts let me deploy a wordpress solution depending on what you are trying to deploy you might need more service accounts)
PROJECT-NUMBER-compute#developer.gserviceaccount.com Compute Engine
default service account
PROJECT-NUMBER#cloudservices.gserviceaccount.com Google APIs Service
Agent
PROJECT-ID#appspot.gserviceaccount.com App Engine default service
account
service-ORG-ID3#gcp-sa-cloudasset.iam.gserviceaccount.com Cloud Asset
Service Agent
service-PROJECT-NUMBER#cloud-ml.google.com.iam.gserviceaccount.com Google
Cloud ML Engine Service Agent
service-PROJECT-NUMBER#compute-system.iam.gserviceaccount.com Compute
Engine Service Agent
service-PROJECT-NUMBER#container-engine-robot.iam.gserviceaccount.com Kubernetes
Engine Service Agent
service-PROJECT-NUMBER#containerregistry.iam.gserviceaccount.com Google
Container Registry Service Agent
service-PROJECT-NUMBER#dataflow-service-producer-prod.iam.gserviceaccount.com Cloud
Dataflow Service Account
service-PROJECT-NUMBER#service-networking.iam.gserviceaccount.com Service
Networking Service Agent
The service account was intact and had the same permissions as other service accounts for working projects.
We purchased and opened a case with GCP technical support. After a little more than a week of them troubleshooting the issues, they determined there was no way to correct the problem. Their root cause was that something happened during the initial project deployment that caused some backend configuration issues. For what its worth, the project was deployed using Terraform, but its uncertain if that was a factor.
After recreating the host project, we were able to deploy from the marketplace again successfully.
If you run into this problem, save yourself the hassle and time and just recreate the project.
I am trying to create a Container Cluster in Google Container Engine using the console (UI).
I am getting the below error while creating a cluster of size - 3 of machine type "n1-standard-1"
"xxxxxxxxxxx#cloudservices.gserviceaccount.com" does not have edit permissions on project "xxxx-xxxxxx-xxxxxx".
I have already enabled the API's related to Container management :-
Google Cloud Container Builder API
Google Container Engine API
Also, I haven't created a service account as given in the error "xxxxxxxxxxx#cloudservices.gserviceaccount.com" . I don't know about this service-account? what is this used for? and who created it?
Though I have another service account, which is different from the one shown in error, it has all the edit permissions to my project.
The xxxxxxxxxxx#cloudservices.gserviceaccount.com is the service account that Google Container Engine uses to create the resources for your cluster. You'll need to make sure that it has "Editor" role in the permissions section of your GCP project.