Our project has enabled Cloud Asset Inventory API, I can view it from UI, but I get this permission error. I am the owner of the project.
➜ gcloud auth login
Your browser has been opened to visit:
---
You are now logged in as [myemail].
➜ gcloud asset export --content-type resource --project xxx --output-path "gs://export-resources-t/resources_updated.yaml" --format=yaml
Export in progress for root asset [projects/xxx].
Use [gcloud asset operations describe projects/xxx/operations/ExportAssets/RESOURCE/530109afbb66bdaf2be325e11897c83c] to check the status of the operation.
➜ gcloud beta resource-config bulk-export --resource-format=terraform --path output --project xxx
Exporting resource configurations to [output]...done.
ERROR: (gcloud.beta.resource-config.bulk-export) Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled.
As per this case, when the destination is in the same project, the user doesn't need to grant an additional permission/role to the built-in service account; it is only needed when the destination is in a different project.
If this is not your issue, then try the following method:
For this service account you should add the role 'roles/cloudasset.serviceAgent' (which has all the required permissions).
Run this: gcloud beta services identity create --service=cloudasset.googleapis.com --project=<project number>
The above command will create the needed identity, then copy the name of the service account identity created and use it with the following command to grant the required role:
gcloud beta projects add-iam-policy-binding <project_name> --member='serviceAccount:[Service_Account]' --role='roles/cloudasset.serviceAgent'
Please replace the [Service_Account] with the actual service account identity created in the first command.
After performing the above steps, you will be able to run the gcloud beta resource-config bulk-export --project=<project_name> --resource-format=terraform command.
For more information follow this doc.
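The answer above grants roles/cloudasset.serviceAgent to a Google-managed service agent. As an added example (not the answer's own code), the Python below checks a project's IAM policy, as printed by gcloud projects get-iam-policy PROJECT --format=json, for such bindings before and after the grant. It skips conditional bindings, since a binding carrying a condition may not apply to the request being debugged, and flags principals that survive in the policy only with the deleted: prefix, which is what a policy looks like after a default service account has been removed. The project number, sample policy and requirement table are constructed for the demo; the service-agent e-mail formats are the documented ones, so the same check covers the Cloud Build and default Compute Engine accounts discussed in the other answers on this page.

```python
"""Audit a project IAM policy for the service-agent bindings a gcloud workflow needs.

Added example, not code from the original answer.  Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT --format=json`; everything below is constructed.
"""
import json

PROJECT_NUMBER = "123456789012"  # constructed; get yours with `gcloud projects describe ID --format="value(projectNumber)"`

# Constructed policy: the Cloud Asset agent only holds its role under a condition,
# and the default Compute Engine account has been deleted (note the `deleted:` form).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudasset.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-cloudasset.iam.gserviceaccount.com"],
     "condition": {"title": "expired", "expression": "request.time < timestamp(\\"2020-01-01T00:00:00Z\\")"}},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=1122334455"]}
  ],
  "etag": "BwXabc123=",
  "version": 3
}
""")

# Roles the answers on this page prescribe, keyed by agent name.
REQUIREMENTS = {
    "cloudasset": ["roles/cloudasset.serviceAgent"],
    "compute_default": ["roles/compute.admin"],
}


def service_agents(project_number: str) -> dict:
    """Google-managed identities are derived from the project *number*, not the ID."""
    return {
        "cloudasset": f"serviceAccount:service-{project_number}@gcp-sa-cloudasset.iam.gserviceaccount.com",
        "cloudbuild": f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com",
        "compute_default": f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com",
    }


def effective_roles(policy: dict, member: str) -> set:
    """Roles granted to `member` without a condition.

    Conditional bindings are deliberately not counted: whether they apply depends
    on the request (time, resource name, ...), so they cannot be relied on here.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def is_deleted(policy: dict, member: str) -> bool:
    """A deleted service account lingers as `deleted:serviceAccount:EMAIL?uid=ID`.

    Such bindings grant nothing; the account has to exist again before a new
    binding for its e-mail can succeed.
    """
    email = member.split(":", 1)[1]
    prefix = f"deleted:serviceAccount:{email}?uid="
    return any(m.startswith(prefix)
               for b in policy.get("bindings", []) for m in b.get("members", []))


def audit(policy: dict, project_number: str, requirements: dict) -> dict:
    """Map each required agent to the roles it is missing and whether it was deleted."""
    agents = service_agents(project_number)
    report = {}
    for agent, roles in requirements.items():
        member = agents[agent]
        report[member] = {
            "missing": sorted(set(roles) - effective_roles(policy, member)),
            "deleted": is_deleted(policy, member),
        }
    return report


def gcloud_fix(report: dict, project_id: str) -> list:
    """The project-level grants that would close the gaps (deleted principals are skipped)."""
    cmds = []
    for member, state in report.items():
        if state["deleted"]:
            continue
        for role in state["missing"]:
            cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                        f"--member='{member}' --role='{role}'")
    return cmds


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, PROJECT_NUMBER, REQUIREMENTS)
    print(json.dumps(report, indent=2))
    print("\n".join(gcloud_fix(report, "my-project")))
```

Run it against a real policy with python audit.py after replacing SAMPLE_POLICY by json.load(open("policy.json")); a principal reported as deleted needs to be recreated (or the project rebuilt, as one answer below did) rather than re-bound.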
Related
I am attempting to deploy a Cloud Run service from source from a GitLab CI pipeline. I can deploy it manually, with my own credentials, but am struggling to give the right credentials to the CI pipeline to get it to deploy.
These are the commands in my pipeline:
gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
gcloud run deploy api --source=./api/ --region=us-cental1
CLOUD_RUN_CREDENTIALS is a pipeline file variable that contains the key for a service account I have created for this purpose. The service account has the following roles:
Cloud Build Editor role
Artifact Registry Admin role
Storage Admin role
Cloud Run Admin role
Service Account User role
In the Cloud Build settings I have enabled Cloud Run Admin and Service Account User.
When I run this GitLab job, I get the following error:
$ gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
Activated service account credentials for: [XXXXXXXXXXX@XXXXXXXXXX.iam.gserviceaccount.com]
$ gcloud run deploy api --source=./api/ --region=us-cental1
ERROR: Error in retrieving repository from Artifact Registry.
ERROR: (gcloud.run.deploy) INVALID_ARGUMENT: Request contains an invalid argument.
Is this a permissions issue? What permissions do I need to give this service account to allow the deployment to succeed? If not, what am I doing wrong?
If you use the Build from Source feature, the Cloud Build service account is the one used to perform certain actions, like pulling and pushing images from Artifact Registry.
You have to grant the Cloud Build service account (the one called PROJECT_NUMBER@cloudbuild.gserviceaccount.com) the required permissions.
Go to IAM, look for the Cloud Build service account and grant it the permissions you listed above. That should solve the issue.
The service account used from GitLab doesn't need all these permissions; Cloud Run Admin should be enough.
I want to create image with packer build command but when I do that I face this error :
googlecompute: * The user does not have access to service account 'service-76100000418@compute-system.iam.gserviceaccount.com'. User: 'farzin-second-test-project@farzin-second-test-project.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
I have added the service account user role and compute admin and Compute Instance Admin (v1) to my service account.
Also I enabled the Compute API, but in my VirtualBox I used CentOS, and here I use this packer build, which does not work properly.
There I create one file with name credentials and put json key in there, and also I make my packer template, I should also say my template is validated.
Does anybody have any idea? The odd thing is it asks me to give this permission to the user, but it is still not working after adding that.
You have to enable all the following APIs on your GCP account:
gcloud services enable sourcerepo.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable storage-api.googleapis.com
Also make sure your service account has the proper permissions (and you are using a proper account):
CLOUD_BUILD_ACCOUNT=$(gcloud projects get-iam-policy $PROJECT --filter="(bindings.role:roles/cloudbuild.builds.builder)" --flatten="bindings[].members" --format="value(bindings.members[])")
gcloud projects add-iam-policy-binding $PROJECT \
--member $CLOUD_BUILD_ACCOUNT \
--role roles/editor
You may also have a look at the documentation : Building VM images using Packer and Create a Cloud Build image factory using Packer.
I am trying to create a cluster with GKE. I have a project I have been using already.
When I run
gcloud container clusters create cluster1
I get the following:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.
The same thing happens when I use the web UI. Both my service account and my user have owner roles.
I have tried the following to get the cluster create command to work:
I tried adding a policy binding for the project for my existing service account:
gcloud projects add-iam-policy-binding <my-project> \
--member serviceAccount:<my-user>@<my-project>.iam.gserviceaccount.com \
--role roles/compute.admin
I read enabling the container api service was required
gcloud services enable container.googleapis.com
Started over. I deleted the service account, created a new one and activated the creds with:
gcloud auth activate-service-account <my-user>@<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
I also tried authenticating with my account user:
gcloud auth login
None of these work and I can't create a cluster
I think I will answer my own question here. From the service account docs:
When you create a new Cloud project using GCP Console and if the Compute Engine API is enabled for your project, a Compute Engine service account is created for you by default. It is identifiable using the email:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
I had deleted the default created service accounts somehow and possibly the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate them, I decided it was best to just start a new project. Afterwards, the cluster create API and console work just fine.
Debug:
gcloud container subnets list-usable --project service-project --network-project shared-vpc-project
If you get warning in output:
WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED:
Google Compute Engine: Required 'compute.projects.get' permission for
'projects/shared-vpc-project'
It means your Google-managed GKE service account in the host project doesn't exist.
To solve it, go to the host project's APIs and enable the Kubernetes Engine API. If it's already enabled, disable it and enable it again.
I think you should set the Compute Engine service account permission (the member needs the serviceAccount: prefix):
gcloud projects add-iam-policy-binding <my-project> \
--member serviceAccount:[PROJECT_NUMBER]-compute@developer.gserviceaccount.com \
--role roles/compute.admin
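The three questions above each start from a different kind of 403 text: a missing permission on a named resource, a user not allowed to act as a service account, and (further down this page) a token with too few OAuth scopes. As an added example that is not part of any answer here, the script below triages such gcloud output into the principal, permission and resource involved and, for the service-account case, the least-privilege fix: roles/iam.serviceAccountUser bound on the target account itself rather than on the whole project. The three sample lines are constructed from the error formats shown on this page; the e-mail addresses in them are placeholders.

```python
"""Classify gcloud/Packer permission errors and point at the right fix.

Added example, not from the original answers.  The sample lines are constructed
copies of the error formats quoted on this page.
"""
import re

CMD_RE = re.compile(r"\((gcloud(?:\.[\w-]+)+)\)")
PERM_RE = re.compile(r"Required '([^']+)' permission for '([^']+)'")
SAU_RE = re.compile(r"does not have access to service account '([^']+)'\. User: '([^']+)'")

# Constructed samples (placeholders, not real projects).
SAMPLES = [
    "ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: "
    "Required 'compute.networks.get' permission for 'projects//global/networks/default'.",
    "googlecompute: * The user does not have access to service account "
    "'service-76100000418@compute-system.iam.gserviceaccount.com'. User: "
    "'builder@my-project.iam.gserviceaccount.com'. Ask a project owner to grant you the "
    "iam.serviceAccountUser role on the service account",
    "ERROR: (gcloud.projects.list) PERMISSION_DENIED: Request had insufficient authentication scopes.",
]


def member_string(principal: str) -> str:
    """IAM member syntax differs for service accounts and human users."""
    kind = "serviceAccount" if principal.endswith(".gserviceaccount.com") else "user"
    return f"{kind}:{principal}"


def triage(line: str) -> dict:
    """Return a dict with at least `kind` and `command` (the gcloud command, if named)."""
    result = {"kind": "other", "command": None}
    cmd = CMD_RE.search(line)
    if cmd:
        result["command"] = cmd.group(1)

    # Scope errors are about the OAuth token, not about IAM roles.
    if "insufficient authentication scopes" in line:
        result["kind"] = "insufficient_scopes"
        result["fix"] = ("widen the credential's OAuth scopes; for the metadata-server credential "
                         "on a GCE instance these are the instance's access scopes")
        return result

    # Acting as a service account needs roles/iam.serviceAccountUser on that account.
    sau = SAU_RE.search(line)
    if sau:
        target, actor = sau.groups()
        result.update(
            kind="service_account_user", target=target, actor=actor,
            fix=(f"gcloud iam service-accounts add-iam-policy-binding {target} "
                 f"--member='{member_string(actor)}' --role='roles/iam.serviceAccountUser'"),
        )
        return result

    # A named permission on a named resource: report both, and whether the
    # resource path even carries a project ID (an empty segment means it did not).
    perm = PERM_RE.search(line)
    if perm:
        permission, resource = perm.groups()
        proj = re.match(r"projects/([^/]*)", resource)
        result.update(kind="missing_permission", permission=permission, resource=resource,
                      resource_project=proj.group(1) if proj else None)
        if proj is not None and proj.group(1) == "":
            result["note"] = "resource path has an empty project segment"
        return result

    if "Permission denied" in line or "PERMISSION_DENIED" in line:
        result["kind"] = "permission_denied"
    return result


def triage_all(lines) -> list:
    return [triage(l) for l in lines]


if __name__ == "__main__":
    for r in triage_all(SAMPLES):
        print(r)
```

Feed it the stderr of a failing pipeline step; a missing_permission result tells you which IAM role to look for, while a service_account_user result gives the binding to add on the target account.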
I am trying to deploy node js app on google cloud but getting following error -
Step #1: ERROR: (gcloud.app.deploy) Permissions error fetching application [apps/mytest-240512]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
I am running following command -
gcloud builds submit . --config cloudbuild.yaml
My cloudbuild.yaml file looks like -
steps:
#install
- name: 'gcr.io/cloud-builders/npm'
args: ['install']
#deploy
- name: 'gcr.io/cloud-builders/gcloud'
args: ['app', 'deploy']
The default Cloud Build service account does not have access to deploy to App Engine. You need to enable the Cloud Build service account to perform actions such as deploy.
The Cloud Build service account is formatted like this:
[PROJECT_NUMBER]@cloudbuild.gserviceaccount.com
Go to the Google Cloud Console -> IAM & admin -> IAM.
Locate the service account and click the pencil icon.
Add the role "App Engine Deployer" to the service account.
Wait a couple of minutes for the service account to update globally and then try again.
I had this same error today and the way I resolve it was by running: $ gcloud auth login on the console.
This will open a new browser tab for you to login with the credentials that has access to the project you're trying to deploy.
I was able to deploy to gcloud after that.
PS: I'm not sure this is the best approach, but I'm leaving this as a possible solution as this is how I usually go around this problem. Worst case, I'll stand corrected and learn something new.
The most common way to deploy an app to App Engine is to use gcloud app deploy ....
When you use gcloud app deploy against App Engine Flex, the service uses Cloud Build.
It's entirely possible, and reasonable, to use Cloud Build to do your deployments too; it's just more involved.
I've not tried this but I think that, if you wish to use Cloud Build to perform the deployment, you will need to ensure that the Cloud Build service account has permissions to deploy to App Engine.
Here's an example of what you would need to do, specifically granting Cloud Build's service account the correct role.
Two commands can handle the perms needed (run in your terminal if you have gcloud sdk installed and authenticated or run in cloud shell for your project):
export PROJECT_ID=[[put your project id here]]
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
gcloud iam service-accounts add-iam-policy-binding ${PROJECT_ID}@appspot.gserviceaccount.com \
--member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT_ID}
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
--role=roles/appengine.appAdmin
I have a machine that needs to run the following gcloud command:
gcloud projects list --format=json
The output error that gives me:
ERROR: (gcloud.projects.list) PERMISSION_DENIED: Request had insufficient authentication scopes.
It's pretty obvious that the current configuration and account set for the machine do not have the permissions.
Funny that when I use gcloud compute instances list --project=<project_ID> --format=json it gives me a list of the machines in the project I specify.
I enabled the Google Resource Manager API
I even created some service account credentials and activated them in the machine. Still the same error.
In the SDK documentation there is no reference on how to enable credentials to see other projects
Anyone had this issue before? I saw outdated questions whose solutions didn't work out for me.
Edit
I should mention that the machine in question is a GCE instance and there is no way (unless I install manually the SDK, which is a mess I am not going to get into) to update the SDK.
Cloud API access scopes are set manually and there is no mention of the "Resource Manager", and I can't seem to add or remove any new API accesses.
According to this document, gcloud projects list shows all the active projects where the account has the Owner, Editor or Viewer project-level role. As long as the service account you activated in your instance has one of those roles in a GCP project, you should be able to run the command.
For example, from your cloud shell grant the viewer role to your service account:
gcloud projects add-iam-policy-binding <your_project_id> \
--member serviceAccount:<your_service_account> --role roles/viewer
Activate the service account in your instance using the json key file:
gcloud auth activate-service-account --key-file=/path/key.json
Run the projects list command:
gcloud projects list --format=json
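The error in this question says "insufficient authentication scopes", and the asker notes the instance's Cloud API access scopes cannot be changed from the console. As an added example that is not part of the answer above, the script below reads the output of gcloud compute instances describe NAME --zone ZONE --format=json, reports whether the attached service account's access scopes allow calls to the Resource Manager API, and builds the gcloud compute instances set-service-account command that widens them (the instance must be stopped for that command to succeed). Scopes only limit what the token may request; the account still needs a project-level role for each project to appear in the list, as the answer says. The instance document is constructed, with the scope set a default GCE instance receives.

```python
"""Check whether a GCE instance's access scopes permit `gcloud projects list`.

Added example, not code from the original answer.  Input is the JSON printed by
`gcloud compute instances describe NAME --zone ZONE --format=json`; the instance
below is constructed for the demo.
"""
import json

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# OAuth scopes the Resource Manager API accepts for reading project lists.
RESOURCE_MANAGER_SCOPES = {
    CLOUD_PLATFORM,
    "https://www.googleapis.com/auth/cloud-platform.read-only",
    "https://www.googleapis.com/auth/cloudplatformprojects",
    "https://www.googleapis.com/auth/cloudplatformprojects.readonly",
}

# Constructed instance with the default access scopes; none of them covers Resource Manager.
SAMPLE_INSTANCE = json.loads("""
{
  "name": "worker-1",
  "zone": "https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a",
  "serviceAccounts": [
    {
      "email": "123456789012-compute@developer.gserviceaccount.com",
      "scopes": [
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring.write",
        "https://www.googleapis.com/auth/servicecontrol",
        "https://www.googleapis.com/auth/service.management.readonly",
        "https://www.googleapis.com/auth/trace.append"
      ]
    }
  ]
}
""")


def attached_scopes(instance: dict) -> dict:
    """{service account e-mail: set of access scopes} for each attached account."""
    return {sa["email"]: set(sa.get("scopes", []))
            for sa in instance.get("serviceAccounts", [])}


def scope_check(instance: dict, accepted=RESOURCE_MANAGER_SCOPES):
    """(ok, email, scopes): ok is True when any attached scope is in `accepted`.

    An instance with no service account has no metadata-server credential at all,
    so every API call from it fails regardless of IAM roles.
    """
    accounts = attached_scopes(instance)
    if not accounts:
        return False, None, set()
    email, scopes = next(iter(accounts.items()))
    return bool(scopes & accepted), email, scopes


def fix_command(instance: dict):
    """gcloud command that swaps the scopes to cloud-platform, or None if not needed.

    Changing scopes requires the instance to be stopped first.
    """
    ok, email, _ = scope_check(instance)
    if ok:
        return None
    zone = instance["zone"].rsplit("/", 1)[-1]  # describe output gives the zone as a URL
    return (f"gcloud compute instances set-service-account {instance['name']} "
            f"--zone {zone} --service-account {email} --scopes {CLOUD_PLATFORM}")


if __name__ == "__main__":
    ok, email, scopes = scope_check(SAMPLE_INSTANCE)
    print(f"{email}: resource manager reachable = {ok}")
    print(fix_command(SAMPLE_INSTANCE))
```

A key-file credential activated with gcloud auth activate-service-account does not go through the instance's scopes, so if the error persists with a key file the remaining gap is the project-level role described in the answer above.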