Background:
I have a Shared VPC project called SharedVPC with a network network01 and a subnet serverless-subnet01: 10.200.12.0/28
The Shared VPC Project shares its networks and subnets with another project project1
Nothing else is using serverless-subnet01
All resources in both projects are in us-central1
I have the owner role in both projects
vpcaccess.googleapis.com is enabled in project1
The issue:
I want to create a Serverless VPC Access Connector in project1 using network01 and serverless-subnet01, but when trying to follow the documentation to create a connector, the following error occurs after clicking "create" with us-central1 as the region, network01 as the network, and serverless-subnet01 as the subnet:
Operation failed: VPC Access did not have permission to resolve the subnet or the provided subnet does not exist.
I have attempted to apply the troubleshooting steps in the documentation, with the following results:
There is no such account with a name like service-PROJECT_NUMBER#gcp-sa-vpcaccess.iam.gserviceaccount.com or the role of roles/vpcaccess.serviceAgent in either project1 or SharedVPC Edit: there is an account in SharedVPC with the name service-SharedVPC_PROJECT_NUMBER#gcp-sa-vpcaccess.iam.gserviceaccount.com, but it is only visible through gcloud commands and adding the appropriate roles to it does not fix the issue.
No network overlaps with serverless-subnet-01,
There are no firewall rules with a priority over 1000 that denies ingress
The solution was that there was a vpc access service account for project1, but it was only visible through gcloud commands rather than the console. This account needs the roles/vpcaccess.serviceAgent role in the shared vpc project in order to access the subnet.
Related
I am writing terraform file in GCP to create a shared vpc, GKE, compute engine in the service project of shared vpc.
I am facing an error for GKE saying error
403 permission error service.hostagent even though it has required permissions.
And also I am using service account key. Not sure whether it's correct approach like I created service account in host project and I added that service account id in the iam of service project. Using host project service key. Is that right approach?.
Thanks.
While creating a shared VPC, sharing the subnet from host project to service project allows all the members mentioned in the service account of the service project.
From the error message, it looks like IAM permissions are missing. While creating a shared VPC with GKE, make sure that you have following permissions:
To create a shared VPC, a shared VPC admin role is required(which you seemingly already have).
To share your subnets, you need to give users the Compute Network User role.
While creating GKE configuration, make sure to enable Google Kubernetes Engine API in all projects. Enabling the API in a project creates a GKE service account for the project.
When attaching a service project, enabling Kubernetes Engine access grants the service project's GKE service account the permissions to perform network management operations in the host project.
Each service project's GKE service account must have a binding for the Host Service Agent User role on the host project. This role is specifically used for shared VPC clusters which include the following permissions:
a) compute.firewalls.get
b) container.hostServiceAgent.*
For additional information, you can see here.
When trying to associate a VPC connector in a service project with a shared VPC subnet in another project (From the same organization) the following error appears:
Unknown error. Original error message: Operation failed: VPC Access did not have permission to resolve the subnet or the provided subnet does not exist.
We tried past what is acceptable for permission propagation as pointed in this other post: GCP Shared VPC : a subnet is not shared from host project to service project, we definitely waited more than 20min and the error persisted.
To create a Serverless VPC Access Connector using a Shared VPC first create the subnet in the Host Project of a Shared VPC with CIDR 28, there has to be a unique subnet for each Connector.
Then follow Googles Documentation Configuring the host project if using Shared VPC, specifically the following sections.
1. Create Firewall Rules
we have to also create firewall rules to allow requests from the following IP ranges to reach the connector and to be reached by the connector:
NAT ranges
107.178.230.64/26 and
35.199.224.0/19
Health check ranges
130.211.0.0/22,
35.191.0.0/16 and
108.170.220.0/23
2. Grant Permissions
Also for each service project that will use VPC Connectors, a Shared VPC Admin must grant the Compute Network User role (compute.networkUser) in the host project to the service project cloudservices and vpcaccess service accounts.
How to enable VPC access for AWS CodeBuild/Code Pipeline?
I am working on the Neptune database and it requires VPC to access. While building code inside AWS CodeBuild. My tests are failing because it's not able to access the Neptune database. How can I configure the pipeline to allow CodeBuild to access the VPC?
This AWS Documentation guide will help you to configure your Code Build Project with your VPC.
But I am sure, you must have gone through it. Please share the error as well.
Link
Select environments from your CodeBuild project settings and in the advanced setting section you can select VPC, subnet and security group for your project.
For Subnets, choose a private subnet that has routes to your db. If internet access required, NAT gateway must be attached in the route table of private subnet. CodeBuild only works with Nat not with public subnet for internet access.
Be sure you have enabled AWS IAM authentication on your Neptune database config. You then need to allow the role you are running CodeBuild under to access that Neptune database. you will then be able to access it. Assuming it is an IAM error, please post more information if this is not the case. You will need to ensure the role you run as has the correct permissions to query Neptune.
There are detailed documents here on how to do this.
You can assign a managed policy to your role the following are available
NeptuneReadOnlyAccess
NeptuneFullAccess
NuptuneConsoleFullAccess <-- not really applicable to a CI process.
I'm running a terraform .tf script to create aws_vpc_endpoint
Here is examply code
resource "aws_vpc_endpoint" "NewVPCEndpoint" {..}
However, upon invoking terraform apply, I am getting error
Error creating VPC Endpoint: UnauthorizedOperation: This operation does not support shared VPCs.
status code: 403
What reason exactly am I getting this error?
I have tried the same exact .tf script in a different VPC and it worked fine.
Is this a setting with the VPC itself? What setting might this be exactly?
With respect to the VPC and subnets, what are the prerequisite attributes/settings of the VPC/Subnets in order for
resource "aws_vpc_endpoint" "NewVPCEndpoint"
To succeed?
A VPC can be a Shared VPC at which point it won't support deploying a VPC Endpoint Service:
VPC sharing allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters, and AWS Lambda functions, into shared, centrally-managed Amazon Virtual Private Clouds (VPCs). In this model, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.
The fix is to deploy a separate VPC (not shared) and set up VPC peering with the shared VPC. Then you can deploy the VPC Endpoint Service within the non-shared peered VPC and access it from the shared VPC from all participating accounts.
Is there a way to share a specific subnet of a Shared VPC to a project?
Right now, when I share the subnets of a Shared VPC, I can only specify which subnets to share and which projects to share with and then all the shared subnets show up in each project.
I would like to share shared-subnet-1 to project-1 and shared-subnet-2 to project-2 but I don't want shared-subnet-1 to show up in project-2 and vice versa.
Shared VPC makes use of Identity and Access Management (IAM) roles for delegated administration access. With Project-level permissions and subnet-level permission, a shared VPC admin can grant permission to use the whole host project or just some/specific subnets, for details check this GCP documentation. Based on this, using a more granular IAM roles it is possible to grant access to specific resource(s) only.
Directions detail on how to modify the configuration of an existing host project, can be found in this article (step#7 VPC network sharing mode section). In addition to that the same GCP article also describes how to define an IAM role for:
Service Project Admins for all subnets
Service Project Admins for some subnets
Service Accounts as Service Project Admins