unable to create cloud composer 2 environment in GCP - google-cloud-platform

I've searched all over the documentation and Google without luck. I changed the IAM permissions and granted the 'Cloud Composer v2 API Service Agent Extension' role to the Compute Engine default service account. I'm getting the following error:
CREATE operation on this environment failed x minutes ago with the following error message:
Composer Backend timed out. Currently running tasks are [stage: CP_GKE_CLUSTER_CREATING
description: "GKE cluster creation requested."
response_timestamp {
seconds:x
nanos:x
}
],

Related

Permissions required to scale up environment composer 2?

I already have an environment running, but want to scale up the machine sizes. However, I keep getting a very similar error to this:
UPDATE operation on this environment failed 3 minutes ago with the
following error message:
Composer Backend timed out. Currently running tasks are [stage:
CP_COMPOSER_AGENT_RUNNING
description: "No agent response published."
response_timestamp {
seconds: 1618203503
nanos: 291000000
}
].
The GCP docs say that the service account doesn't have the required permissions. I also checked the required permissions in the docs. My personal account and the service account already have the role Environment and Storage Object Administrator. And the service account already has the role Cloud Composer v2 API Service Agent Extension. I don't understand which permission I am missing.
Service account that the composer uses has roles:
Cloud Composer v2 API Service Agent Extension
Editor
Environment and Storage Object Administrator
Service Account User
And my personal account has roles:
Editor
Environment and Storage Object Administrator
Service Account User
Storage Admin
Viewer

Unable to create Composer environment [GCP]

I am trying to create basic Composer environment:
image version: 1.17.8/2.1.4
using service account with composer.worker permission
my own user has project.owner permission
public ip
All my attempts failed with the following error:
Http error status code: 400
Http error message: BAD REQUEST
Errors in: [Web server]; Error messages:
The caller does not have permission
Required 'deploymentmanager.typeProviders.create' permission for 'projects/<my-project>/global/typeProviders/europe-west2-<name-id>-addons-gke-typer'
deploymentmanager.typeProviders.create is covered by Deployment Manager Type Editor, so I added this role to both my account and the service account, but the error remains the same.
Cloud Composer Service Agent account is present in the project without any modifications to its permissions.
Is there anything else I can check or something that I missed during the set up?
For an account (whether User Account or Service Account) to be able to create a Composer Environment, the account must have a composer.environments.create permission.
And according to Google Cloud's documentation on Cloud Composer Access Control,
The Composer Worker role provides the permissions necessary to run a Cloud Composer environment
VM and intended for service accounts.
The Composer Worker role is not intended for creation of environments thus, it does not have the composer.environments.create permission.
If you want your service account to be able to create a Composer environment, you will need to assign it the Composer Administrator role, which has the composer.environments.create permission needed.
You may refer to Access Control for Cloud Composer for the complete list of permission for Composer Worker, Composer Administrator and other Composer related roles.

How to fix Google cloud deployment error: xxxxx.cloudbuild-logs.googleusercontent.com"; builder service account does not have access to the bucket

I am deploying a simple golang demo project in GCP.
I have already enabled App Engine Admin and Compute Instance Admin.
app.yaml:
runtime: go116
After I ran gcloud app deploy, error shows:
ERROR: (gcloud.app.deploy) Error Response: [13] Failed to create cloud build: invalid bucket "xxxxx.cloudbuild-logs.googleusercontent.com"; builder service account does not have access to the bucket
com.google.net.rpc3.client.RpcClientException: <eye3 title='/ArgoAdminV1.CreateBuild, INVALID_ARGUMENT'/> APPLICATION_ERROR;google.devtools.cloudbuild.v1/ArgoAdminV1.CreateBuild;invalid bucket "803210166573.cloudbuild-logs.googleusercontent.com"; builder service account does not have access to the bucket;AppErrorCode=3;StartTimeMs=1639637376387;unknown;ResFormat=AUTOMATIC;ServerTimeSec=1.026818102;LogBytes=256;Non-FailFast;EndUserCredsRequested;EffSecLevel=none;ReqFormat=AUTOMATIC;ReqID=7d291fd45204c21b;GlobalID=0;Server=[2002:a17:512:234c:b0:42e:8669:5870]:4001.
How could I fix this error?
I managed to get this working by re-authenticating with gcloud auth login.
Odd, as it was working fine with a different project, but maybe that will fix it for you.

google cloud run Failed to trigger build: Permission 'cloudbuild.builds.create' denied

I am trying to setup a trigger to deploy a repository (synced from Bitbucket), to Cloud Run when master branch is pushed.
The trigger is giving me the following warning:
Failed to trigger build: Permission 'cloudbuild.builds.create' denied on resource
After looking through GCP documentation I tried adding the Cloud Build Editor role to the service account that runs the trigger (https://cloud.google.com/build/docs/iam-roles-permissions), but I am still getting the same error.
Is there something I am missing?
Build triggers use the Cloud Build service account to create a build. The error above indicates that the Cloud Build service account is missing the cloudbuild.builds.create IAM permission, which is required for the service account to run a build trigger.
According to GCP documentation:
You can resolve this error by granting the Cloud Build Service Account IAM role to your default Cloud Build service account (ex. [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com).
This also applies if you specified your own service account. It must have the Cloud Build Service Account role.
For instructions on granting this role, see Configuring access for Cloud Build service account.
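As an added example (not code from any of the posts above), here is a small offline Python helper for the two "missing permission" answers above, the Composer one (composer.environments.create) and the Cloud Build one (cloudbuild.builds.create). It evaluates a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints against a hand-built, abbreviated role-to-permission map, and reports which predefined role would supply the missing permission. The sample policy, the member names, the project placeholders and the role map are constructed assumptions for the example; the authoritative permission lists come from `gcloud iam roles describe roles/composer.admin` and the other role names used below.

```python
"""Find the missing permission behind "The caller does not have permission"
and "Permission 'cloudbuild.builds.create' denied" from a project IAM policy.

Input shape matches `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import copy
import json

# Abbreviated role -> permission map, hand-built for this example (assumption).
# Check the real lists with `gcloud iam roles describe roles/<name>`.
ROLE_PERMISSIONS = {
    "roles/composer.worker": {
        "logging.logEntries.create", "storage.objects.get", "storage.objects.create",
    },
    "roles/composer.admin": {
        "composer.environments.create", "composer.environments.delete",
        "composer.environments.get", "composer.environments.list",
        "composer.environments.update",
    },
    "roles/cloudbuild.builds.builder": {
        "cloudbuild.builds.create", "cloudbuild.builds.get",
        "cloudbuild.builds.list", "cloudbuild.builds.update",
        "logging.logEntries.create", "storage.objects.get", "storage.objects.create",
    },
}

# Constructed sample policy (assumption): a Composer worker SA plus a user who
# only holds Composer Admin through a conditional (expired) binding.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/composer.worker",
     "members": ["serviceAccount:composer-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/composer.admin",
     "members": ["user:admin@example.com"],
     "condition": {"title": "expired", "expression":
                   "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXabc123=",
  "version": 3
}
""")


def effective_permissions(policy, member):
    """Union of permissions from unconditional bindings that name `member`.

    Conditional bindings are returned separately: they need request context
    to evaluate. Group/domain expansion and inherited folder/org bindings
    are out of scope, so a "lacks" verdict here is a lower bound.
    """
    perms, conditional_roles, unknown_roles = set(), [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if "condition" in binding:
            conditional_roles.append(role)
        elif role not in ROLE_PERMISSIONS:
            unknown_roles.append(role)  # not in the local map: check with gcloud
        else:
            perms |= ROLE_PERMISSIONS[role]
    return perms, conditional_roles, unknown_roles


def has_permission(policy, member, permission):
    return permission in effective_permissions(policy, member)[0]


def roles_granting(permission):
    """Predefined roles in the local map that carry `permission`."""
    return sorted(r for r, p in ROLE_PERMISSIONS.items() if permission in p)


def grant(policy, member, role):
    """Return a copy of the policy with `member` added to an unconditional
    binding for `role` (the input policy is left untouched)."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def diagnose(policy, member, permission):
    """One-paragraph verdict naming the role that would fix a denial."""
    perms, cond, unknown = effective_permissions(policy, member)
    if permission in perms:
        return f"{member} has {permission}"
    lines = [f"{member} lacks {permission}; granted by: "
             f"{', '.join(roles_granting(permission)) or 'no role in local map'}"]
    if cond:
        lines.append(f"conditional bindings not evaluated: {', '.join(cond)}")
    if unknown:
        lines.append(f"roles missing from local map: {', '.join(unknown)}")
    return "\n".join(lines)


if __name__ == "__main__":
    sa = "serviceAccount:composer-sa@my-project.iam.gserviceaccount.com"
    print(diagnose(SAMPLE_POLICY, sa, "composer.environments.create"))
    print(diagnose(grant(SAMPLE_POLICY, sa, "roles/composer.admin"), sa,
                   "composer.environments.create"))
    cb = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
    print(diagnose(grant(SAMPLE_POLICY, cb, "roles/cloudbuild.builds.builder"),
                   cb, "cloudbuild.builds.create"))
```

Run it as-is to see the three verdicts, or replace SAMPLE_POLICY with the real output of `gcloud projects get-iam-policy`. The helper deliberately does not count conditional bindings or roles it does not know about as grants, so when it reports that a principal lacks a permission, the next step is to confirm with `gcloud iam roles describe` rather than to assume the map is complete.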

GCP: Compute Engine Default Service Account missing

I tried to deploy an OpenVPN Access Server to Google Compute Engines and received the following error message:
openvpn-access-server-1-vm: {"ResourceType":"compute.v1.instance","ResourceErrorCode":"EXTERNAL_RESOURCE_NOT_FOUND","ResourceErrorMessage":"The resource 'PROJECT_ID-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found."}
PROJECT_ID is just a placeholder for my own PROJECT_ID.
In the Cloud Console, I can't find the "compute engine default service account" (I think I accidentally deleted it last year). In the log files from 2020, I found its ACCOUNT_ID, so I tried to undelete it with the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
I had no success, I received:
ERROR: (gcloud.beta.iam.service-accounts.undelete) NOT_FOUND: Not found; Not found AccountDataType for <numeric_id>
<numeric_id> was a 12-digit number.
I tried to disable and enable the Compute Engine service to restore the default service account, but it wasn't successful; I received:
response:
'#type': type.googleapis.com/google.iam.admin.v1.ServiceAccount
serviceName: iam.googleapis.com
status:
code: 6
message: ALREADY_EXISTS
receiveTimestamp: '2021-08-05T06:45:55.798772716Z'
Because of this error, I tried to delete it, but this didn't work either.
Now I don't know what to do, to get the default service account back.
Is it still existing or not?
Why isn't it working?
Keep in mind, I'm talking about PROJECT_ID-compute@developer.gserviceaccount.com.
service-PROJECT_ID@compute-system.iam.gserviceaccount.com exists and is recreated each time I disable and enable the Compute Engine API again.
Thanks for helping.
Since the Service Account was deleted a year ago, it cannot be undeleted using the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
This only works for Service Accounts deleted fewer than 30 days ago. See Undeleting a service account for more information.
Instead, we can create a new Service Account and grant an 'Editor' role to it, as the default Compute Engine Service Account has the same role by default. See Compute Engine default service account for more information.
Now, we can create a new Compute Engine VM using the new Service Account. See Setting up a new instance to run as a service account for more information.
If we already have a running VM and the Service Account got deleted, as @John Hanley suggested, we can edit the VM instance in the Google Cloud Console and assign the new Service Account to the instance. See Changing the service account and access scopes for an instance for more information.
To set the new Service Account as the Compute Engine Default Service Account on the project, we can use the following command,
gcloud alpha compute project-info set-default-service-account
But since the command is in the ‘alpha’ launch stage, it is not available for everyone.
Another workaround would be creating a new project and deploying our instance there.