Similar question: Error on Google Function deploy, service account doesn't exist but I didn't delete anything so no answer applies to me
I am following the guide https://cloud.google.com/python/django/flexible-environment
in the step https://cloud.google.com/python/django/flexible-environment#store-secret-values-in-secret-manager "Configure access to the secret".
However, by looking into the IAM page (with "Include Google-provided role grants" enabled),
I discovered that the service account PROJECT_ID@appspot.gserviceaccount.com doesn't exist.
How do I restore this default account? Even if I start a new project, this default account is still not there.
I have tried to initialize a Compute Engine instance; its service account is in the format projectID-compute@developer.gserviceaccount.com, not PROJECT_ID@appspot.gserviceaccount.com.
It turns out that the project needs to have an App Engine app created in order for that service account to be created.
I am trying to add a service account to my cloud run service. However, there is a message that "No service account with required permissions available."
I'm not sure if this is related to my user's credentials, or something else. This project has the default compute service account, as well as additional service accounts.
I can't find anything related in the documentation regarding this.
Would appreciate any insight you have on this issue!
Yes, I think that's probably (!?) what's occurring.
I assume that you're using Cloud Console and trying to Create a Cloud Run service.
I was able to add a minimally-roled user to an existing project and, when trying to create a Cloud Run service, I observe the same behavior that you're seeing.
How do you know that the project contains service accounts? I assume that your permissions are similarly restricted in enumerating these.
The permissions required to set a service account are described here. You need service account user permissions on the project or specific service account in order to set it on a deploy.
I've deleted the default service account and it has been longer than 30 days. I don't know if it applies to all marketplace solutions, but the one that I want to use can't be launched without the compute engine default service account.
What are the IAM permissions I need to set to create a service account that has the same permissions as the compute engine default service account to launch VM from marketplace?
I tried Compute Admin, compute.imageUser and Compute Instance Admin, but to no avail.
In addition to that, why does the marketplace solution require the default service account when it is recommended to disable/remove the default compute engine service account because of the editor role?
What is the compute engine default service account?
By default, the account is automatically granted the project editor role on the project and is listed in the IAM section of Cloud Console. This service account is only deleted when the project is deleted. However, you can change the roles granted to this account, including revoking all access to your project.
Documentation
You can undelete a service account only if it was deleted fewer than 30 days ago.
Instead of that, we can create a new service account and grant an ‘Editor’ role to it, as a default compute engine service account has the same role by default. Refer to Compute Engine default service account for more information.
To set the service account as the compute engine default service account on the project, we can use the following command:
gcloud alpha compute project-info set-default-service-account
But since the command is in the ‘alpha’ launch stage, it is not available for everyone.
I could suggest the following options:
Create a new project.
Request an Alpha feature that allows setting a new service account as the compute engine default service account.
If you have questions regarding an Alpha release or participation in an Alpha program, please reach out to sales. In this case a sales team needs to approve it.
We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed or if anyone has seen this previously?
Does it not exist, or do you not see it?
I'm pretty sure that it exists, but without any role granted on it, so you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!
When I try to create a job in the GCP Cloud Scheduler I get this error:
{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}
When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.
I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.
Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?
Many thanks.
Ben
Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.
You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.
Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OIDC tokens.
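The three GCP threads above (the App Engine default account that only exists once an App Engine app does, the Pub/Sub service agent that is invisible until it holds a binding, and the Cloud Scheduler actAs error) all come down to two questions: what are the Google-managed account emails for a project, and does a principal hold iam.serviceAccounts.actAs on a given service account. The following is an added example, not code from any of the posters: it derives the documented email patterns and evaluates IAM policy JSON of the shape `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` return. The project id, project number, principals and policy documents are constructed sample data; custom roles and folder/organization-level bindings are deliberately out of scope.

```python
"""Derive the Google-managed service account emails a project gets and
evaluate IAM policy JSON (the shape returned by
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`).
All policy documents here are constructed sample data."""
import copy

# Email patterns documented by Google; PROJECT_NUMBER is the numeric project id.
MANAGED_ACCOUNT_PATTERNS = {
    "appengine_default": "{project_id}@appspot.gserviceaccount.com",
    "compute_default": "{project_number}-compute@developer.gserviceaccount.com",
    "pubsub_service_agent": "service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com",
    "scheduler_service_agent": "service-{project_number}@gcp-sa-cloudscheduler.iam.gserviceaccount.com",
}

# Roles whose permission list contains iam.serviceAccounts.actAs. Custom roles
# and folder/organization-level bindings are out of scope for this example.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/editor", "roles/owner"}


def managed_accounts(project_id, project_number):
    """Well-known Google-managed account emails for a project. The App Engine
    default account only exists once an App Engine app has been created."""
    return {name: pat.format(project_id=project_id, project_number=project_number)
            for name, pat in MANAGED_ACCOUNT_PATTERNS.items()}


def roles_for(policy, member):
    """Roles bound to `member` ('user:...' / 'serviceAccount:...') in one policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def visible_in_iam_page(project_policy, email):
    """The Console IAM page lists principals holding a binding on the project;
    a service agent with no binding exists but is simply not shown."""
    return bool(roles_for(project_policy, "serviceAccount:" + email))


def grant(policy, role, member):
    """Copy of `policy` with `member` added to `role`, i.e. what
    `gcloud ... add-iam-policy-binding --role ROLE --member MEMBER` does."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def can_act_as(project_policy, sa_policy, member):
    """iam.serviceAccounts.actAs is satisfied by a binding on the service
    account itself or one inherited from the project. This is the check
    behind the Cloud Scheduler and Cloud Run errors in the threads above."""
    held = roles_for(project_policy, member) | roles_for(sa_policy, member)
    return bool(held & ACT_AS_ROLES)


# Constructed sample project: an Owner, a minimally-roled developer, and the
# Compute Engine default account with its default Editor grant.
PROJECT_ID, PROJECT_NUMBER = "my-project", "123456789012"
ACCOUNTS = managed_accounts(PROJECT_ID, PROJECT_NUMBER)
PROJECT_POLICY = {
    "version": 1, "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:ben@example.com"]},
        {"role": "roles/run.developer", "members": ["user:dev@example.com"]},
        {"role": "roles/editor", "members": ["serviceAccount:" + ACCOUNTS["compute_default"]]},
    ],
}
# The user-created account for --oidc-service-account-email, not the
# Google-managed Cloud Scheduler service agent; it has no bindings yet.
JOB_SA = f"scheduler-invoker@{PROJECT_ID}.iam.gserviceaccount.com"
JOB_SA_POLICY = {"version": 1, "etag": "BwConstructedEtag2=", "bindings": []}


def pubsub_push_fix(project_policy):
    """Authenticated Pub/Sub push: grant the Pub/Sub service agent Service
    Account Token Creator on the project; the agent then appears in IAM."""
    return grant(project_policy, "roles/iam.serviceAccountTokenCreator",
                 "serviceAccount:" + ACCOUNTS["pubsub_service_agent"])


def scheduler_fix(sa_policy, member):
    """Least-privilege actAs: Service Account User on just the job's SA."""
    return grant(sa_policy, "roles/iam.serviceAccountUser", member)


if __name__ == "__main__":
    agent = ACCOUNTS["pubsub_service_agent"]
    print("Pub/Sub agent on IAM page:", visible_in_iam_page(PROJECT_POLICY, agent))
    print("  after Token Creator grant:", visible_in_iam_page(pubsub_push_fix(PROJECT_POLICY), agent))
    for who in ("user:ben@example.com", "user:dev@example.com"):
        print(who, "can actAs", JOB_SA + ":", can_act_as(PROJECT_POLICY, JOB_SA_POLICY, who))
    fixed = scheduler_fix(JOB_SA_POLICY, "user:dev@example.com")
    print("  dev after SA-level Service Account User:", can_act_as(PROJECT_POLICY, fixed, "user:dev@example.com"))
```

Run against real output by loading the two `gcloud ... get-iam-policy --format=json` documents with `json.load` and passing them in place of the constructed dictionaries. The split between `PROJECT_POLICY` and `JOB_SA_POLICY` is the point of the Cloud Scheduler answer: `grant` on the service account's own policy gives a minimally-roled principal actAs on that one account without handing out project-wide Service Account User, and the Google-managed scheduler agent never appears in either policy because it is not the account the job should run as.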
I am a user in a group with an attached policy of AdministratorAccess. Despite this, when I attempt to delete an AWS Mobile Hub project, I get the following:
Failed to delete project.
It looks like you do not have permission for this operation.
Then links me to the following page: https://docs.aws.amazon.com/aws-mobile/latest/developerguide/reference-mobile-hub-iam-managed-policies.html
At this time Mobile Hub requires a service role to perform operations in your AWS account, including deleting project resources. You can create the service role at the following link:
https://console.aws.amazon.com/mobilehub/home?#/activaterole/
We are planning on removing the service role in the future so Mobile Hub will use your account permissions to perform actions in your account. Once this change takes effect you will no longer need to have the service role in your account and administrator user permission will work without issue. You can find more information about this change here:
https://docs.aws.amazon.com/aws-mobile/latest/developerguide/reference-mobile-hub-project-permissions-model.html
Sincerely,
Dan G
AWS Mobile Developer Experience