I want to run my google cloud server everyday on specific times. I set up an instance schedule for that but when i try to link my vm to the schedule it gives me the following error:
Compute Engine System service account service-390738840624#compute-system.iam.gserviceaccount.com needs to have [compute.instances.start] permissions applied in order to perform this operation.
Does anyone know how to solve this?
The service account service-390738840624#compute-system.iam.gserviceaccount.com does not have a role with the permission compute.instances.start.
The following IAM roles have the required permission:
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
The following command will add the first role to the service account:
Replace $PROJECT_ID with your Project ID (not the project name).
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:service-390738840624#compute-system.iam.gserviceaccount.com \
--role roles/compute.instanceAdmin
Your account for which you are running the command, must have the privilege to grant/modify IAM roles on a service account. If you do not have the correct permissions, you will need to ask the Project Owner or Editor to perform this for you.
The CLI answer works but in case you dont use terminal here are the steps directly on the platform:
go to IAM
on the right side of the screen select "Include Google-provided role grants"
Find Principal that contain text "compute-system.iam.gserviceaccount.com"
edit (with little pen on the right)
from the popup shown select "+Add another role", select role "Compute Instance Admin" (can show beta or v1 in the brackets)
this fixed my issue
In order to complete the task, GCP is asking you to give the service account “service-390738840624#compute-system.iam.gserviceaccount.com” access to use “compute.instances.start” but the service account doesn't have the right permissions to execute the task.
When you set up an instance to run as a service account, you determine
the level of access the service account has by the IAM roles that you
grant to the service account. If the service account has no IAM roles,
then no API methods can be run by the service account on that
instance.
To grant, change, and revoke access to a single service account, please refer to this guide.
Be aware that to manage access to a service account, you need a role that includes the following permissions:
*iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy*
If you want to know which are the permission included in your account, please refer to this guide.
If you don't have the appropriate access to grant permissions, please refer to your system administrator.
To know more about compute engine roles and permissions, please follow this link.
If you wish to know more about services accounts, please follow this link.
To know more about the process of scheduling compute instances with Google Scheduler, please follow this link.
Related
Background
By default, Cloud Run uses the Compute Engine default service account which grants a broad range of permissions which are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
Create a role with the desired set of permissions (using gcloud iam roles create)
Create a service account (using gcloud iam service-accounts create)
Bind the role permissions to the service account.
Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three way binding between an user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition of user managed service account, but it's not mandatory. You can also create a user managed service account and bind it with predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path for the role
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>
I'm trying to create a data source in terraform to get information about a Google billing account.
data "google_billing_account" "ac" {
display_name = "foo-Billing"
open = true
}
But terraform throws the error Error: Billing account not found: foo-Billing which looks like my service account lacks the required permissions to do this, as the billing account definitely exists.
I'm able to run this command
gcloud projects add-iam-policy-binding main1-project --member=serviceAccount:$ID --role=roles/ROLE_NAME
which works fine with just about any other role binging except that of billing.admin which throws the error
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role (roles/billing.admin) does not exist in the resource's hierarchy.
I'm faily new to GCP so I"m not sure how to go about fixing this.
Is there a way to grant billing.admin permissions to a service account from the command line?
Maybe another API to call or something.
I'm able to grant the permission from the UI which then makes my terraform command work, but I would like to be able grant it from the command line.
You're getting this error because you're trying to assign the billing admin role from the project level but it can only be done at the organization level.
If you have an organization, then the same command should work with a slight tweak.
gcloud organizations add-iam-policy-binding ORGANIZATION --member=serviceAccount:$ID --role=roles/billing.admin
You should be able to get a list of your organizations using
gcloud organizations list
If you don't have any, then just create one.
You'll just need a Gsuite or Cloud Identity account.
Trying to use OS-login from my account, which has the owner role and compute os login admin role to connect to an instance with enable-oslogin TRUE. This used to work well (maybe a week or more ago), but lately it has been giving me this error.
This is within the same organization, same project. So not sure where the error is coming from.
Did GCP change their OS-Login feature? I am unable to find anything in the release notes.
gcloud compute ssh instance
ERROR: (gcloud.compute.ssh) User [user] does not have permission to access user [user:importSshPublicKey] (or it may not exist): Insufficient IAM permissions. The instance belongs to an external organization. You must be granted the roles/compute.osLoginExternalUser IAM role on the external organization to configure POSIX account information.
The GCP message is saying that you are running the gcloud tool with a credential that don’t belongs to the same organization from the project.
Try to run “gcloud auth list” to validate the authenticated user.
If the user is incorrectly select run the gcloud config command to change the logged user or gcloud auth login to log with the proper credentials.
I wish that this can help you,
Eduardo Ruela
I am trying to create a Kubernetes cluster in Google Cloud Platform and I receive the following error when I try to create the cluster from the Web app:
An unknown error has occurred in Compute Engine: "EXTERNAL: Google
Compute Engine: Required 'compute.zones.get' permission for
'projects/my-project-198766/zones/us-west1-a'". Error code: "18"
When I use gcloud I receive this response:
(gcloud.container.clusters.create) ResponseError: code=403,
message=Google Compute Engine: Required 'compute.zones.get' permission
for 'projects/my-project-198766/zones/us-west1-a'
Please note that I have the Owner role and I can create VM instances without any issues.
Any ideas?
This sort of issue might arise if somehow your cloudservices robot gets removed as a project editor. My best guess is that in your case this is the issue.
This might happen due to API call which has SetIamPolicy that is missing cloudservices robot from the "roles/editor" bindings. SetIamPolicy is a straight PUT, it will override with whatever policy is provided in the request. You can get the list of IAM policies for your project with below command as given in this article.
gcloud projects get-iam-policy [project-id]
From the list, you can check whether below service account has the editor permission or not.
[id]#cloudservices.gserviceaccount.com
To fix the issue, you can grant the mentioned service account "Editor" permission and check whether that solves the issue or not.
Hope this helps.
in my case I deleted the service accounts / IAM's or whatever and that very same error message popped up, when I tried to create a kubernetes cluster.
I asked Google to recreate my service accounts, and they mentioned that you can recreate service accounts and their permissions simply by enabling them again. So, in my case I ran the following two commands in order to make kubernetes work again:
gcloud services enable compute
gcloud services enable container
Here is the link they gave me:
https://issuetracker.google.com/64671745#comment2
I think I got it. I tried to follow the advice from GitHub. The permissions I needed to set on my account (called blahblah-compute#developer.gserviceaccount.com) were:
roles/compute.instanceAdmin
roles/editor
roles/iam.serviceAccountUser
The last one seemed to be crucial.
For me recreating the service account with a new name from the console fixed the issue. I have only given the "Editor" role to the service account
I had accidently deleted the compute-service account. I had to follow all the steps mentioned above ie.
undelete the compute-service account
add the permission back to the service account - editor, serviceaccountuser, computeinstanceAdmin
Enable again compute and container services. Although these were not disabled, running gcloud services enable compute container, created some default service accounts for the compute robot such as service-#compute-system.iam.gserviceaccount.com and service-#container-engine-robot.iam.gserviceaccount.com
Hope this helps
As indicated by #Taher, that's most likely due to missing permissions for Google managed service accounts. If after checking the IAM policies for your project with gcloud projects get-iam-policy [project-id] you do not see the permissions listed, then you can add the required permissions by running the following:
project_id=[your-project-id]
project_number=$(gcloud projects describe $project_id --format='value(projectNumber)')
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#compute-system.iam.gserviceaccount.com" \
--role="roles/compute.serviceAgent"
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#container-engine-robot.iam.gserviceaccount.com" \
--role="roles/container.serviceAgent"
The full list of Google managed service accounts (service agents) is available here.
I have a service account that I want to be able to 'act as' (in AWS it's called 'assume'). My service account called 'bucket-viewer-service-account' is shown below in my project:
$ gcloud projects get-iam-policy myproject
bindings:
- members:
- serviceAccount:123456789012-compute#developer.gserviceaccount.com
role: roles/editor
- members:
- user:me#myemail.com
role: roles/owner
- members:
- serviceAccount:bucket-viewer-service-account#myproject.iam.gserviceaccount.com
role: roles/storage.objectViewer
etag: BwVOE_CkjAo=
version: 1
I want to grant another user the ability to 'act as' this service account and I have applied the following, but not getting very far:
$ gcloud iam service-accounts add-iam-policy-binding \
bucket-viewer-service-account#myproject.iam.gserviceaccount.com \
--member='user:test.gcp1#myemail.com' --role='roles/iam.serviceAccountActor'
bindings:
- members:
- user:user:test.gcp1#myemail.com
role: roles/iam.serviceAccountActor
etag: BwVOFAhEVqY=
Is that all I have to do so that the user test.gcp1#myemail.com (once they're logged in) can access the resources available to the service account? Or is there another step required for the user to 'assume' the service account?
I've looked through the many pages of documentation Understanding Service Accounts for starters, but most seem to be thinking in terms of applications using service accounts, where the docs definitely mention users, groups etc can use service accounts to.
The iam.serviceAccountActor role gives users the ability to create and manage compute engine instances that use a service account.
I could be misunderstanding something, but if you want to give someone permission to directly act as a service account, the most straightforward way would probably be to create a private key file for the service account that represents that particular user acting as that service account, and then giving them that private key file.
Giving a user the Service Account Actor role does not give access transitively, like you're suggesting. Instead, it allows a user to "use" the service account to start long-running jobs (e.g. creating a compute engine instance) that have that service account as an identity.
iam.serviceAccountActor role deprecated, you need to use Service Account User role
See More details
Apparently, the test.gcp1#myemail.com will not be able to get the privileges this way when you're running commands from your Terminal. A straightforward solution to this problem is to create and use Keys (similar to "Access Keys" in AWS). The following steps describe how you can achieve this:
Create "Keys" for your service account:
gcloud iam service-accounts keys create KEY-FILE-NAME.json --iam-account=SA-NAME#PROJECT-ID.iam.gserviceaccount.com
Load the "Keys" in your terminal by adding the following environment variable (in .bashrc or equivalent file for your OS):
export GOOGLE_APPLICATION_CREDENTIALS="/file-location/KEY-FILE-NAME.json"
Open a new terminal (or source your environment variable file) and execute CLI commands which will now be executed as your service account.
PS: Do note that the creation of "Keys" poses a considerable risk to the security of your cloud account. Ensure that the service account has minimum GCP Roles (i.e. privileges/policies) added and make sure to delete the keys when they are no longer required.