Can't create Cloud Composer environment on GCP - google-cloud-platform

I'm trying to create a Cloud Composer environment to run Airflow on GCP. However, I keep getting this error:
CREATE operation on this environment failed x minutes ago with the following error message:
Composer Backend timed out. Currently running tasks are [stage: CP_COMPOSER_AGENT_RUNNING
description: "No agent response published."
response_timestamp {
seconds: 1631717057
nanos: 229000000
}
].
Does anybody know how to solve it?

This is a known insufficient permission issue:
When creating a Cloud Composer environment, you specify a service account that runs the environment's GKE nodes. If this service account does not have enough permissions for the requested operation, Cloud Composer outputs that same error message.
The solution is to assign roles both to your account and to the service account of your environment, as described in Access control.
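One way to check the point made in this answer before retrying the CREATE operation, as an added example that is not part of the original answer: it compares a project IAM policy against the roles the user and the environment's service account are expected to hold, and also reports bindings left behind by deleted principals. The principals and the sample policy are constructed placeholders, and the required role names are an assumption taken from Cloud Composer's access control documentation.

```python
import json

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/composer.environmentAndStorageObjectAdmin",
   "members": ["user:alice@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:composer-env@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/composer.worker",
   "members": ["deleted:serviceAccount:old-env@example-project.iam.gserviceaccount.com?uid=1234567890"]}
]}
""")

# Assumed requirement set: placeholder principals, role names taken from
# Cloud Composer's access control documentation. Adjust to your setup.
REQUIRED = {
    "user:alice@example.com": {
        "roles/composer.environmentAndStorageObjectAdmin",
        "roles/iam.serviceAccountUser",
    },
    "serviceAccount:composer-env@example-project.iam.gserviceaccount.com": {
        "roles/composer.worker",
    },
}

def all_members(policy):
    """Yield (role, member) for every binding in the policy."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield binding["role"], member

def missing_roles(policy, required):
    """Return {member: [roles it still lacks]} using exact role-name matches."""
    granted = {}
    for role, member in all_members(policy):
        if not member.startswith("deleted:"):  # stale binding, grants nothing
            granted.setdefault(member, set()).add(role)
    gaps = {m: sorted(r - granted.get(m, set())) for m, r in required.items()}
    return {m: g for m, g in gaps.items() if g}

def deleted_members(policy):
    """Bindings that still name a deleted principal (`deleted:` prefix)."""
    return sorted({m for _, m in all_members(policy) if m.startswith("deleted:")})

if __name__ == "__main__":
    for member, roles in missing_roles(SAMPLE_POLICY, REQUIRED).items():
        print(f"{member} lacks {', '.join(roles)}")
    for member in deleted_members(SAMPLE_POLICY):
        print(f"stale binding: {member}")
```

Only the project-level policy is inspected here; grants inherited from a folder or organization, made through a group, or set on the service account resource itself are not visible to this check.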

Related

Why can Cloud Composer 2 not connect to Redis during environment generation?

I have tried multiple times to create a new Cloud Composer 2 environment. While creating a Cloud Composer 1 environment worked completely fine, this keeps on failing. From what I can see in the logs it appears that airflow-worker cannot connect to Redis. I already made sure the Cloud Composer service account has sufficient rights. What else could be the cause of this?

GKE: Google Compute Engine: Required 'compute.networks.get' but permissions are there?

When attempting to create a GKE cluster via gcloud, web console, or Pulumi I'm receiving the error: Google Compute Engine: Required 'compute.networks.get'.
The permissions for this account are Owner, Editor, and Compute Admin. Testing for compute.networks.get using the troubleshooter also shows that it is good.
Not sure why this is happening. It seemed to have been working fine the day before.
Thanks in advance.
Edit:
I can also run gcloud compute regions describe us-east1 --project=myproj as well as the list command without issue so something is not adding up.
Edit 2:
Full error is:
googleapi: Error 403: Retry budget exhausted (5 attempts): Google Compute Engine: Required 'compute.regions.get' permission for 'projects/myproj/regions/us-central1'., forbidden
Looks like a service account was deleted and disabling/enabling the service fixed the issue.
https://serverfault.com/questions/1054198/gke-google-compute-engine-required-compute-networks-get-but-permissions-are

Cloud Run error: Internal system error. Missing necessary permission

I cannot seem to deploy/run any Google Cloud Run services.
I have attempted this from multiple accounts (with billing on all accounts and projects), created fresh projects in each account, added every permission I could find to try to get around this.
I've built my own container based on the Hello World example from here: https://cloud.google.com/run/docs/quickstarts/build-and-deploy
Trying to deploy:
helloworld-csharp>gcloud run deploy --image gcr.io/[Project ID]/helloworld --platform managed
Service name (helloworld):
Deploying container to Cloud Run service [helloworld] in project [Project ID] region [us-west1]
Deploying...
Creating Revision... Cloud Run error: Internal system error. Missing necessary permission for service-[ID]@serverless-robot-prod.iam.gserviceaccount.com on resource [Project ID]. Please visit https://cloud.google.com/run/docs/troubleshooting for in-depth troubleshooting documentation....failed
Deployment failed
ERROR: (gcloud.run.deploy) Cloud Run error: Internal system error. Missing necessary permission for service-[ID]@serverless-robot-prod.iam.gserviceaccount.com on resource [Project ID]. Please visit https://cloud.google.com/run/docs/troubleshooting for in-depth troubleshooting documentation.
Trying to deploy the simple 'hello' example here from the web console leaves me with the same error:
Cloud Run error: Internal system error. Missing necessary permission for service-[ID]@serverless-robot-prod.iam.gserviceaccount.com on resource [Project ID]. Please visit https(...)cloud.google.com/run/docs/troubleshooting for in-depth troubleshooting documentation.
I have the following users in the project, as they were auto-setup and configured when I enabled the API:
[ID]-compute@developer.gserviceaccount.com Compute Engine default service account
[ID]@cloudbuild.gserviceaccount.com Cloud Build Service Account
[ID]@cloudservices.gserviceaccount.com Google APIs Service Agent
service-[ID]@compute-system.iam.gserviceaccount.com Compute Engine Service Agent
service-[ID]@gcp-sa-cloudbuild.iam.gserviceaccount.com Cloud Build Service Account
service-[ID]@serverless-robot-prod.iam.gserviceaccount.com Google Cloud Run Service Agent
Yes, it seems it was indeed a Google issue, I didn't change anything, just went back to the console and I can start all my test containers without any issue now...

Unable to deploy to Google Cloud Run - missing necessary permissions

I'm trying to deploy a new revision of a container running on managed Google Cloud Run.
When I try to update the container I get the following message:
Cloud Run error: Internal system error. Missing necessary permission for xxxxxxxxxx@serverless-robot-prod.iam.gserviceaccount.com on resource <resource-id>
For other Cloud Run services everything works fine, I'm able to release an update.
What can be happening in this specific case?

Service Account does not exist on GCP

While trying for the first time to use the Google Kubernetes Cloud solution, and according to the tutorial... I am trying to create a new cluster.
But after pressing Create I receive
The request contains invalid arguments: "EXTERNAL: service account
"****@developer.gserviceaccount.com" does not exist.". Error code: "7"
in a red circle near the Kubernetes cluster name.
After some investigation, it looks like the default service account which Google generated for my account.
I've looked over the create cluster options, but there isn't any option to change the service account.
Do I need to change the Google Compute Engine default service account? How can I do it?
How can I overcome this issue?
Thank you
The default Compute Engine service account is essential for functions related to Compute Engine and is generated automatically. Kubernetes Engine utilizes Compute Engine VM instances as nodes for the cluster. GKE uses the Compute Engine service account to authorize the creation of these nodes.
In order to regenerate the default service account there are two options:
1. Regenerate it by disabling and re-enabling the Google Compute Engine API in the "APIs & Services" dashboard. If for some reason you encounter errors when disabling the API, then try option 2.
2. Run the command gcloud services enable compute.googleapis.com in Cloud SDK or Cloud Shell, which is in the header of the page.
Looks like you either do not have any default service account or have more than one.
Simply go to the "Service Accounts" section of "IAM & Admin", select the App Engine default service account, and provide it as an argument while creating the cluster from gcloud or gshell as below:
gcloud container clusters create my-cluster --zone=us-west1-b --machine-type=n1-standard-1 --disk-size=100 --service-account=abc@appspot.gserviceaccount.com
To initialize GKE, go to the GCP Console. Wait for the "Kubernetes Engine is getting ready. This may take a minute or more" message to disappear.
Please open the page and wait for a while