GCP: Compute Engine Default Service Account missing - google-cloud-platform

I tried to deploy an OpenVPN Access Server to Google Compute Engine and received the following error message:
openvpn-access-server-1-vm: {"ResourceType":"compute.v1.instance","ResourceErrorCode":"EXTERNAL_RESOURCE_NOT_FOUND","ResourceErrorMessage":"The resource 'PROJECT_ID-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found."}
PROJECT_ID is just a placeholder for my own PROJECT_ID.
In the cloud console, I can't find the "compute engine default service account" (I think I accidentally deleted it last year). In the log files, I found that in 2020 it was ACCOUNT_ID, so I tried to undelete it with the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
I had no success, I received:
ERROR: (gcloud.beta.iam.service-accounts.undelete) NOT_FOUND: Not found; Not found AccountDataType for <numeric_id>
<numeric_id> was a 12-digit number.
I tried to disable and enable compute service to restore the default service account, but it wasn't successful, I received:
response:
'@type': type.googleapis.com/google.iam.admin.v1.ServiceAccount
serviceName: iam.googleapis.com
status:
code: 6
message: ALREADY_EXISTS
receiveTimestamp: '2021-08-05T06:45:55.798772716Z'
Because of this error, I tried to delete it, but this didn't work either.
Now I don't know what to do, to get the default service account back.
Is it still existing or not?
Why isn't it working?
Keep in mind, I'm talking about PROJECT_ID-compute@developer.gserviceaccount.com.
service-PROJECT_ID@compute-system.iam.gserviceaccount.com exists and is recreated each time I disable and enable the Compute Engine API again.
Thanks for helping.

Since the Service Account was deleted a year ago, it cannot be undeleted using the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
This only works for Service Accounts deleted fewer than 30 days ago. See Undeleting a service account for more information.
Instead, we can create a new Service Account and grant it the 'Editor' role, as the default Compute Engine Service Account has that same role by default. See Compute Engine default service account for more information.
Now, we can create a new Compute Engine VM using the new Service Account. See Setting up a new instance to run as a service account for more information.
If we already have a running VM and the Service Account got deleted, as @John Hanley suggested, we can edit the VM instance in the Google Cloud Console and assign the new Service Account to the instance. See Changing the service account and access scopes for an instance for more information.
To set the new Service Account as the Compute Engine Default Service Account on the project, we can use the following command,
gcloud alpha compute project-info set-default-service-account
But since the command is in the ‘alpha’ launch stage, it is not available for everyone.
Another workaround would be creating a new project and deploying our instance there.

Related

GCP - can't attach disk to an existing instance

I'm trying to attach a new disk to an existing instance.
I'm able to create the disk, however, when I try to attach it, it fails with the following error:
The resource 'xyz-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found.
What is preventing me here, and how can I add a disk?
The information requested by John Hanley would be very helpful to narrow down the issue and provide an accurate response to your question, however, that error message is typically shown when the Compute Engine default Service Account was deleted, if that is the case you have 3 possible options:
a) If the Service Account was deleted less than 30 days ago, it might be still possible to recover it using the command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
The output of that command should look like this:
restoredAccount:
email: sa-name@project-id.iam.gserviceaccount.com
etag: BwWWE7zpApg=
name: projects/project-id/serviceAccounts/sa-name@project-id.iam.gserviceaccount.com
oauth2ClientId: '123456789012345678901'
projectId: project-id
uniqueId: 'account-id'
You can follow the steps here, in order to recover it.
b) If it has been more than 30 days and undeleting is not possible, you will have to create a new Service Account and set it as the default Compute Engine Service Account. The steps for this would be:
Create a new Service Account with the name of your choice
You can do it through Cloud console by navigating to IAM -> Service Accounts page and clicking on '+ Create Service Account'. Or, if you prefer using the gcloud command, you can create a new account by using the command:
gcloud iam service-accounts create <NEW-SA-ACCT-NAME> --display-name="Compute Engine default service account"
Get the email id associated with this service account either via Cloud Console Service Accounts page, or using the gcloud command:
gcloud iam service-accounts list
Once you have done the above steps, you can set this new Service Account as the Compute Engine default Service Account using the alpha command:
gcloud alpha compute --project=peya-data-ops-pro project-info set-default-service-account --service-account=<NEW-SA-ACCT-NAME-EMAIL>
Note: This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you may be trying to access an API with an invitation-only early access allowlist, as described here.
c) As a last option and as long as you don't have any other resources running in Compute Engine or you don't mind losing those resources, you can disable the Compute Engine Service following the steps here and then re-enable it following this guide, that will recreate the default SA and you will be able to complete the required process.
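The two answers above (the first answer's create-and-grant steps and options a) and b) here) describe one decision procedure: undelete the account if its deletion is still inside the 30-day window, otherwise create a replacement and attach it explicitly. The script below is an added example and is not code from either answer. It assumes gcloud is installed and authenticated with IAM admin rights on the project, that the audit-log filter for finding the deletion entry (taken from Google's undelete guidance) still matches, and that GNU date is available; undelete takes the account's numeric uniqueId (the value shown in the restoredAccount output above), not the project number. The role granted to the replacement is a placeholder that defaults to Editor to match the answers; narrow it to what your workloads actually need.

```shell
#!/bin/sh
# Added example (not from the page): recover or replace a deleted Compute
# Engine default service account. Assumes gcloud is installed/authenticated
# with IAM admin rights; the audit-log filter is taken from Google's
# undelete guidance and is an assumption here.

UNDELETE_WINDOW_DAYS=30
# Role for the replacement; Editor matches the answers above, but narrow it
# (e.g. roles/dataproc.worker for Dataproc nodes) wherever you can.
REPLACEMENT_ROLE="${REPLACEMENT_ROLE:-roles/editor}"

# The default compute SA is named after the project NUMBER, not the ID.
default_compute_sa_email() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# True (exit 0) when a deletion at $1 (epoch secs) is still undeletable at $2.
within_undelete_window() {
  age_days=$(( ($2 - $1) / 86400 ))
  [ "$age_days" -lt "$UNDELETE_WINDOW_DAYS" ]
}

# Pure decision step: prints present | undelete | replace.
#   $1 = yes|no (does the SA exist), $2 = deletion epoch, $3 = now epoch
choose_recovery() {
  if [ "$1" = yes ]; then echo present
  elif within_undelete_window "$2" "$3"; then echo undelete
  else echo replace
  fi
}

sa_exists() {
  gcloud iam service-accounts describe "$1" --project "$2" >/dev/null 2>&1
}

# Prints "<resourceName> <timestamp>" of the newest DeleteServiceAccount
# audit entry; resourceName ends in the numeric uniqueId undelete expects.
find_deletion() {
  gcloud logging read \
    "resource.type=\"service_account\" resource.labels.email_id=\"$1\" \"DeleteServiceAccount\"" \
    --project "$2" --limit 1 \
    --format 'value(protoPayload.resourceName,timestamp)'
}

main() {
  project="$1"; name="${2:-gce-default-replacement}"   # hypothetical SA name
  number=$(gcloud projects describe "$project" --format 'value(projectNumber)')
  sa=$(default_compute_sa_email "$number")
  exists=no; deleted_at=0; unique_id=
  if sa_exists "$sa" "$project"; then
    exists=yes
  else
    # Split "resourceName<TAB>timestamp" on IFS (word splitting is intended).
    set -- $(find_deletion "$sa" "$project")
    unique_id=${1##*/}
    # GNU date; an empty timestamp (no audit entry found) stays at epoch 0.
    if [ -n "${2:-}" ]; then deleted_at=$(date -d "$2" +%s 2>/dev/null || echo 0); fi
  fi
  case $(choose_recovery "$exists" "$deleted_at" "$(date +%s)") in
    present)  echo "$sa exists; nothing to recover" ;;
    undelete) gcloud beta iam service-accounts undelete "$unique_id" --project "$project" ;;
    replace)
      new_sa="$name@$project.iam.gserviceaccount.com"
      gcloud iam service-accounts create "$name" --project "$project" \
        --display-name "Compute Engine default service account (replacement)"
      gcloud projects add-iam-policy-binding "$project" \
        --member "serviceAccount:$new_sa" --role "$REPLACEMENT_ROLE"
      echo "Attach it explicitly rather than relying on the project default:"
      echo "  gcloud compute instances set-service-account VM --service-account $new_sa"
      echo "  gcloud dataproc clusters create NAME --service-account $new_sa"
      ;;
  esac
}

# Run only when given a project id, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `sh recover-default-sa.sh PROJECT_ID [replacement-name]`. The pure functions carry the decision logic so they can be checked without touching the API; the replace branch prints the per-resource attach commands because a VM or Dataproc cluster bound to a named account keeps working even if the project-wide default is later changed again.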

GCP dataproc service account not_found

When creating a Dataproc cluster I have the following error message:
ERROR: (gcloud.dataproc.clusters.create) NOT_FOUND: Service Account not found: '[PROJECT_NUMBER]-compute@developer.gserviceaccount.com'
Same error when create from console or from gcloud CLI command. Anyone can help please? Many thanks.
As mentioned by John Hanley, this issue is generated because Dataproc requires the Compute Engine API default service account to create the cluster instances; however, if this account is no longer displayed within your IAM > Service Accounts console, you will need to disable and enable the Compute Engine API in order to try to recreate it; otherwise, you can create a new project to recreate your environment.
On the other hand, in case you want to use a different service account for your Dataproc cluster, you can create a new service account and grant it the required GCE and Dataproc roles; in this way, you can specify the service account name to use when creating your cluster.
gcloud dataproc clusters create <CLUSTER_NAME> --service-account=<SERVICE_ACCOUNT_NAME>

(gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default"

gcloud auth activate-service-account --key-file aysc.json
gcloud config set project abcxyz
gcloud config set compute/zone europe-west1-b
gcloud container clusters create wordpress --num-nodes=2
I'm running the above commands, on the last command I'm getting an error of:
ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".
However this account is part of the service account actor group. I've also disabled and enabled the container API, which did not change the behavior. It was suggested by this question: https://serverfault.com/questions/780363/external-the-user-does-not-have-access-to-service-account-default
I saw this situation a few days ago. This error means that the service account you are running gcloud with cannot ActAs the service account the VMs will run as (the default compute service account in this case).
I would sanity check the following:
1. Does the service account in aysc.json have the Service Account Actor role for the project abcxyz? (Giving it Service Account Actor for just the default compute service account seems insufficient.)
2. Does the default compute service account exist in the project abcxyz? It typically looks like #######-compute@developer.gserviceaccount.com with Editor permissions on your project. If it does not exist, re-enabling the container API should re-create it, as the other question suggests.
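The check the answer above describes, as an added example that is not code from the answer: before running `gcloud container clusters create`, confirm that the principal gcloud is authenticated as holds a role carrying `iam.serviceAccounts.actAs` on the default compute service account. It assumes gcloud is installed and authenticated, that the role list below (Service Account User, which replaced the legacy Service Account Actor role, and Owner) is the set you accept, and uses the principal string `serviceAccount:deployer@PROJECT.iam.gserviceaccount.com` as a placeholder.

```shell
#!/bin/sh
# Added example (not from the page): can PRINCIPAL act as the project's
# default compute service account? Assumes gcloud is installed and
# authenticated; the accepted-role list is an assumption, not exhaustive.

# True (exit 0) when the newline-separated role list in $1 contains a role
# that grants iam.serviceAccounts.actAs (legacy Actor kept for old projects).
grants_act_as() {
  printf '%s\n' "$1" | grep -qxF -e roles/iam.serviceAccountUser \
                                 -e roles/iam.serviceAccountActor \
                                 -e roles/owner
}

# Roles $2 holds on project $1, one per line (bindings flattened by gcloud).
project_roles() {
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.members:$2" --format='value(bindings.role)'
}

# Roles $3 holds directly on service account $1 in project $2.
sa_roles() {
  gcloud iam service-accounts get-iam-policy "$1" --project "$2" \
    --flatten='bindings[].members' --filter="bindings.members:$3" \
    --format='value(bindings.role)'
}

# $1 = project id, $2 = principal, e.g. serviceAccount:deployer@PROJECT.iam.gserviceaccount.com
check_act_as() {
  project="$1"; principal="$2"
  number=$(gcloud projects describe "$project" --format 'value(projectNumber)')
  sa="$number-compute@developer.gserviceaccount.com"
  roles=$(printf '%s\n%s\n' "$(project_roles "$project" "$principal")" \
                            "$(sa_roles "$sa" "$project" "$principal")")
  if grants_act_as "$roles"; then
    echo "$principal can act as $sa"
  else
    echo "$principal cannot act as $sa; grant it on the account itself with:"
    echo "  gcloud iam service-accounts add-iam-policy-binding $sa --project $project \\"
    echo "    --member $principal --role roles/iam.serviceAccountUser"
    return 1
  fi
}

if [ $# -gt 0 ]; then check_act_as "$@"; fi
```

Usage: `sh check-actas.sh abcxyz serviceAccount:deployer@abcxyz.iam.gserviceaccount.com`. Binding Service Account User on the one account the cluster nodes run as is narrower than granting it project-wide, which would let the deployer act as every service account in the project.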

Unable to provision k8s from gcloud: "Account does not exist"

I am trying to provision a k8s cluster on Google Cloud Platform using gcloud
$ gcloud container clusters create my-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=400,
message=service account "xxxxxx-compute@developer.gserviceaccount.com" does not exist.
Any idea as to why this is error is occurring? I have been able to provision in the past w/o any issue until now.
Verify that the active account is your own account, and not a service account that lacks permission to create clusters.
Example command to check this and output:
$ gcloud auth list
Credentialed Accounts:
- xxxxx@developer.gserviceaccount.com
- user@example.com ACTIVE
If you don't see ACTIVE next to the expected account, then set it to the right account with:
$ gcloud config set account <correctaccountname>
Maybe you switched to the service account a while back and forgot about it?
I got the same error while creating a cluster using GKE. Earlier I was getting this error because I did not attach the service account (which needs to be created and assigned with a role having Kubernetes specific permissions).
Now, the further question you might have is where to attach the service account. For this you need to go to Create Cluster --> Node Pool section --> More Options --> (a new window will pop up) --> Security section --> in the Service account dropdown, choose the service account.
Once you do that, save and create the cluster; hopefully you will not get the same error.

gcp container cluster initialization failed

~ gcloud container clusters create example-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=403,
message=Google Compute Engine: Required 'compute.zones.get' permission
for 'projects/saleop-166407/zones/asia-northeast1-a'
This is the shell script I used to start a container cluster.
I failed with web console(using UI), gcloud sdk cli and google cloud shell.
It is saying something about permission, but I couldn't find any change I made.
So I created a new project and did the same thing, and then it worked. What is the problem?
Did you change the roles of your Compute Engine default service account in Console --> IAM/Admin --> IAM section, or for other accounts? It looks like your Compute account cannot use the compute API.
Make sure your Compute Engine default service account has "Editor" role on your project.
That's the only explanation I can think of, because when you create a new project, that project gets a brand new Compute Engine service account with correct permissions.