cannot add role on service account GCP IAM - google-cloud-platform

I am trying to add the role Cloud SQL Client to my service account but got this warning: "Utilization analysis for this binding has not been processed."
Because of this I am unable to use the service account for my application.
How do I fix this?

You must be seeing a ? icon which shows: "Utilization analysis for this binding has not been processed".
It is not a warning, and probably not the reason for your issue.
Check this
For newly created service accounts (managed by Google), utilization analysis is calculated after 90 days, after which it gives recommendations on permissions that are not needed for that service account, i.e. Analyzed Permissions.

Related

GCP Pub/Sub default service account is not getting created when enabling the API

We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed, or if anyone has seen this previously?
Does it not exist, or do you not see it?
I'm pretty sure that it exists but without any role granted on it and you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!

GCP project quota issue with service account

I'm using Terraform to create GCP projects (google_project resource) through service account impersonation and I'm hitting a quota issue:
Error: Error waiting for creating folder: Error code 8, message: The project cannot be created because you have exceeded your allotted project quota.
My problem is identical to this GitHub issue.
I've requested and obtained a project quota increase and I'm able to create projects in the GCP console but not with the service account.
The proposed solution is to use another service account but this is really inconvenient.
Is it possible to display the project quota associated with the service account?
Is there a way to reset or update the project quota associated with the service account so that I can avoid setting up a new one?
Thx
If you want to have an increased quota for a specific service account, you have to fill in a request to Google Cloud Platform specifying both the desired quota and the service account where you want this change to be applied. If you don't specify a service account in the email addresses box and instead just include your personal email, this quota increase will be applied to your personal email.
Currently, I'm not aware of any way to get the number of remaining projects for a specific service account. However, I found this Public Issue Tracker where a similar request was made. You can star it as you also want to have this feature and post a comment.

Problems while creating a datalab in GCP

I'm getting a strange error while trying to create a datalab in GCP. gcloud is up to date, all necessary APIs are enabled. I'm following these instructions https://cloud.google.com/datalab/docs/quickstart
Any ideas on what went wrong here?
This error looks like you've somehow deleted the Compute Engine default service account. Please go to IAM & Admin -> Service Accounts and check if you still have a service account named Compute Engine default service account.
To solve this issue, follow the instructions in Undeleting a service account:
In some cases, you can use the undelete command to undelete a deleted service account. You can usually undelete a deleted service account if it meets these criteria:
The service account was deleted less than 30 days ago.
After 30 days, Cloud IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
Also, you can try to reach Google Cloud Support for further instructions.

Can't create job on GCP Cloud Scheduler

When I try to create a job in the GCP Cloud Scheduler I get this error:
{"error":{"code":7,"message":"The principal (user or service account) lacks IAM permission \"iam.serviceAccounts.actAs\" for the resource \"[my service account]\" (or the resource may not exist)."}}
When I enabled the GCP Cloud Scheduler the service account was created (and I can see it in my accounts list). I have verified that it has the "Cloud Scheduler Service Agent" role.
I am logged in as an Owner of our project. It is when I try to create the job that I get this error. I tried to add the "Service Account User" to my principal account, but to no avail.
Does anyone know if I have to add any additional permissions? Or if I have to allow my principal to act (impersonate?) this service account in some way?
Many thanks.
Ben
Ok I figured this out. The documentation is (sort of, in my view) clear if you read it in a certain way / know how GCP IAM works.
You actually need two service accounts. You need one that you set up yourself (can be whatever name you like and doesn't require any special permissions) and you also need the one for Cloud Scheduler itself.
Don't confuse the two. And use the one that you created when specifying the service account to generate the OAuth / OIDC tokens.

Dataprep doesn't work - Cloud Dataflow Service Agent

I made a mistake deleting a user service-[project number]#dataflow-service-producer-prod.iam.gserviceaccount.com in Service accounts; I should have deleted another user.
After that, the Dataprep stopped running the jobs.
I've checked all guidelines about Dataflow and Dataprep: if the API is enabled (yes, it is), if there is a proper service account (yes). But I don't know what rules to assign to these accounts.
I tried assigning the "Cloud Dataflow Service Agent" role for this account, but it doesn't appear for me.
I also tried assigning other roles, but it didn't work.
It all started when I deleted this account erroneously.
Does someone know how to solve this?
PS: I'm still working on my English, sorry for some mistakes.
If you accidentally deleted the Dataflow service account, disabling the Dataflow API and then re-enabling it will create the service account again automatically.
Disabling/enabling the API is not recommended, as associated resources will be impacted. You should rather undelete the default service account within the following 30 days. You would need its ACCOUNT_UNIQUE_ID, which can be found in the generated logs when it was deleted. Find details here.
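As an added example (not from either answer above), this Python snippet walks a Cloud Logging JSON export to find DeleteServiceAccount audit entries, reads the unique ID from the `service_account` resource labels, and separates accounts still inside the 30-day undelete window from those already purged. The log lines, project, e-mails and unique IDs are constructed, and the export field layout is assumed from the `service_account` monitored-resource labels (`email_id`, `unique_id`).

```python
import json
from datetime import datetime, timedelta, timezone

UNDELETE_WINDOW = timedelta(days=30)   # Cloud IAM purges a deleted account after this (per the answer above)
DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccount"
NOW = datetime(2024, 5, 25, tzinfo=timezone.utc)  # constructed "today" for the sample below

def _entry(ts, email, uid, method):
    # Build one Cloud Logging JSON entry; labels follow the `service_account` monitored resource.
    return json.dumps({"timestamp": ts,
                       "resource": {"type": "service_account",
                                    "labels": {"project_id": "example-project",
                                               "email_id": email, "unique_id": uid}},
                       "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": method}})

# Constructed sample export: every project, e-mail and unique ID here is made up.
SAMPLE_LOG_LINES = [
    _entry("2024-05-20T09:15:00Z",
           "service-123456789012@dataflow-service-producer-prod.iam.gserviceaccount.com",
           "100000000000000000001", DELETE_METHOD),                          # 5 days ago: recoverable
    _entry("2024-05-21T10:00:00Z", "app-sa@example-project.iam.gserviceaccount.com",
           "100000000000000000002", "google.iam.admin.v1.SetIamPolicy"),    # not a deletion: skipped
    _entry("2024-03-01T08:00:00Z", "old-sa@example-project.iam.gserviceaccount.com",
           "100000000000000000003", DELETE_METHOD),                          # 85 days ago: purged
]

def parse_timestamp(ts):
    # Cloud Logging emits RFC 3339 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_deleted_service_accounts(lines, now=NOW):
    """One record per DeleteServiceAccount entry: undelete command if still inside the window."""
    results = []
    for line in lines:
        entry = json.loads(line)
        resource = entry.get("resource", {})
        if resource.get("type") != "service_account" or \
           entry.get("protoPayload", {}).get("methodName") != DELETE_METHOD:
            continue
        labels = resource["labels"]
        recoverable = now - parse_timestamp(entry["timestamp"]) <= UNDELETE_WINDOW
        results.append({
            "email": labels["email_id"],
            "unique_id": labels["unique_id"],
            "recoverable": recoverable,
            # `undelete` takes the numeric unique ID, not the e-mail address
            "action": (f"gcloud iam service-accounts undelete {labels['unique_id']}" if recoverable
                       else "permanently removed; recreate it instead (e.g. re-enable the owning API)"),
        })
    return results
```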