GCP project quota issue with service account - google-cloud-platform

I'm using Terraform to create GCP projects (google_project resource) through service account inpersonnation and I'm hitting a quota issue:
Error: Error waiting for creating folder: Error code 8, message: The project cannot be created because you have exceeded your allotted project quota.
My problem is identical to this Github Issue
I've requested and obtained a project quota increase and I'm able to create projects in the GCP console but not with the service account.
The proposed solution is to use another service account but this is really inconvenient.
Is it possible to display the project quota associated with the service account ?
Is there a way to reset or update the project quota associated with the service account so that I can avoid to setup a new one ?
Thx

If you want to have an increased quota for a specific service account you have to fill a request to Google Cloud Platform specifying both the desired quota and the service account where you want this change to be applied. If you don't specify a service account in the email addresses box and instead you just include your personal email this quota increase will be applied to your personal email.
Currently, I'm not aware of any way to get the number of remaining projects for a specific service account. However, I found this Public Issue Tracker where a similar request was made. You can star it as you also want to have this feature and post a comment.

Related

Cannot update cloud run service account

I am trying to add a service account to my cloud run service. However, there is a message that "No service account with required permissions available."
I'm not sure if this is related to my user's credentials, or something else. This project has the default compute service account, as well as additional service accounts.
I can't find anything related in the documentation regarding this.
Would appreciate any insight you have on this issue!
Yes, I think that's probably (!?) what's occurring.
I assume that you're using Cloud Console and trying to Create a Cloud Run service.
I was able to add a minimally-roled user to an existing project and, when trying to create a Cloud Run service, I observe the same behavior that you're seeing.
How do you know that the project contains Service Accounts? I assume that your permissions are similarly restricted in eumerating these.
The permissions required to set a service account are described here. You need service account user permissions on the project or specific service account in order to set it on a deploy.

cannot add role on service account GCP IAM

I am trying to add role cloud sql client to my service account but got this warning Utilization analysis for this binding has not been processed.
because of this i unable to use the service account for my application
how i fix this?
You must be seeing ? icon which shows: "Utilization analysis for this binding has not been processed".
It is not a warning, and probably not the reason for your issue.
Check this
For newly created service accounts (managed by google) Utilization analysis is calculated after 90 days, after which it gives recommendations on Permissions that are not needed for that service account ie. Analyzed Permissions.

GCP Pub/Sub default service account is not getting created when enabling the API

We have two projects in our GCP account; one for our Dev environment and one for our Test environment at the moment. Terraform manages most of our infrastructure, so we have minimal clicking around the GUI, or CLI commands.
I have assumed we enabled the Pub/Sub API by deploying to it with Terraform in both of our environments, although we may have needed to do this manually. We noticed that Google created a default Pub/Sub service account for us in our Dev environment, but not in our Test environment. This docs page suggests it should make this service account.
Additionally, we have noticed multiple Pub/Sub subscriptions working, apparently without any service account. We believe that the service account is only needed for this particular Subscription because it is a push to an e-mail server. Therefore, it needs a service account with the 'Service Account Token Creator' role.
We've attempted to redeploy the whole infrastructure and disable/re-enable the Pub/Sub API. Neither seemed to kick GCP into creating the Service Account. Further to this, we attempted to make the default service account manually. Still, GCP constrains the name a user can give a service account themselves, so we're unable to create a service account with the name that the Pub/Sub service would expect.
We wonder if there is some configuration of the project we may have missed or if anyone has seen this previously?
Does it not exist or does you not see it?
I'm pretty sure that it exists but without any role granted on it and you don't see it in the UI. Try to grant a role on this default service account, and it will appear in the IAM page!

Google Cloud Platform - Resource of type "Organisation"

I wanted to setup my cloud identity but its asking me to verify the domain that is already hosted on GCP. Can you help me with Cloud Identity setup with a proper organisation created (today its named "No Organisation"). I'm the admin for this account DOMAIN: we host our Corporate website on GCP with domain already registered with DNS services in google.
on the GCP Identity page its also giving me the following message.
Your current account, k*****.***a#DOMAIN.NL, is not associated with an organization on Google Cloud. This checklist is designed for administrators who are trusted with complete control over a company’s Google Cloud resources. If you already have an administrator account for your organization, sign in with the account now. Or, ask your company administrator to start the checklist.
I guess I'm stuck in a Chicken-n-Egg problem.
You need to create a Google Workspace account. Create it on your domain DOMAIN.NL, with you as 1st admin user and with subscription plan or not (in my case, I wasn't able to remove the 15 days of trial. Get it, you will be able to remove the trial subscription later (in the user list) on the admin.google.com Workspace console). You are able to create your org for free, but it's absolutely not clear!!
From the new user account that you have created on your Workspace domain (you#DOMAIN.NL), you will be able to reach the console (console.cloud.google.com) and you have your org.
Now you need to migrate the projects and to review the authorization. You also need to (re)create a Billing Account.
I didn't find another way to achieve this.

Unable to Deploy from GCP Marketplace - Missing Valid Default Service Account

I receive an error message while attempting to deploy anything from the marketplace into a specific GCP project.
You must have a valid default service account in order to create a
deployment, but this account could not be detected. Contact support
for help restoring the account.
Things I've Tried:
Every VM from the marketplace shows the same error message
I can deploy regular VM instance
I can see there is an enabled service account for the project with the name "Compute Engine default service account".
I am able to deploy VM's from the marketplace into other projects under the same organization
I've contacted GCP Billing support and they cannot find anything wrong from a billing perspective
Researching online shows that others that have had this issue have just rebuilt the project. It appears that service account is created by default when the project is spun up.
I'm hoping there is another way around it as this project is a host for a shared VPC deployment. There are already other projects with deployed VM's that are utilizing the host projects networks.
Thank you!
Looks like you deleted a default service account.
As mentioned in one comment some can be recreated by disable/enable the corresponding API
Below are the default service accounts I have in my project, hope it helps you to find the root cause. (these service accounts let me deploy a wordpress solution depending on what you are trying to deploy you might need more service accounts)
PROJECT-NUMBER-compute#developer.gserviceaccount.com Compute Engine
default service account
PROJECT-NUMBER#cloudservices.gserviceaccount.com Google APIs Service
Agent
PROJECT-ID#appspot.gserviceaccount.com App Engine default service
account
service-ORG-ID3#gcp-sa-cloudasset.iam.gserviceaccount.com Cloud Asset
Service Agent
service-PROJECT-NUMBER#cloud-ml.google.com.iam.gserviceaccount.com Google
Cloud ML Engine Service Agent
service-PROJECT-NUMBER#compute-system.iam.gserviceaccount.com Compute
Engine Service Agent
service-PROJECT-NUMBER#container-engine-robot.iam.gserviceaccount.com Kubernetes
Engine Service Agent
service-PROJECT-NUMBER#containerregistry.iam.gserviceaccount.com Google
Container Registry Service Agent
service-PROJECT-NUMBER#dataflow-service-producer-prod.iam.gserviceaccount.com Cloud
Dataflow Service Account
service-PROJECT-NUMBER#service-networking.iam.gserviceaccount.com Service
Networking Service Agent
The service account was intact and had the same permissions as other service accounts for working projects.
We purchased and opened a case with GCP technical support. After a little more than a week of them troubleshooting the issues, they determined there was no way to correct the problem. Their root cause was that something happened during the initial project deployment that caused some backend configuration issues. For what its worth, the project was deployed using Terraform, but its uncertain if that was a factor.
After recreating the host project, we were able to deploy from the marketplace again successfully.
If you run into this problem, save yourself the hassle and time and just recreate the project.