I'm trying to follow the Datalab: Notebook in the Cloud video , and when executing the datalab create ai-adventures command, I encountered this error.
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The user does not have access to service account '*#compute-system.iam.gserviceaccount.com'. User: '*#gmail.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
Few things to note;
I'm the project owners.
I've tried to create a new service account
tutorial#*.iam.gserviceaccount.com and that didn't work.
Any advice would be greatly appreciated!
Edit 1
Below is the information, as you can see when checking through gcloud auth list directive, I'm the owner, yet it tells me that I don't have access.
~ ⌚ 18:40:34
$ datalab create ai-adventures-3 --machine-type=n1-standard-4 --zone=us-central1-b
Creating the disk ai-adventures-3-pd
Creating the instance ai-adventures-3
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The user does not have access to service account 'service-510602609611#compute-system.iam.gserviceaccount.com'. User: 'XXX#gmail.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
A nested call to gcloud failed, use --verbosity=debug for more info.
~ ⌚ 15:02:59
$ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* XXX#gmail.com
AAA#gmail.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
~ ⌚ 15:03:45
$
I tried to reproduce your error in my own project using different ways to connect to it, with different users and accounts services.
And I found something that may help you.
First, I created a new VMInstance with OS debian-9-drawfork-v20200207.
I logged in to this new instance through SSH
But when I attempted to create this datalab instance with the command
datalab create --verbosity=debug example-datalab-2 --machine-type n1-standard-1
I received an error.
Then I send the following command
gcloud auth list
And I received something like:
Credentialed Accounts
ACTIVE ACCOUNT
* XXXXX#developer.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
It means that if I tried to create the new datalab instance with this Account Service, but this account doesn’t have the roles to create the notebook instance.
Then I changed the user with gcloud auth login command to an account with the owner role and re-ran the datalab create command and it worked.
To corroborate that it is working well I used the command
datalab connect example-datalab-2
And I received something like
Connecting to example-datalab-2.
This will create an SSH tunnel and may prompt you to create an rsa key pair. To manage these keys, see https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
Waiting for Datalab to be reachable at http://localhost:8081/
This tool needs to create the directory [/home/directory/.ssh] before
being able to generate SSH keys.
Do you want to continue (Y/n)? y
Generating public/private rsa key pair.
.
.
.
Updating project ssh metadata...done.
Waiting for SSH key to propagate.
The connection to Datalab is now open and will remain until this command is killed.
Click on the *Web Preview* (square button at top-right), select *Change port > Port 8081*, and start using Datalab.
Then If I access to http://localhost:8081/ I can see:
It is worth mentioning that I received another error message at my first attempt
ERROR: (gcloud.source.repos.list) User [user#example.com] does not have permission to access project [myproject] (or it may not exist): Cloud Source Repositories API has not been used in project xxxxxxxx before or it is disabled.
I fixed this issue enabling the service with the command
gcloud beta services enable sourcerepo.googleapis.com
On the other hand, in order that you can troubleshoot this issue more accurately , I recommend to re-run the command with the following debug flag to help diagnose the problem:
datalab create --verbosity=debug datalab-instance-name
Also, I have found 2 guides that can help you with your task:
Quickstart guide that shows you how to use the datalab command line tool to set up and open Google Cloud Datalab.
Create a new notebook instance guide.
I hope you find this information useful.
Edit 1
Regarding the Service Account you mentioned tutorial#*.iam.gserviceaccount.com, I’ve found the following document where it says that you can use a service account instead of the default service account to create your datalab, but you need to add the following roles:
roles/compute.instanceAdmin.v1
roles/iam.serviceAccountUser
So, please check if your SA has these roles and then you can run the same command + --service-account something like:
datalab create ai-adventures --service-account=tutorial#*.iam.gserviceaccount.com
You could see more information in the following link.
This question is more interesting than I thought and I’ve encountered several issues using Datalab, we could take in consideration that the video you mentioned has been posted on Jan 11, 2018 and as Google Cloud Platform is evolving very fast, something that could work on that date could completely change 2 years later.
With this, I recommend you to use the AI Platform Notebooks page since it has similar features as Datalab, and according with the following documentation it was released as Generally Available on March 31st, 2020.
Upon trying it out, it seems that it could fit your use case and it also has capabilities to connect to Bigquery through the use of the R notebook.
Related
I use a workflow to create a batch job using a docker image hosted in a docker registry.
All of this happens within the same google cloud project.
My batch job fails with this error :
"docker: Error response from daemon: Head "https://us-west1-docker.pkg.dev/v2/entity/docker-registry/image-name/manifests/latest": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-west1/repositories/docker-registry" (or it may not exist).
See 'docker run --help'.
From google documentation I understand that Compute Engine's service account doesn't have the roles/artifactregistry.admin : Jobs default to using the Compute Engine default service account
I get the same error after giving the role to the service account :
gcloud projects add-iam-policy-binding project-id \
--member=serviceAccount:compute#developer.gserviceaccount.com \
--role=roles/artifactregistry.admin
While digging service accounts I found another service another service account and also gave it the role : service-xxxx#gcp-sa-cloudbatch.iam.gserviceaccount.com.
It does not solve the problem.
How can I see which service account is used ?
Can I see logs about denied permissions ?
The error occurs when you are trying to push an image on a repository in which a specific hostname associated with its repository location is not yet authenticated and specified in the credential helper.You may refer to this Setting up authentication for Docker .You may check and confirm the service account to make sure you are still impersonating the correct one ,run below as mentioned in document
gcloud auth list
This command will show the active account, along with the other
accounts that are authorized to access your Google Cloud project. The
active account will be marked with an asterisk (*).
Try to run the authentication using a command specifying the location of your repository.You may try to run the configure-docker command against the auth group and see.
gcloud auth configure-docker <location>-docker.pkg.dev
And then try pulling the Docker image again.
Refer Authenticating to a repository for more information and you can see these logs permission denied logs in Cloud logging for more details.
When trying to delete my cloud composer environment it gets stuck complaining about insufficient permissions. I have deleted the storage bucket, GKE cluster and the deployment according to this post:
Cannot delete Cloud Composer environment
And the service account is the standard compute SA.
DELETE operation on this environment failed 33 minutes ago with the following error message:
Could not configure workload identity: Permission iam.serviceAccounts.getIamPolicy is required to perform this operation on service account projects/-/serviceAccounts/"project-id"-compute#developer.gserviceaccount.com.
Even though I made the compute account a project owner and IAM Security Admin temporarily it does not work.
And I've tried to delete it through the GUI, gcloud CLI and terraform without success. Any advice or things to try out will be appreciated :)
I got help from the google support, and instead of adressing the SA projects/-/serviceAccounts/"project-id"-compute#developer.gserviceaccount.com.
It was apparently the default service agent that has the format of
service-"project-nr"#cloudcomposer-accounts.iam.gserviceaccount.com with the
Cloud Composer v2 API Service Agent Extension
Thank you for the kind replies!
The issue iam.serviceAccounts.getIamPolicy, seems to be more related to the credentials, that your server is having issues retrieving credentials data.
You should set up your path credentials variable again:
export GOOGLE_APPLICATION_CREDENTIALS=fullpath.json
Also there another options where you can try to run:
gcloud auth activate-service-account
Also you can add it to your script:
provider "google" {
credentials = file(var.service_account_file_path)
project = var.project_id
}
Don't forget that you need to have the correct roles to delete the composer.
For more details about it you can check:
https://cloud.google.com/composer/docs/delete-environments#gcloud
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment
https://cloud.google.com/composer/docs/how-to/access-control?hl=es_419
I tried to deploy an OpenVPN Access Server to Google Compute Engines and received the following error message:
openvpn-access-server-1-vm: {"ResourceType":"compute.v1.instance","ResourceErrorCode":"EXTERNAL_RESOURCE_NOT_FOUND","ResourceErrorMessage":"The resource 'PROJECT_ID-compute#developer.gserviceaccount.com' of type 'serviceAccount' was not found."}
PROJECT_ID is just a placeholder for my own PROJECT_ID.
In the cloud console, I can't find the "compute engine default service account" (I think, I accidentally deleted it last year). In the log files, I found in 2020 it's ACCOUNT_ID, so I tried to undelete it with the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
I had no success, I received:
ERROR: (gcloud.beta.iam.service-accounts.undelete) NOT_FOUND: Not found; Not found AccountDataType for <numeric_id>
<numeric_id> was a 12-digit number.
I tried to disable and enable compute service to restore the default service account, but it wasn't successful, I received:
response:
'#type': type.googleapis.com/google.iam.admin.v1.ServiceAccount
serviceName: iam.googleapis.com
status:
code: 6
message: ALREADY_EXISTS
receiveTimestamp: '2021-08-05T06:45:55.798772716Z'
Because of this error, I tried to delete it, but this didn't work too.
Now I don't know what to do, to get the default service account back.
Is it still existing or not?
Why isn't it working?
Keep in mind, I'm talking about PROJECT_ID-compute#developer.gserviceaccount.com.
service-PROJECT_ID#compute-system.iam.gserviceaccount.com is existing and recreated each time I disable and enable the Compute Engine API again.
Thanks for helping.
Since the Service Account was deleted an year ago it cannot be undeleted using the following command,
gcloud beta iam service-accounts undelete ACCOUNT_ID
This only works for Service Accounts deleted fewer than 30 days ago. Undeleting a service account for more information.
Instead, we can create a new Service Account and grant an ‘Editor’ role to it. As a Default Compute Engine Service Account has the same role by default. Compute Engine default service account for more information.
Now, we can create a new Compute Engine VM using the new Service Account. Setting up a new instance to run as a service account for more information.
If we already have a running VM and the Service Account got deleted, As #John Hanley suggested, we can edit the VM instance in the Google Cloud Console and assign the new Service Account to the instance. Changing the service account and access scopes for an instance for more information.
To set the new Service Account as the Compute Engine Default Service Account on the project, we can use the following command,
gcloud alpha compute project-info set-default-service-account
But since the command is in the ‘alpha’ launch stage, it is not available for everyone.
Another workaround would be creating a new project and deploying our instance there.
I'm trying to attach a new disk to an existing instance.
I'm able to create the disk, however, when I try to attach it, it fails with the following error:
The resource 'xyz-compute#developer.gserviceaccount.com' of type 'serviceAccount' was not found.
What is preventing me here, and how can I add a disk?
The information requested by John Hanley would be very helpful to narrow down the issue and provide an accurate response to your question, however, that error message is typically shown when the Compute Engine default Service Account was deleted, if that is the case you have 3 possible options:
a) If the Service Account was deleted less than 30 days ago, it might be still possible to recover it using the command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
The output of that command should look like this:
restoredAccount:
email: sa-name#project-id.iam.gserviceaccount.com
etag: BwWWE7zpApg=
name: projects/project-id/serviceAccounts/sa-name#project-id.iam.gserviceaccount.com
oauth2ClientId: '123456789012345678901'
projectId: project-id
uniqueId: 'account-id'
You can follow the steps here, in order to recover it.
b) If it has been more than 30 days and undeleting is not possible, you will have to create a new Service Account and set it as the default Compute Engine Service Account. The steps for this would be:
Create a new Service Account with the name of your choice
You can do it through Cloud console by navigating to IAM -> Service Accounts page and clicking on '+ Create Service Account'. Or, if you prefer using the gcloud command, you can create a new account by using the command:
gcloud iam service-accounts create <NEW-SA-ACCT-NAME> --display-name="Compute Engine default service account"
Get the email id associated with this service account either via Cloud Console Service Accounts page, or using the gcloud command:
gcloud iam service-accounts list
Once you have done the above steps, you can set this new Service Account as the Compute Engine default Service Account using the alpha command:
gcloud alpha compute --project=peya-data-ops-pro project-info set-default-service-account --service-account=<NEW-SA-ACCT-NAME-EMAIL>
Note: This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you may be trying to access an API with an invitation-only early access allowlist, as described here.
c) As a last option and as long as you don't have any other resources running in Compute Engine or you don't mind losing those resources, you can disable the Compute Engine Service following the steps here and then re-enable it following this guide, that will recreate the default SA and you will be able to complete the required process.
I am trying to provision a k8s cluster on Google Cloud Platform using gcloud
$ gcloud container clusters create my-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=400,
message=service account "xxxxxx-compute#developer.gserviceaccount.com" does not exist.
Any idea as to why this is error is occurring? I have been able to provision in the past w/o any issue until now.
Verify that the active account is your own account, and not a service account that lacks permission to create clusters.
Example command to check this and output:
$ gcloud auth list
Credentialed Accounts:
- xxxxx#developer.gserviceaccount.com
- user#example.com ACTIVE
If you don't see ACTIVE next to the expected account, then set it to the right account with:
$ gcloud config set account <correctaccountname>
Maybe you switched to the service account a while back and forgot about it?
I got the same error while creating a cluster using GKE. Earlier I was getting this error because I did not attach the service account (which needs to be created and assigned with a role having Kubernetes specific permissions).
Now, the further question you might have where to attach the service account, for this you need to go the Create Cluster --> Node Pool Section --> More Options --> (a new window will popup) --> security section --> In-Service account dropdown Choose the Service account.
Once you do it, then save and say create a cluster, hopefully you will not get the same error.