I want to create image with packer build command but when I do that I face this error :
googlecompute: * The user does not have access to service account 'service-76100000418#compute-system.iam.gserviceaccount.com'. User: 'farzin-second-test-project#farzin-second-test-project.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
I have added the service account user role and compute admin and Compute Instance Admin (v1) to my service account.
Also I enabled the compute API ,but in my virtual box I used centos, and here I use this packer build which does not work properly.
There I create one file with name credentials and put json key in there, and also I make my packer template, I should also say my template is validated.
Does anybody have any Idea? The odd thing is it asks me to give this permission to the user, but still it is not working after adding that.
You have to enable all fallowing API's on your GCP account:
gcloud services enable sourcerepo.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable servicemanagement.googleapis.com
gcloud services enable storage-api.googleapis.com
Also make sure your service account has the proper permissions (and you are using a proper account):
CLOUD_BUILD_ACCOUNT=$(gcloud projects get-iam-policy $PROJECT --filter="(bindings.role:roles/cloudbuild.builds.builder)" --flatten="bindings[].members" --format="value(bindings.members[])")
gcloud projects add-iam-policy-binding $PROJECT \
--member $CLOUD_BUILD_ACCOUNT \
--role roles/editor
You may also have a look at the documentation : Building VM images using Packer and Create a Cloud Build image factory using Packer.
Related
Our project has enabled Cloud Asset Inventory API, I can view it from UI, but I get this permission error. I am the owner of the project.
➜ gcloud auth login
Your browser has been opened to visit:
---
You are now logged in as [myemail].
➜ gcloud asset export --content-type resource --project xxx --output-path "gs://export-resources-t/resources_updated.yaml" --format=yaml
Export in progress for root asset [projects/xxx].
Use [gcloud asset operations describe projects/xxx/operations/ExportAssets/RESOURCE/530109afbb66bdaf2be325e11897c83c] to check the status of the operation.
➜ gcloud beta resource-config bulk-export --resource-format=terraform --path output --project xxx
Exporting resource configurations to [output]...done.
ERROR: (gcloud.beta.resource-config.bulk-export) Permission denied during export. Please ensure the Cloud Asset Inventory API is enabled.
As per this case When the destination is in the same project, the user doesn't need to grant additional permission/role to the built-in service account, it is only needed when the destination is in a different project.
If this is not your issue then try using this method. i.e.,
For this service account you should add the role 'roles/cloudasset.serviceAgent' (which has all the required permissions).
Run this: gcloud beta services identity create --service=cloudasset.googleapis.com --project=<project number>
The above command will create the needed identity, then copy the name of the service account identity created and use it with the following command to grant the required role:
gcloud beta projects add-iam-policy-binding <project_name> --member='serviceAccount:[Service_Account]' --role='roles/cloudasset.serviceAgent
Please replace the [Service_Account] with the actual service account identity created in the first command.
After performing the above steps, you will be able to run thegcloud beta resource-config bulk-export --project=<project_name> --resource-format=terraform command.
For more information follow this doc.
I am trying to create a cluster with GKE. I have a project I have been using already.
When I run
gcloud container clusters create cluster1
I get the following:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.
The same thing happens when I use the web UI. Both my service account and my user have owner roles.
I have tried the following to get the cluster create command to work:
I tried adding a policy binding for the project for my existing service account:
gcloud projects add-iam-policy-binding <my-project> \
--member serviceAccount:<my-user>#<my-project>.iam.gserviceaccount.com \
--role roles/compute.admin
I read enabling the container api service was required
gcloud services enable container.googleapis.com
Started over. I deleted the service account, created a new one and activated the creds with:
gcloud auth activate-service-account <my-user>#<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
I also tried authenticating with my account user:
gcloud auth login
None of these work and I can't create a cluster
I think I will answer my own question here. From service account docs
When you create a new Cloud project using GCP Console and if Compute Engine API is enabled for your project, a Compute Engine Service account is created for you by default. It is identifiable using the email:
PROJECT_NUMBER-compute#developer.gserviceaccount.com
I had delete the default created service accounts somehow and possible the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate, I decided it was best to just start a new project. Afterwords, the cluster create API and console work just fine.
Debug:
gcloud container subnets list-usable --project service-project --network-project shared-vpc-project
If you get warning in output:
WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED:
Google Compute Engine: Required 'compute.projects.get' permission for
'projects/shared-vpc-project'
It means your google managed gke service account in host project doesn't exist.
To solve go to host project apis and enable Kubernetes Engine API. If it's enabled, disable it and enable again back.
I think you should set the compute engine service account permission:
gcloud projects add-iam-policy-binding <my-project> \
--member [PROJECT_NUMBER]-compute#developer.gserviceaccount.com \
--role roles/compute.admin
I am trying to deploy node js app on google cloud but getting following error -
Step #1: ERROR: (gcloud.app.deploy) Permissions error fetching application [apps
/mytest-240512]. Please make sure you are using the correct project ID and that
you have permission to view applications on the project.
I am running following command -
gcloud builds submit . --config cloudbuild.yaml
My cloudbuild.yaml file looks like -
steps:
#install
- name: 'gcr.io/cloud-builders/npm'
args: ['install']
#deploy
- name: 'gcr.io/cloud-builders/gcloud'
args: ['app', 'deploy']
The default Cloud Build service account does not allow access to deploy App Engine. You need to enable the Cloud Build service account to perform actions such as deploy.
The Cloud Build service account is formatted like this:
[PROJECT_NUMBER]#cloudbuild.gserviceaccount.com
Go to the Google Cloud Console -> IAM & admin -> IAM.
Locate the service account and click the pencil icon.
Add the role "App Engine Deployer" to the service account.
Wait a couple of minutes for the service account to update globally and then try again.
I had this same error today and the way I resolve it was by running: $ gcloud auth login on the console.
This will open a new browser tab for you to login with the credentials that has access to the project you're trying to deploy.
I was able to deploy to gcloud after that.
ps.: I'm not sure this is the best approach, but I'm leaving this as a possible solution as this is how I usually go around this problem. Worst case, I'll stand corrected and learn something new.
The most common way to deploy an app to App Engine is to use gcloud app deploy ....
When you use gcloud app deploy against App Engine Flex, the service uses Cloud Build.
It's entirely possible|reasonable to use Cloud Build to do your deployments too, it's just more involved.
I've not tried this but I think that, if you wish to use Cloud Build to perform the deployment, you will need to ensure that the Cloud Build service account has permissions to deploy to App Engine.
Here's an example of what you would need to do, specifically granting Cloud Build's service account the correct role.
Two commands can handle the perms needed (run in your terminal if you have gcloud sdk installed and authenticated or run in cloud shell for your project):
export PROJECT_ID=[[put your project id here]]
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
gcloud iam service-accounts add-iam-policy-binding ${PROJECT_ID}#appspot.gserviceaccount.com \
--member=serviceAccount:${PROJECT_NUMBER}#cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT_ID}
```
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member=serviceAccount:${PROJECT_NUMBER}#cloudbuild.gserviceaccount.com \
--role=roles/appengine.appAdmin
I'm working on a series of Cloud Functions in one Google Cloud project and, for some reason, I suddenly get this error:
Deployment failure:
Missing necessary permission resourcemanager.projects.getIamPolicy for service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com on resource projects/la-cloud-functions. Please grant service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com the Cloud Functions Service Agent role. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com --role=Cloud Functions Service Agent'
Besides the badly formatted error response (you can't have --role=Cloud Functions Service Agent - it should be --role=roles/cloudfunctions.serviceAgent), when I try to run the amended command:
gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com --role=roles/cloudfunctions.serviceAgent
I get this error:
The requested URL <code>/v1/projects/la-cloud-functions/serviceAccounts/projects/la-cloud-functions:getIamPolicy?alt=json</code> was not found on this server.
Finally, trying to assign the Cloud Functions Server Agent role through the console gave me another surprise - the role is missing from the list, where it should be under Service Management:
I have tried to reset the service account by re-enabling the Cloud Functions API with this command:
gcloud services enable cloudfunctions.googleapis.com
But again, no success.
Anyone have any ideas on how to fix this problem and make the Cloud Functions Service Agent role available again?
TIA - Joe
Try the following steps to solve this:
Disable Cloud Functions API:
gcloud services disable cloudfunctions.googleapis.com --project la-cloud-functions
Wait about a minute for the disable to complete.
Delete the cloud functions member account using the CLI or using the GCP Console under IAM.
gcloud projects remove-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
Wait about a minute. Then verify that this member has been removed in the GCP Console under IAM.
Enable Cloud Functions API:
gcloud services enable cloudfunctions.googleapis.com --project la-cloud-functions
Go back to the GCP Console. You should find a new Google Cloud Functions Service Agent member.
Note:
You are using the wrong command to add cloudfunctions.serviceAgent. Here is the correct command:
gcloud projects add-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
I have a machine that needs to run the following gcloud command:
gcloud projects list --format=json
The output error that gives me:
ERROR: (gcloud.projects.list) PERMISSION_DENIED: Request had insufficient authentication scopes.
Is pretty obvious that the current configuration and account set for the machine do not have the permissions.
Funny that when I use gcloud compute instances list --project=<project_ID> --format=json
It gives me a list of the machines listed in the project I specify.
I enabled the Google Resource Manager API
I even created some service account credentials and activated them in the machine. Still the same error.
In the SDK documentation there is no reference on how to enable credentials to see other projects
Anyone had this issue before? I saw outdated questions whose solutions didn't work out for me.
Edit
I should mention that the machine in question is a GCE instance and there is no way (unless I install manually the SDK, which is a mess I am not going to get into) to update the SDK.
Cloud API access scopes are set manually and there is no mention of the "Resource Manager" and i can't seem to add or remove any new API Accesses
According to this document, gcloud projects list shows all the active projects were the account has the Owner, Editor or Viewer project level role. As long as the service account you activated in your instance has one of those roles in a gcp project, you should be able to run the command.
For example, from your cloud shell grant the viewer role to your service account:
gcloud projects add-iam-policy-binding <your_project_id> \
--member serviceAccount:<your_service_account> --role roles/viewer
Activate the service account in your instance using the json key file:
gcloud auth activate-service-account --key-file=/path/key.json
Run the projects list command:
gcloud projects list --format=json