I have accidentally deleted my service accounts on GCP - google-cloud-platform

I have accidentally deleted my service accounts on GCP that were created at the time of enabling the Compute API. Now I have disabled and enabled it many times, but it is not creating new service accounts.
Now I am getting this error:
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? Y
ERROR: (gcloud.compute.instances.create) Could not fetch resource: - The resource 'does_not_exist@invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.
After deactivating the Compute API:
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? Y
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The resource 'does_not_exist@invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.

To have the Compute Engine default service account back after its accidental deletion you must contact the Compute Engine team as it’s explained in the following documentation.
Meanwhile, if you want to keep working on that project, you can create another service account and associate it with the same role, for example, that the Compute Engine default service account had.
This role, named editor, is of the primitive type and you can find more about it here.
In this way, you will be able to create Compute Engine instances. Just follow these steps:
Set some variables;
zone=us-central1-b
PROJECT_NUMBER=$(gcloud projects describe $DEVSHELL_PROJECT_ID --format="value(projectNumber)")
sa_name=no-clone-$PROJECT_NUMBER-compute
Create a new service account and update project IAM policy by adding to it a binding between that service account and the primitive role explained above;
gcloud iam service-accounts create $sa_name --display-name="Work around deletion of Compute Engine default service account"
sa=$(gcloud iam service-accounts list --filter=$sa_name --format="value(email)")
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member="serviceAccount:$sa" --role="roles/editor"
Create a new instance with the newly-created service account and test it out;
gcloud compute instances create test01 --zone=$zone --quiet --service-account=$sa
gcloud compute ssh test01 --zone=$zone --command="cat /etc/os-release"
For more background on Identity and Access Management refer to this documentation.

Try using gcloud app repair:
gcloud beta app repair - restores required App Engine features to the current application

Related

Creating a custom service account for Cloud Run using the gcloud CLI

Background
By default, Cloud Run uses the Compute Engine default service account, which grants a broad range of permissions that are not required by the container I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
Create a role with the desired set of permissions (using gcloud iam roles create)
Create a service account (using gcloud iam service-accounts create)
Bind the role permissions to the service account.
Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three-way binding between a user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding, with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition to a user-managed service account, but it's not mandatory. You can also create a user-managed service account and bind it to predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path of the role:
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>
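The four steps above written out end to end, as an added example that is not code from the question or the answer. Every value is a placeholder assumption (project, region, role ID, service account name, service name, image), the permission set storage.objects.get and storage.objects.list is only an illustration of a minimal grant, and the script defaults to DRY_RUN=1 so it prints the gcloud commands instead of running them until you set DRY_RUN=0:

```sh
#!/bin/sh
# Added example: least-privilege runtime identity for a Cloud Run service.
# All values below are placeholders; override them from the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
ROLE_ID="${ROLE_ID:-cloudRunBucketReader}"
SA_NAME="${SA_NAME:-run-bucket-reader}"
SERVICE="${SERVICE:-bucket-reader}"
IMAGE="${IMAGE:-gcr.io/${PROJECT_ID}/bucket-reader:latest}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# Fully qualified path of a project-level custom role (what --role expects).
role_path() { printf 'projects/%s/roles/%s\n' "$1" "$2"; }

# Email a user-managed service account receives in a project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Execute a command, or print it prefixed with "+" when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+'; printf ' %s' "$@"; printf '\n'
  else
    "$@"
  fi
}

SA="$(sa_email "$SA_NAME" "$PROJECT_ID")"
ROLE="$(role_path "$PROJECT_ID" "$ROLE_ID")"

# Step 1: custom role carrying only the permissions the container needs.
run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
  --title="Cloud Run bucket reader" \
  --description="Read objects from a bucket, nothing else" \
  --permissions=storage.objects.get,storage.objects.list --stage=GA

# Step 2: user-managed service account that will be the service's identity.
run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
  --display-name="Runtime identity for $SERVICE"

# Step 3: bind the custom role to the service account at project level,
# using the fully qualified role path rather than the bare role ID.
run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SA" --role="$ROLE"

# Step 4: deploy with that identity instead of the Compute Engine default SA.
run gcloud run deploy "$SERVICE" --image="$IMAGE" --region="$REGION" \
  --service-account="$SA" --no-allow-unauthenticated
```

Whoever runs the deploy also needs iam.serviceAccounts.actAs on the new account (roles/iam.serviceAccountUser grants it); without it step 4 is rejected even though the binding in step 3 is correct.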

GCP VM Auto Stop and Start setup using GCP Instance schedule

I'm trying to set up auto stop/start of some of my VMs in GCP and I already have VM admin permission, but when adding a VM to an instance schedule I created, I'm getting the error below:
Compute Engine System service account service-5424xxxxxxx@compute-system.iam.gserviceaccount.com needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation.
The problem is that the service account service-5424xxxxxxx@compute-system.iam.gserviceaccount.com does not have a role that contains the permissions compute.instances.start and compute.instances.stop.
The following roles contain that permission:
Compute Instance Admin - roles/compute.instanceAdmin
Compute Instance Admin (v1) - roles/compute.instanceAdmin.v1
Use the Google Cloud Console GUI to add the desired role or use the CLI:
gcloud projects add-iam-policy-binding REPLACE_WITH_PROJECT_ID \
--member "serviceAccount:service-5424xxxxxxx@compute-system.iam.gserviceaccount.com" \
--role "roles/compute.instanceAdmin.v1"
Of course, use the correct service account email address.

GCP - can't attach disk to an existing instance

I'm trying to attach a new disk to an existing instance.
I'm able to create the disk, however, when I try to attach it, it fails with the following error:
The resource 'xyz-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found.
What is preventing me here, and how can I add a disk?
The information requested by John Hanley would be very helpful to narrow down the issue and provide an accurate response to your question, however, that error message is typically shown when the Compute Engine default Service Account was deleted, if that is the case you have 3 possible options:
a) If the Service Account was deleted less than 30 days ago, it might be still possible to recover it using the command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
The output of that command should look like this:
restoredAccount:
email: sa-name@project-id.iam.gserviceaccount.com
etag: BwWWE7zpApg=
name: projects/project-id/serviceAccounts/sa-name@project-id.iam.gserviceaccount.com
oauth2ClientId: '123456789012345678901'
projectId: project-id
uniqueId: 'account-id'
You can follow the steps here, in order to recover it.
b) If it has been more than 30 days and undeleting is not possible, you will have to create a new Service Account and set it as the default Compute Engine Service Account. The steps for this would be:
Create a new Service Account with the name of your choice
You can do it through Cloud console by navigating to IAM -> Service Accounts page and clicking on '+ Create Service Account'. Or, if you prefer using the gcloud command, you can create a new account by using the command:
gcloud iam service-accounts create <NEW-SA-ACCT-NAME> --display-name="Compute Engine default service account"
Get the email id associated with this service account either via Cloud Console Service Accounts page, or using the gcloud command:
gcloud iam service-accounts list
Once you have done the above steps, you can set this new Service Account as the Compute Engine default Service Account using the alpha command:
gcloud alpha compute --project=<PROJECT-ID> project-info set-default-service-account --service-account=<NEW-SA-ACCT-NAME-EMAIL>
Note: This command is currently in ALPHA and may change without notice. If this command fails with API permission errors despite specifying the right project, you may be trying to access an API with an invitation-only early access allowlist, as described here.
c) As a last option and as long as you don't have any other resources running in Compute Engine or you don't mind losing those resources, you can disable the Compute Engine Service following the steps here and then re-enable it following this guide, that will recreate the default SA and you will be able to complete the required process.

Google Cloud Platform - AI Platform Instance Issue

I am trying to launch a notebook instance in AI platform but getting this error:
You are missing at least one of the following required permissions:
Project
compute.instances.list
But for the current project within the role as defined by project owner this permission has already been given apart from other compute instance permissions.
But still gives the permission error.
Thanks for help in advance
The service account used to create a notebook instance in Google AI Platform is the default Compute Engine service account, which has the primitive role roles/editor.
Permission: Compute Engine default service account
The Compute Engine default service account is created with the Cloud IAM project editor role, but you can modify the service account's roles to securely limit which Google APIs the service account can access.
You can check that the roles/editor includes compute.instances.list :
gcloud iam roles describe roles/editor | grep compute.instances.list
For troubleshooting check:
If you have the default compute service account:
gcloud iam service-accounts list | grep compute@developer.gserviceaccount.com
gcloud iam service-accounts describe your-project-number-compute@developer.gserviceaccount.com
Check the roles of the default compute service account:
gcloud projects get-iam-policy your-project --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:your-project-number-compute@developer.gserviceaccount.com"
Assuming you are the owner of the project, you should be able to create a new notebook instance with the default compute engine service account.
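As an added example (not part of the answer), the role check above turned into a small audit that reads the same get-iam-policy output and flags the two things worth knowing after an incident like the one in the first question: bindings that grant a basic role (owner, editor, viewer) to the account, and bindings whose member starts with deleted:, which is how IAM renders a binding left behind after its principal was deleted. The sample bindings, project number 123456789012 and the other identities in them are constructed for this example; audit_project wires the same function to a live gcloud call and is not run here:

```sh
#!/bin/sh
# Added example: audit IAM bindings for a service account from gcloud csv output.

# Constructed sample of the csv that the gcloud command in audit_project prints:
# one "role,member" line per binding. Not real project data.
SAMPLE_BINDINGS='roles/editor,serviceAccount:123456789012-compute@developer.gserviceaccount.com
roles/compute.instanceAdmin.v1,serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com
roles/editor,deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=112233445566778899
roles/owner,user:alice@example.com
roles/storage.objectViewer,serviceAccount:app-reader@my-project.iam.gserviceaccount.com'

# Read "role,member" lines on stdin and print one finding per binding whose
# member contains $1. Tags: STALE (principal was deleted, binding is dead
# weight), BASIC (owner/editor/viewer, too broad for a workload identity), OK.
audit_bindings() {
  pattern="$1"
  while IFS=, read -r role member; do
    case "$member" in
      *"$pattern"*) ;;
      *) continue ;;
    esac
    case "$member" in
      deleted:*) printf 'STALE %s %s\n' "$role" "$member"; continue ;;
    esac
    case "$role" in
      roles/owner|roles/editor|roles/viewer) printf 'BASIC %s %s\n' "$role" "$member" ;;
      *) printf 'OK %s %s\n' "$role" "$member" ;;
    esac
  done
}

# Number of findings with tag $1 for member pattern $2 over the sample data.
count_tag() {
  tag="$1"; pattern="$2"
  printf '%s\n' "$SAMPLE_BINDINGS" | audit_bindings "$pattern" | grep -c "^$tag " || true
}

# Live version: same filter over the real project policy (requires gcloud auth).
audit_project() {
  project="$1"; pattern="$2"
  gcloud projects get-iam-policy "$project" --flatten="bindings[].members" \
    --format="csv[no-heading](bindings.role,bindings.members)" | audit_bindings "$pattern"
}

# Demo on the constructed data: every binding mentioning the default compute SA.
printf '%s\n' "$SAMPLE_BINDINGS" | audit_bindings "compute@developer.gserviceaccount.com"
```

On the sample this reports one BASIC finding (the live default account still holding roles/editor) and one STALE finding (the editor binding of the deleted copy, which undelete does not need but which should be removed if you replace the account instead).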

gcp container cluster initialization failed

~ gcloud container clusters create example-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.zones.get' permission for 'projects/saleop-166407/zones/asia-northeast1-a'
This is the shell script I used to start a container cluster.
I failed with the web console (using the UI), the gcloud SDK CLI and Google Cloud Shell.
It is saying something about permission, but I couldn't find any change I made.
So I created a new project and did the same thing, then it worked. What is the problem?
Did you change the roles of your Compute Engine default service account in Console --> IAM/Admin --> IAM section, or for other accounts? It looks like your Compute account cannot use the compute API.
Make sure your Compute Engine default service account has "Editor" role on your project.
That's the only explanation I can think of, because when you create a new project, that project gets a brand new Compute Engine service account with correct permissions.