I am having real difficulty setting up ray auto-scaling on google cloud compute. I can get it to work on AWS no problem, but I keep running into the following error when running ray up:
googleapiclient.errors.HttpError: https://cloudresourcemanager.googleapis.com/v1/projects?alt=json returned "Service accounts cannot create projects without a parent.">
My project is part of an organization, so I don't understand where this is coming from, or why it would need to create a project in the first place. I have entered my project id in the yaml file like I normally do for AWS.
Thank you very much. I appreciate any help I can get!!
The error message referring to service account, together with the fact that the project already exists, suggests that the googlecloudapiclient used by Ray Autoscaler is authenticated for a service account that doesn't have access to the project.
If this is true, then here's what I believe happens. Typically, when running Ray GCP Autoscaler, it will first check if the project with the given id exists. In your case, this request returns "not found" because there's no project with the given id associated with the service account. Now, because the project did not exist, Ray will automatically try to create one for you. Typically, if we created a new GCP project with a user account (i.e. non-service account), the newly created project would be associated with the user account's default organization. Service accounts, however, must specify a parent organization explicitly when creating a new project. If we look at the ray.autoscaler.config._create_project function, we see that the arguments passed to the projects.create method omit the 'parent' argument, which explains why you see the error.
To verify if this is true (and hopefully fix the problem), you could change the account used for authenticating with the googlecloudapiclient. I believe that the credentials used for the googlecloudapiclient requests are the same as used by the Google Cloud SDK, so you should be able to configure the accounts using the gcloud auth login command.
I think the Ray Autoscaler could be improved by either allowing user to explicitly specify the parent organization when creating a new project, or at least by providing a more elaborate error message for this particular case.
I hope this fixes your problem. If it doesn't, and you believe that that it's a problem with the Autoscaler, don't hesitate to open an issue or feature request to the Ray Issues page!
Related
I was playing around with terraform to create an infrastructure for a couple of services on GCP. GCP organises all the infra in so called projects. I specified a project_id incrorrectly in terraform files(actually I set project_id to already existing in my GCP, but ptoject name was different). Terraform in plan phase was successful, but after apply it failed. Then I executed terraform destroy, set correct project_id(and name), executed terraform apply again, this time successfully. But when I opened the GCP console I saw that actually 2 projects were created in project list(one with correct name and id and another with some random name: smth like My Project 1234 as name and beaming-light-546562 as id). And now gcloud projects list command shows 3 projects(this random one, correct one and previously existing one).
The problem is that I can't remove that "random" project, neither from gcloud utility nor from gcp console. I get an error
<myuser_mail_address> does not have permission to access projects instance or poject doesn't exist
Also that random project is not linked to my billing account.
How can I remove that "random" project
EDIT
It seems strange that the project with id beaming-light-546562 can't be removed by me(the owner of an account) with reasons that I do not have permissions to do that. Also the name of an id: it is similar to technic docker is using for generating names of running containers. I do not recall that terraform has such a feature. Could it be gcp itself who generates such random names?
I tried to recreate the error i.e, I created a sample project(via console) and deleted the same sample project in cloud shell using this command
gcloud projects delete <project ID> and again tried to delete the same sample project in cloud shell and got this error message:
You can cross verify if the reason listed in the image i.e PROJECT_DELETE_INACTIVE is present in the output of your gcloud projects delete <project ID> command.This means that the project is inactive and the project becomes inactive when it's deleted.
From this document :
The project takes approximately 30-days for complete deletion, At the end of the 30-day period, the project and all its resources are deleted and cannot be recovered.
Edit:
It seems to be a known issue with GCP. Leaving “Google Groups” related to GCP is a fix to this issue. You can track this Public Issue for more information.
You might have been added into a project through a group, so it appears in the project list. However, you have not been granted permission to modify the IAM of that project, so you can't remove the group from the permission list.
As a workaround, you can leave "Google Groups" related to GCP and reload the GCP console webpage so that all your unknown/inaccessible projects will disappear from the projects list. You can find what groups you're a member of, using this Google Groups link.
NOTE : You can leave the groups in order to lose the access, but there could be a situation where your email is added to a single role/permission and you would not be able to remove yourself from the IAM list.
Our organization uses Google Cloud APIs for integrating Maps and other services in a number of websites.
We have often used the same API key, without creating a distinct Google Cloud project (and credentials) for each website/project.
We are trying to better organize our API usage, but we are facing an issue.
While we can consult the reports of our Billing account and see the quota for the unique API project used for every implementation, we cannot see and manage this project (it does not appear in the list) even though it seems to belong to the same organization. (EDIT: I am not sure that the organization id is the same, but the name of the organizazion appears as a prefix to the project name in the billing reports)
This project has been created years ago (and the person that created it appears not to have access to it either), but we need to access it to get a clear understanding of where and how APIs are used.
The connected APIs are still in use and working, so we assume the project exists.
Can someone point out the possible reasons why a project is not shown even though it belongs to an organization for which we have access as administrators?
Thank you in advance
In order to see a project in lists, you need the resourcemanager.projects.list IAM permission on the project and to get it's metadata, the resourcemanager.projects.get permission.
How did you find that it has the same organizationId? If you managed to get the metadata via gcloud projects describe, you are likely missing the list permission.
In any case, if the project is indeed part of the organization, an org admin should be able to use gcloud projects add-iam-policy-binding to add a new owner/editor.
There is a special case with Apps Scripts: Those create a hidden project.
If all fails, reach out to GCP Support. Keep in mind though that they will not be able to help you if the project is not within your organization (eg. created with an unrelated gmail.com account or similar)
I'm trying to create multiple projects inside my Organisation. My use case is:
1. I want to make an API call that creates a new project.
2. I want to create a new DialogFlow agent (chatbot).
Dialogflow API looks pretty straightforward. Since it's backend implementation, I am using service accounts to achieve this.
My problem is that when I'm trying to create a service account, it is always scoped to some project. I spent the whole day trying to give that service account all the access that I could find, but it's still giving me a Forbidden error.
Can someone explain to me if this is possible and if so - how should I configure it through the Cloud Console so that I can end up with a service account that creates projects (that can be scoped to some folder/project if it makes it easier)?
If the answer is yes - can I create multiple chatbots in one project? And what type of permissions do I need to achieve that?
Thanks!
my development team has been sparingly trying out Google Cloud Platform for about 10 months. Every member was using the same account to access GCP, say team#example.com. We created three projects under this account.
Starting in about July, we cannot see these projects in the GCP console anymore. Instead, there is one project named My First Project, which we have never created.
However, our original GCP projects still seem to exist, as we can still access for example some of the Google Cloud Functions via HTTP.
Therefore, I have the impression that the connection between our account and the projects has been lost.
OR
A second account with the same name has been accidentally created?
Additional curiosities:
Yesterday I tried to create a Google Cloud Identity account, using team#example.com. It did not work; when entering that address the input field showed an error like "Please use another email address. This is a private Google account." (It was actually in German, so I'm guessing the translation.)
When I go to accounts.google.com, the account selection screen offers team#example.com twice. No matter which entry I choose, I always end up in the GCP console with My First Project.
How can I recover my team's GCP projects?
Which Google support site may I consult to check on the account(s)?
Usually, there is a 1:1 mapping between a certain email address and a Google Account. However, this can be broken under certain situations - for example when creating / deleting / migrating G Suite or Cloud Identity accounts under the domain the email address uses.
If you hit such an edge case, there's not much you can do yourself. Reach out to GCP Support who should be able to resolve the issue for you.
Keep in mind that orphaned resources have a timer on them before they are deleted - so act quickly and do not rely on apps still responding being a sign that they will continue indefinitely.
when i'm trying to deploy firebase function from my local machine i'm getting this error.
functions: failed to create function dialogflowFirebaseFulfillment
HTTP Error: 400, Default service account 'project-id#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.
and the project that i'm trying to deploy is, https://github.com/actions-on-google/codelabs-nodejs/tree/master/level1-complete
It seems your service account is removed. You may want to check whether your firebase & actions on google projects are removed or not.
If they are not, check for service accounts on console.cloud.google.com and make sure all your accounts are same as you are trying to deploy. (firebase, dialogflow, app-engine etc.) Also, disabling and enabling the Cloud Functions API may help as mentioned in error.
I notice that your error has 'project-id#appspot.gserviceaccount.com'.
Shouldn't the project-id be your {project-id} from the google action that you created, and not the word project-id.