I'm working on a series of Cloud Functions in one Google Cloud project and, for some reason, I suddenly get this error:
Deployment failure:
Missing necessary permission resourcemanager.projects.getIamPolicy for service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com on resource projects/la-cloud-functions. Please grant service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com the Cloud Functions Service Agent role. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com --role=Cloud Functions Service Agent'
Besides the badly formatted error response (you can't have --role=Cloud Functions Service Agent - it should be --role=roles/cloudfunctions.serviceAgent), when I try to run the amended command:
gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com --role=roles/cloudfunctions.serviceAgent
I get this error:
The requested URL <code>/v1/projects/la-cloud-functions/serviceAccounts/projects/la-cloud-functions:getIamPolicy?alt=json</code> was not found on this server.
Finally, trying to assign the Cloud Functions Server Agent role through the console gave me another surprise - the role is missing from the list, where it should be under Service Management:
I have tried to reset the service account by re-enabling the Cloud Functions API with this command:
gcloud services enable cloudfunctions.googleapis.com
But again, no success.
Anyone have any ideas on how to fix this problem and make the Cloud Functions Service Agent role available again?
TIA - Joe
Try the following steps to solve this:
Disable Cloud Functions API:
gcloud services disable cloudfunctions.googleapis.com --project la-cloud-functions
Wait about a minute for the disable to complete.
Delete the cloud functions member account using the CLI or using the GCP Console under IAM.
gcloud projects remove-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
Wait about a minute. Then verify that this member has been removed in the GCP Console under IAM.
Enable Cloud Functions API:
gcloud services enable cloudfunctions.googleapis.com --project la-cloud-functions
Go back to the GCP Console. You should find a new Google Cloud Functions Service Agent member.
Note:
You are using the wrong command to add cloudfunctions.serviceAgent. Here is the correct command:
gcloud projects add-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961#gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
Related
I am attempting to deploy a Cloud Run service from source from a GitLab CI pipeline. I can deploy it manually, with my own credentials, but am struggling to give the right credentials to the CI pipeline to get it to deploy.
These are the commands in my pipeline:
gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
gcloud run deploy api --source=./api/ --region=us-cental1
CLOUD_RUN_CREDENTIALS is a pipeline file variable that contains the key for a service account I have created for this purpose. The service account has the following roles:
Cloud Build Editor role
Artifact Registry Admin role
Storage Admin role
Cloud Run Admin role
Service Account User role
In the Cloud Build settings I have enabled Cloud Run Admin and Service Account User.
When I run this GitLab job, I get the following error:
$ gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
Activated service account credentials for: [XXXXXXXXXXX#XXXXXXXXXX.iam.gserviceaccount.com]
$ gcloud run deploy api --source=./api/ --region=us-cental1
ERROR: Error in retrieving repository from Artifact Registry.
ERROR: (gcloud.run.deploy) INVALID_ARGUMENT: Request contains an invalid argument.
Is this a permissions issue? What permissions do I need to give this service account to allow the deployment to succeed? If not, what am I doing wrong?
If you use the Build from Source feature. The Cloud Build Service Account is the one used to perform certain actions, like pulling and pushing images from Artifact Registry.
You have to grant the Cloud Build Service account (the one called PROJECT_NUMBER#cloudbuild.gserviceaccount.com) the required permissions.
Go to IAM, look for the Cloud Build Service Account and grant it the permissions you listed above. That should solve the issue.
The Service Account used from GitLab doesn't need all these permissions. Cloud Run Admin should be enough
Cloud Composer is not getting deleted properly with this error:
DELETE operation on this environment failed 4 days ago with the following error message:
RPC Skipped due to required preoperation not finished yet.
RPC Skipped due to required preoperation not finished yet.
here's the error screenshot:
Please, follow the below steps to delete environments resources manually:
Delete GKE cluster, that corresponds to environment
Delete the Google Storage bucket used by environment
Delete the related deployments with:
gcloud deployment-manager deployments delete <DEPLOYMENT_NAME> --delete-policy=ABANDON
Then try again to delete the Composer environments with:
gcloud composer environments delete <ENVIRONMENT_NAME> --location <LOCATION>
The problem you are facing could be also related with a misconfiguration with the Cloud Composer service account in your project. By default, Cloud Composer environments run as the Compute Engine default service account, but when you are using a custom service account, at a minimum, that service account requires the permissions that the composer.worker role provides to access resources in the Cloud Composer environment. Please refer to this documentation for further details about how to grant a role to a service account.
Please, try to add the policy binding for Cloud Composer API Service Agent role to the service account, so the command would be:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=<MEMBER> --role=roles/composer.serviceAgent
The member should be of the form user|group|serviceAccount:email or domain:domain (refer to documentation).
Then, please retry the action of remove your Composer environments. I hope you find the above pieces of information useful.
I am trying to create a cluster with GKE. I have a project I have been using already.
When I run
gcloud container clusters create cluster1
I get the following:
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.
The same thing happens when I use the web UI. Both my service account and my user have owner roles.
I have tried the following to get the cluster create command to work:
I tried adding a policy binding for the project for my existing service account:
gcloud projects add-iam-policy-binding <my-project> \
--member serviceAccount:<my-user>#<my-project>.iam.gserviceaccount.com \
--role roles/compute.admin
I read enabling the container api service was required
gcloud services enable container.googleapis.com
Started over. I deleted the service account, created a new one and activated the creds with:
gcloud auth activate-service-account <my-user>#<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}
I also tried authenticating with my account user:
gcloud auth login
None of these work and I can't create a cluster
I think I will answer my own question here. From service account docs
When you create a new Cloud project using GCP Console and if Compute Engine API is enabled for your project, a Compute Engine Service account is created for you by default. It is identifiable using the email:
PROJECT_NUMBER-compute#developer.gserviceaccount.com
I had delete the default created service accounts somehow and possible the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate, I decided it was best to just start a new project. Afterwords, the cluster create API and console work just fine.
Debug:
gcloud container subnets list-usable --project service-project --network-project shared-vpc-project
If you get warning in output:
WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED:
Google Compute Engine: Required 'compute.projects.get' permission for
'projects/shared-vpc-project'
It means your google managed gke service account in host project doesn't exist.
To solve go to host project apis and enable Kubernetes Engine API. If it's enabled, disable it and enable again back.
I think you should set the compute engine service account permission:
gcloud projects add-iam-policy-binding <my-project> \
--member [PROJECT_NUMBER]-compute#developer.gserviceaccount.com \
--role roles/compute.admin
I'm getting a permission error when trying to deploy an image to cloud run:
gcloud beta run deploy endpoints_proxy \
--image="gcr.io/endpoints-release/endpoints-runtime-serverless:1.30.0" \
--allow-unauthenticated
This is the error:
ERROR: (gcloud.beta.run.deploy) User [email-goes-here] does not have permission to access namespace [project-id-goes-here] (or it may not exist): Cloud Run does not have permission to get access tokens for the default compute service account, 1088973916567-compute#developer.gserviceaccount.com. Please give Google Cloud Run Service Agent the permission iam.serviceAccounts.getAccessToken on the default compute service account.
My account has owner and editor permissions, I even tried attaching the Cloud Run Service Agent role.
I also tried adding these roles to the "default compute service account" listed in the error, didn't work.
The error message is very misleading, the error occurs because the Cloud Run Service Agent was missing.
After creating the following service account:
Name: service-<account-id>#serverless-robot-prod.iam.gserviceaccount.com
Role: Google Cloud Run Service Agent
The problem got solved. Looks like Cloud Run needs this service account to work, so don't ever delete it :)
You should enable permissions to the Cloud Build service account.
It won't work unless you do so.
Google Cloud Console > Cloud Build > Cloud Build Settings > enable access to the GCP services that you are using.
(see the images attached)
Cloud Build Panel
Cloud Build Panel - enable services that you want
Also, just make sure billing hasn't expired. When mine did, I got these opaque errors (such as this one) that didn't reference to billing in any way.
If the service-<project-id>#serverless-robot-prod.iam.gserviceaccount.com is not present in GCP console, just run this command:
gcloud projects add-iam-policy-binding --member=serviceAccount:service-<project-id>#serverless-robot-prod.iam.gserviceaccount.com --role=roles/run.serviceAgent <project-id>
I have a machine that needs to run the following gcloud command:
gcloud projects list --format=json
The output error that gives me:
ERROR: (gcloud.projects.list) PERMISSION_DENIED: Request had insufficient authentication scopes.
Is pretty obvious that the current configuration and account set for the machine do not have the permissions.
Funny that when I use gcloud compute instances list --project=<project_ID> --format=json
It gives me a list of the machines listed in the project I specify.
I enabled the Google Resource Manager API
I even created some service account credentials and activated them in the machine. Still the same error.
In the SDK documentation there is no reference on how to enable credentials to see other projects
Anyone had this issue before? I saw outdated questions whose solutions didn't work out for me.
Edit
I should mention that the machine in question is a GCE instance and there is no way (unless I install manually the SDK, which is a mess I am not going to get into) to update the SDK.
Cloud API access scopes are set manually and there is no mention of the "Resource Manager" and i can't seem to add or remove any new API Accesses
According to this document, gcloud projects list shows all the active projects were the account has the Owner, Editor or Viewer project level role. As long as the service account you activated in your instance has one of those roles in a gcp project, you should be able to run the command.
For example, from your cloud shell grant the viewer role to your service account:
gcloud projects add-iam-policy-binding <your_project_id> \
--member serviceAccount:<your_service_account> --role roles/viewer
Activate the service account in your instance using the json key file:
gcloud auth activate-service-account --key-file=/path/key.json
Run the projects list command:
gcloud projects list --format=json