When creating a Dataproc cluster I have the following error message:
ERROR: (gcloud.dataproc.clusters.create) NOT_FOUND: Service Account not found: '[PROJECT_NUMBER]-compute@developer.gserviceaccount.com'
I get the same error when creating it from the console or with the gcloud CLI command. Can anyone help, please? Many thanks.
As mentioned by John Hanley, this issue occurs because Dataproc requires the Compute Engine API default service account to create the cluster instances; however, if this account is no longer displayed within your IAM > Service Account console, it will be required to disable and enable the Compute Engine API in order to try to recreate it; otherwise, you can create a new project to recreate your environment.
On the other hand, in case you want to use a different service account for your Dataproc cluster, you can create a new service account and grant it the required GCE and Dataproc roles; in this way, you can specify the service account name to use when creating your cluster.
gcloud dataproc clusters create <CLUSTER_NAME> --service-account=<SERVICE_ACCOUNT_NAME>
Related
I tried to deploy an OpenVPN Access Server to Google Compute Engine and received the following error message:
openvpn-access-server-1-vm: {"ResourceType":"compute.v1.instance","ResourceErrorCode":"EXTERNAL_RESOURCE_NOT_FOUND","ResourceErrorMessage":"The resource 'PROJECT_ID-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found."}
PROJECT_ID is just a placeholder for my own PROJECT_ID.
In the cloud console, I can't find the "compute engine default service account" (I think, I accidentally deleted it last year). In the log files, I found in 2020 it's ACCOUNT_ID, so I tried to undelete it with the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
I had no success, I received:
ERROR: (gcloud.beta.iam.service-accounts.undelete) NOT_FOUND: Not found; Not found AccountDataType for <numeric_id>
<numeric_id> was a 12-digit number.
I tried to disable and enable the compute service to restore the default service account, but it wasn't successful. I received:
response:
  '@type': type.googleapis.com/google.iam.admin.v1.ServiceAccount
serviceName: iam.googleapis.com
status:
  code: 6
  message: ALREADY_EXISTS
receiveTimestamp: '2021-08-05T06:45:55.798772716Z'
Because of this error, I tried to delete it, but this didn't work either.
Now I don't know what to do to get the default service account back.
Does it still exist or not?
Why isn't it working?
Keep in mind, I'm talking about PROJECT_ID-compute@developer.gserviceaccount.com.
service-PROJECT_ID@compute-system.iam.gserviceaccount.com exists and is recreated each time I disable and enable the Compute Engine API again.
Thanks for helping.
Since the Service Account was deleted a year ago, it cannot be undeleted using the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
This only works for Service Accounts deleted fewer than 30 days ago. See "Undeleting a service account" for more information.
Instead, we can create a new Service Account and grant the 'Editor' role to it, as the Default Compute Engine Service Account has the same role by default. See "Compute Engine default service account" for more information.
Now, we can create a new Compute Engine VM using the new Service Account. See "Setting up a new instance to run as a service account" for more information.
If we already have a running VM and the Service Account got deleted, as @John Hanley suggested, we can edit the VM instance in the Google Cloud Console and assign the new Service Account to the instance. See "Changing the service account and access scopes for an instance" for more information.
To set the new Service Account as the Compute Engine Default Service Account on the project, we can use the following command:
gcloud alpha compute project-info set-default-service-account
But since the command is in the 'alpha' launch stage, it is not available for everyone.
Another workaround would be creating a new project and deploying our instance there.
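Added example (not part of the original posts): the threads above mix up two different accounts, the Compute Engine default service account and the Compute Engine service agent that comes back when the API is re-enabled. This sketch pulls the account name out of an error message, classifies it, and checks a list of account emails for the default account. The function names, project number 123456789012 and project ID example-project are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original posts. All sample values are constructed.

# Print the first *.gserviceaccount.com address found in an error message (stdin).
sa_from_error() {
  grep -oE '[A-Za-z0-9_.-]+@[A-Za-z0-9.-]+\.gserviceaccount\.com' | head -n 1
}

# classify_sa EMAIL PROJECT_NUMBER PROJECT_ID -> prints one label
classify_sa() {
  case "$1" in
    "$2-compute@developer.gserviceaccount.com")
      echo compute-default ;;        # the account the NOT_FOUND errors refer to
    "service-$2@compute-system.iam.gserviceaccount.com")
      echo compute-service-agent ;;  # Google-managed agent, a different account
    *"@$3.iam.gserviceaccount.com")
      echo user-managed ;;           # an account created inside this project
    *)
      echo other ;;
  esac
}

# default_sa_status PROJECT_NUMBER -> "present" or "missing"
# Reads one account email per line on stdin.
default_sa_status() {
  dss_want="$1-compute@developer.gserviceaccount.com"
  dss_state=missing
  while IFS= read -r dss_line || [ -n "$dss_line" ]; do
    if [ "$dss_line" = "$dss_want" ]; then dss_state=present; fi
  done
  echo "$dss_state"
}

# Constructed sample data in the shape of the messages quoted in the posts.
SAMPLE_ERROR="ERROR: (gcloud.dataproc.clusters.create) NOT_FOUND: Service Account not found: '123456789012-compute@developer.gserviceaccount.com'"
SAMPLE_ACCOUNTS="workaround-sa@example-project.iam.gserviceaccount.com
ci-deployer@example-project.iam.gserviceaccount.com"

named=$(printf '%s\n' "$SAMPLE_ERROR" | sa_from_error)
echo "account named in error: $named ($(classify_sa "$named" 123456789012 example-project))"
echo "default account in list: $(printf '%s\n' "$SAMPLE_ACCOUNTS" | default_sa_status 123456789012)"
```

With real data, pipe the output of gcloud iam service-accounts list --format="value(email)" into default_sa_status together with the project number.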
I am trying to create a Kubernetes cluster in GCP, but I am unable to create it and get the following error: "Google Compute Engine: Required 'compute.machineTypes.get' permission for 'projects/PROJECT_ID/zones/us-central1-a/machineTypes/e2-medium'".
I am also getting a zonal error, as follows:
"Google Compute Engine: Required 'compute.zones.get' permission for 'projects/PROJECT_ID/zones/us-central1-a'".
From the error I understand that it is a permission issue.
In order to create a Kubernetes cluster, create a service account and assign the editor role to it. Now, activate the service account in gcloud shell. Using the following command, create a cluster:
gcloud container clusters create sample-cluster
If the problem still persists, you need to grant the following permissions to the service account.
roles/compute.instanceAdmin
roles/iam.serviceAccountUser
Yes, it is a permission issue. I added the "Kubernetes Engine Admin" role to my user in IAM, and that solved my issue with creating a Kubernetes cluster in GCP. Thanks for your suggestion.
I have accidentally deleted my service accounts on GCP that were created at the time of enabling the Compute API. Now I have disabled and enabled it many times, but it's not creating new service accounts.
Now I am getting this error:
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? Y
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The resource 'does_not_exist@invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.
deactivate the compute API
To have the Compute Engine default service account back after its accidental deletion you must contact the Compute Engine team as it's explained in the following documentation.
Meanwhile, if you want to keep working on that project, you can create another service account and associate it with the same role, for example, that the Compute Engine default service account had.
This role, named editor, is of the primitive type and you can find more about it here.
In this way, you will be able to create Compute Engine instances. Just follow these steps:
Set some variables:
zone=us-central1-b
PROJECT_NUMBER=$(gcloud projects describe $DEVSHELL_PROJECT_ID --format="value(projectNumber)")
sa_name=no-clone-$PROJECT_NUMBER-compute
Create a new service account and update the project IAM policy by adding to it a binding between that service account and the primitive role explained above:
gcloud iam service-accounts create $sa_name --display-name="Work around deletion of Compute Engine default service account"
sa=$(gcloud iam service-accounts list --filter=$sa_name --format="value(email)")
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member="serviceAccount:$sa" --role="roles/editor"
Create a new instance with the newly created service account and test it out:
gcloud compute instances create test01 --zone=$zone --quiet --service-account=$sa
gcloud compute ssh test01 --zone=$zone --command="cat /etc/os-release"
For more background in Identity and Access Management refer to this documentation.
Try using gcloud app repair:
gcloud beta app repair - restores required App Engine features to the current application
I am trying to provision a k8s cluster on Google Cloud Platform using gcloud:
$ gcloud container clusters create my-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=400,
message=service account "xxxxxx-compute@developer.gserviceaccount.com" does not exist.
Any idea as to why this error is occurring? I have been able to provision in the past w/o any issue until now.
Verify that the active account is your own account, and not a service account that lacks permission to create clusters.
Example command to check this and output:
$ gcloud auth list
Credentialed Accounts:
- xxxxx@developer.gserviceaccount.com
- user@example.com ACTIVE
If you don't see ACTIVE next to the expected account, then set it to the right account with:
$ gcloud config set account <correctaccountname>
Maybe you switched to the service account a while back and forgot about it?
I got the same error while creating a cluster using GKE. Earlier I was getting this error because I did not attach the service account (which needs to be created and assigned with a role having Kubernetes specific permissions).
Now, the further question you might have is where to attach the service account. For this you need to go to Create Cluster --> Node Pool Section --> More Options --> (a new window will pop up) --> Security section --> in the Service account dropdown, choose the service account.
Once you do it, save and create the cluster; hopefully you will not get the same error.
~ gcloud container clusters create example-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=403,
message=Google Compute Engine: Required 'compute.zones.get' permission
for 'projects/saleop-166407/zones/asia-northeast1-a'
This is the shell script I used to start a container cluster.
I failed with the web console (using the UI), the gcloud SDK CLI and Google Cloud Shell.
It is saying something about permission, but I couldn't find any change I made.
So I created a new project and did the same thing, and then it worked. What is the problem?
Did you change the roles of your Compute Engine default service account in Console --> IAM/Admin --> IAM section, or for other accounts? It looks like your Compute account cannot use the compute API.
Make sure your Compute Engine default service account has "Editor" role on your project.
That's the only explanation I can think of, because when you create a new project, that project gets a brand new Compute Engine service account with correct permissions.