Sometimes after I run some command lines such as gcloud instances list
the output is shown after 1 or 2 minutes, rarely after 5 minutes.
When I tried to run gcloud instances ssh inst_name, this is console output I get:
ERROR: (gcloud.compute.ssh) There was a problem refreshing your current auth tokens: Unable to find the server at www.googleapis.com
Please run:
$ gcloud auth login
to obtain new credentials, or if you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Running either of those commands or both of them doesn't help.
Does someone know a workaround or root cause for my problem?
Related
I am trying to transfer a file from a Google Compute Engine VM instance to my local machine using gcloud scp. I am able to confirm that I am logged in to the Google Cloud account using:
gcloud config list
However when I execute the gcloud scp command, I see following error message:
ERROR: (gcloud.compute.scp) You do not currently have an active account selected.
Not sure why I am seeing the error even if I am logged in.
Here is how I am executing the command:
gcloud scp <instance_name>: <remote_file_path> .
Thanks in advance!
I am currently running 29 instances in each available regions on GCP. And I need all of the instances to have some python script file.
As I was getting tired to upload them manually through the console 29 times, I was wondering if there's a way to upload the script in only one instance, and copy them all over to 28 other instances with gcloud scp command?
Currently, I was trying the following:
sudo gcloud compute scp --zone='asia-east1-b' /home/file.txt instance-asia-east1:/home/
The code above is trying to scp "file.txt" over to the instance-asia-east1.
I included the sudo command as it was having some permission issues. But after adding the sudo, I get another error message:
root#000.000.000.00: Permission denied (publickey).
lost connection
ERROR: (gcloud.compute.scp) [/usr/bin/scp] exited with return code [1].
What can be the issue, and how can I resolve this?
You should avoid using sudo.
If you add --verbosity=debug to (any but in this case) gcloud compute ssh or gcloud compute scp command, you'll see that gcloud invokes your host's (probably /usr/bin) ssh and scp commands. It uses a private key that was generated by gcloud using your credentials (gcloud config get account or the default gcloud auth list).
gcloud compute scp \
${PWD}/${FILE} \
${INSTANCE}:. \
--project=${PROJECT} \
--zone=${ZONE} \
--verbosity=debug
Yielding:
DEBUG: Running [gcloud.compute.scp] with arguments: ...
...
DEBUG: Current SSH keys in project: ['...:ssh-rsa ... user#host']
DEBUG: Running command [/usr/bin/scp -i .../.ssh/google_compute_engine -o ...
INFO: Display format: "default"
DEBUG: SDK update checks are disabled.
NOTE /usr/bin/scp -i .../.ssh/google_compute_engine ...
When you run as sudo, even if you copy your credentialed user's google_compute_engine SSH keys (to e.g. /root/.ssh), the authenticated user won't match, unless you also duplicate the gcloud config...
I recommend you solve the permission issue that triggered your use of sudo.
I'm using gcloud and kubectl to handle my resources (Kubernetes, VM and so on). Everything worked find until I read some article that created a new service account and activate it via cloud. Something like this:
gcloud auth activate-service-account --key-file=path/to/key
The created service account has limited permissions to few resources. When I run commands, like:
kubectl --namespace production get pods
I'm getting back response like:
Error from server (Forbidden): pods is forbidden: User
"SA-USER#PROGECTNAME.iam.gserviceaccount.com"
cannot list resource "pods" in API group "" in the namespace
"production": requires one of ["container.pods.list"] permission(s).
The SA SA-USER#PROGECTNAME.iam.gserviceaccount.com is the service account that I created yesterday. For some reason, it took control on my default permissions and I'm locked out because this user almost has no permissions.
I tried to make the gcloud forget this service account without success. Things I tried:
Uninstall & Install of gcloud and kubectl
Remove the config directory ("~/.config/gcloud/")
gcloud auth login
All those tried was failed. I still getting the same message as above.
How I can make gcloud and kubectl forget this service account?
Thanks!
UPDATE for the new auth plugin:
Some time ago, gke adopted the new auth plugin architecture for kubernetes.
In the new plugin gke-gcloud-auth-plugin, the authentication cache is at
macOS: ~/.kube/gke_gcloud_auth_plugin_cache
(Please edit this answer to include locations in others operation systems.)
You can just delete that file.
There is a problem with the expiration of the authentication token used by kubectl.
When you choose a new user via gcloud and make a kubectl request, an authentication token is cached locally.
A workaround is to edit your ~/.kube/config and set a date in the past for the expiry field on the relevant user section.
You can perform a gcloud auth application-default login
You can also see the current configuration of your gcloud CLI by doing gcloud config list. You can change some default parameter with gcloud config set param_name param_value. For example (because you will use often it if you have several projects)
gcloud config set project MyProjectId
With these, you will be able to solve your issue
I'm currently experiencing inconsistency when trying to revoke my gcloud credentials after I'm done using my service account.
gcloud auth activate-service-account --key-file=mykey.json
{commands...}
gcloud auth revoke
At times the revoke command does work, but sometimes it (randomly?) fails with this error:
ERROR: gcloud crashed (TokenRevokeError): invalid_request
If you would like to report this issue, please run the following
command: gcloud feedback
To check gcloud for common problems, please run the following command:
gcloud info --run-diagnostics
When this happens, I can see that running gcloud auth list afterwards still lists the account, though it isn't marked as active.
While after a successful revoke, the account is not listed at all (makes sense, as it has been revoked and removed).
Did anybody experience this issue?
You should upgrade to the latest version of gcloud per #john-hanley's suggestion.
Please see the documentation for gcloud auth revoke.
It is not possible to revoke service account tokens.
The message you're receiving is unhelpful (although accurate, it is an invalid request) but you should not see the credentials listed after issuing the command and this may be addressed by upgrading.
I have a google cloud instance that has a program running which creates a file at the end of the run. Now the file that has been created needs to be retrieved to my local machine.
I tried the following commands as per this link. My command is as follows
gcloud compute scp root#<instance-name>:~/folder1/folder2/file_name.rds ~/Documents/
After entering the password, I get the following error.
Permission denied (publickey).
ERROR: (gcloud.compute.scp) [/usr/bin/scp] exited with return code [1].
I have set Compute Engine to Read Write. Is there anything else I have missed out? Thank you in advance!
Try to run on your command line first:
gcloud auth login
and then
gcloud beta auth application-default login
Log in with the google account owner of the project