I am trying to create a Kubernetes cluster in Google Cloud Platform and I receive the following error when I try to create the cluster from the Web app:
An unknown error has occurred in Compute Engine: "EXTERNAL: Google
Compute Engine: Required 'compute.zones.get' permission for
'projects/my-project-198766/zones/us-west1-a'". Error code: "18"
When I use gcloud I receive this response:
(gcloud.container.clusters.create) ResponseError: code=403,
message=Google Compute Engine: Required 'compute.zones.get' permission
for 'projects/my-project-198766/zones/us-west1-a'
Please note that I have the Owner role and I can create VM instances without any issues.
Any ideas?
This sort of issue might arise if somehow your cloudservices robot gets removed as a project editor. My best guess is that in your case this is the issue.
This might happen due to API call which has SetIamPolicy that is missing cloudservices robot from the "roles/editor" bindings. SetIamPolicy is a straight PUT, it will override with whatever policy is provided in the request. You can get the list of IAM policies for your project with below command as given in this article.
gcloud projects get-iam-policy [project-id]
From the list, you can check whether below service account has the editor permission or not.
[id]#cloudservices.gserviceaccount.com
To fix the issue, you can grant the mentioned service account "Editor" permission and check whether that solves the issue or not.
Hope this helps.
in my case I deleted the service accounts / IAM's or whatever and that very same error message popped up, when I tried to create a kubernetes cluster.
I asked Google to recreate my service accounts, and they mentioned that you can recreate service accounts and their permissions simply by enabling them again. So, in my case I ran the following two commands in order to make kubernetes work again:
gcloud services enable compute
gcloud services enable container
Here is the link they gave me:
https://issuetracker.google.com/64671745#comment2
I think I got it. I tried to follow the advice from GitHub. The permissions I needed to set on my account (called blahblah-compute#developer.gserviceaccount.com) were:
roles/compute.instanceAdmin
roles/editor
roles/iam.serviceAccountUser
The last one seemed to be crucial.
For me recreating the service account with a new name from the console fixed the issue. I have only given the "Editor" role to the service account
I had accidently deleted the compute-service account. I had to follow all the steps mentioned above ie.
undelete the compute-service account
add the permission back to the service account - editor, serviceaccountuser, computeinstanceAdmin
Enable again compute and container services. Although these were not disabled, running gcloud services enable compute container, created some default service accounts for the compute robot such as service-#compute-system.iam.gserviceaccount.com and service-#container-engine-robot.iam.gserviceaccount.com
Hope this helps
As indicated by #Taher, that's most likely due to missing permissions for Google managed service accounts. If after checking the IAM policies for your project with gcloud projects get-iam-policy [project-id] you do not see the permissions listed, then you can add the required permissions by running the following:
project_id=[your-project-id]
project_number=$(gcloud projects describe $project_id --format='value(projectNumber)')
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#compute-system.iam.gserviceaccount.com" \
--role="roles/compute.serviceAgent"
gcloud projects add-iam-policy-binding $project_id \
--member="serviceAccount:service-$project_number#container-engine-robot.iam.gserviceaccount.com" \
--role="roles/container.serviceAgent"
The full list of Google managed service accounts (service agents) is available here.
Related
I want to run my google cloud server everyday on specific times. I set up an instance schedule for that but when i try to link my vm to the schedule it gives me the following error:
Compute Engine System service account service-390738840624#compute-system.iam.gserviceaccount.com needs to have [compute.instances.start] permissions applied in order to perform this operation.
Does anyone know how to solve this?
The service account service-390738840624#compute-system.iam.gserviceaccount.com does not have a role with the permission compute.instances.start.
The following IAM roles have the required permission:
roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
The following command will add the first role to the service account:
Replace $PROJECT_ID with your Project ID (not the project name).
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:service-390738840624#compute-system.iam.gserviceaccount.com \
--role roles/compute.instanceAdmin
Your account for which you are running the command, must have the privilege to grant/modify IAM roles on a service account. If you do not have the correct permissions, you will need to ask the Project Owner or Editor to perform this for you.
The CLI answer works but in case you dont use terminal here are the steps directly on the platform:
go to IAM
on the right side of the screen select "Include Google-provided role grants"
Find Principal that contain text "compute-system.iam.gserviceaccount.com"
edit (with little pen on the right)
from the popup shown select "+Add another role", select role "Compute Instance Admin" (can show beta or v1 in the brackets)
this fixed my issue
In order to complete the task, GCP is asking you to give the service account “service-390738840624#compute-system.iam.gserviceaccount.com” access to use “compute.instances.start” but the service account doesn't have the right permissions to execute the task.
When you set up an instance to run as a service account, you determine
the level of access the service account has by the IAM roles that you
grant to the service account. If the service account has no IAM roles,
then no API methods can be run by the service account on that
instance.
To grant, change, and revoke access to a single service account, please refer to this guide.
Be aware that to manage access to a service account, you need a role that includes the following permissions:
*iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy*
If you want to know which are the permission included in your account, please refer to this guide.
If you don't have the appropriate access to grant permissions, please refer to your system administrator.
To know more about compute engine roles and permissions, please follow this link.
If you wish to know more about services accounts, please follow this link.
To know more about the process of scheduling compute instances with Google Scheduler, please follow this link.
I have been following this documentation to set up an ESPv2 endpoint pretty successfully so far.
I am now up to the "Grant ESPv2 permission to call Service Management and Service Control" step, which tells me to run the following command:
gcloud projects add-iam-policy-binding PROJECT_NAME \
--member "serviceAccount:SERVICE_ACCOUNT" \
--role roles/servicemanagement.serviceController
Unlike in (most) previous steps, there is no clarification of how I might find what the value of SERVICE_ACCOUNT might be.
It simply says, "You can see the Cloud Run instance you deployed and the service account associated with it".
So, when I go to the instance that I deployed, I have to click on "SECURITY" under the recommendation column to see any information whatsoever about a service account. It says,
Cloud Run service cloud-run-cors-service in us-central1 is using the default Compute Engine service account. By default, this service account has broad IAM permissions.
Good. So I now know I'm using the default Compute Engine service account.
After searching for service account in the google cloud platform, I find an account called, "49...[numbers removed for security]-compute#developer.gserviceaccount.com". I try that in the
gcloud projects add-iam-policy-binding PROJECT_NAME \
--member "serviceAccount:SERVICE_ACCOUNT" \
--role roles/servicemanagement.serviceController
command from above and get:
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Service account 49...-compute#developer.gserviceaccount.com does not exist.
I subsequently clicked on the account name and got more details. I tried using
The service account name ("Default compute service account") in the above command. Similar
INVALID_ARGUMENT: Service account
error.
Just the first part of the email address (49...-compute).
Similar
INVALID_ARGUMENT: Service account
error.
The Unique ID.
Similar
INVALID_ARGUMENT: Service account
error.
Does anyone know what I should actually use here??
Other pages in the documentation suggest that I might try:
PROJECT_NUMBER-compute#developer.gserviceaccount.com
as well, which was the first thing above that I tried.
Any help here is much appreciated!
Incidentally, if anyone from google that has the ability to improve the documentation in that section (or knows how to get in touch with somebody who can) is reading this, an instantiated example of the command as we see in earlier parts of the documentation would be SUPER helpful here!
I'm trying to build a flex-template image using a service account:
gcloud dataflow flex-template build "$TEMPLATE_PATH" \
--image-gcr-path "$TEMPLATE_IMAGE" \
--sdk-language "JAVA" \
--flex-template-base-image JAVA11 \
--metadata-file "metadata.json" \
--jar "target/XXX.jar" \
--env FLEX_TEMPLATE_JAVA_MAIN_CLASS="XXX"
The service account has the following roles:
"roles/appengine.appAdmin",
"roles/bigquery.admin",
"roles/cloudfunctions.admin",
"roles/cloudtasks.admin",
"roles/compute.viewer",
"roles/container.admin",
"roles/dataproc.admin",
"roles/iam.securityAdmin",
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountUser",
"roles/iam.roleAdmin",
"roles/resourcemanager.projectIamAdmin",
"roles/pubsub.admin",
"roles/serviceusage.serviceUsageAdmin",
"roles/servicemanagement.admin",
"roles/spanner.admin",
"roles/storage.admin",
"roles/storage.objectAdmin",
"roles/firebase.admin",
"roles/cloudconfig.admin",
"roles/vpcaccess.admin",
"roles/compute.instanceAdmin.v1",
"roles/dataflow.admin",
"roles/dataflow.serviceAgent"
However, even with the dataflow.admin and dataflow.serviceAgent roles, my service account is still unable to perform this task.
The documentation https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates advises to grant the roles/owner role to the service account, but I'm hesitant to do that as this is meant to be part of a CI/CD pipeline and giving a service account an owner role doesn't really make sense to me unless I'm completely wrong.
Is there any way to circumvent this issue without granting the owner role to the service account?
I just ran into the exact same issue and spent a few hours figuring this out. We use terraform service account as well. As you mentioned there are 2 main issues: service account access and the build logs access.
By default, cloud build will use a default service account of form [project_number]#cloudbuild.gserviceaccount.com so you need to grant permissions to this service account to write to your gcs bucket backing the gcr container registry. I granted roles/storage.admin to my service account.
Like you mentioned, by default again, cloud build saves the logs at gs://[project_number].cloudbuild-logs.googleusercontent.com. This seems to be a hidden bucket in the project, at least I could not see it. In adddition, can't configure google_storage_bucket_iam_member for it, instead the recommendation as per this doc is to give roles/viewer at the project level to the service account running the gcloud dataflow ... command.
I was able to run the command successfully after the above changes.
When I am authenticating using service-account.json I am not able to access any projects, i.e. the command 'gcloud projects list' results in
Listed 0 items.
Setting gcloud project using the command 'gcloud config set project my-project' results in:
WARNING: You do not appear to have access to project [my-project] or it does not exist.
But this project is present in my service-account.json
I am trying to get my GKE cluster credentials to create a kubeconfig entry.
'gcloud container clusters get-credentials my-cluster --zone=us-central1-a'
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project/zones/us-central1-a/clusters/my -cluster".
When I log in to GCP using gcloud init and logging in with user account all these steps are giving successful results. But how should I authorise user account without opening browser. I cannot use '--console-only' flag as it still requires to copy-paste url and opening browser. I want to automate the full process of authenticating to user account by only using scripts
NOTE: The my-cluster GKE cluster was created under my-project and was created by me.
I suspect (!?) your service account has insufficient permissions (granted through roles).
To list projects (gcloud projects list), the service account must have (at least) resourcemanager.projects.get on (each of the projects) in the list. See:
https://cloud.google.com/resource-manager/docs/access-control-proj#permissions_and_roles
To retrieve cluster permissions, it must have container.clusters.get (see full list).
A good role that includes both is roles/container.clusterAdmin)
Service Accounts are challenging. They are both resources (particles) and identities (waves) and behave differently depending on context.
As resources, Service Accounts are created in (and owned) by a Project and may be granted permissions in any project (not just the owner).
As identities, Service Accounts may be granted roles that aggregate permissions to one of more methods. It is this step that I think you may be missing.
Google's IAM documentation is decent.
tl;dr: Cannot trigger an export with gcloud sql export sql ... on VM which always leads into a PERMISSION_DENIED even though I think that I have set all permissions for its Service Account.
The whole problem actually sounds relatively simple. I want to trigger an export of my Cloud SQL database in my Google Cloud Compute VM at certain times.
What I did so far:
Added the Cloud SQL Admin (just for the sake of testing) permission to the VMs service account in the IAM section.
Created and downloaded the service account key and used gcloud auth activate-service-account --key-file cert.json
Ran the following command:
gcloud sql export sql "${SQL_INSTANCE}" "gs://${BUCKET}/${FILENAME}" -d "${DATABASE}"
(this works without a problem with my own, personal account)
The command resulted in the following error:
ERROR: (gcloud.sql.export.sql) PERMISSION_DENIED: Request had insufficient authentication scopes.
What else I tried
I found this article from Google and used the Compute Service Account instead of creating a Cloud Function Service Account. The result is sadly the same.
You do not have the roles assigned to the service account that you think you have.
You need one of the following roles assigned to the service account:
roles/owner (Not recommended)
roles/viewer (Not recommended)
roles/cloudsql.admin (Not recommended unless required for other SQL operations)
roles/cloudsql.editor (Not recommended unless required for other SQL operations)
roles/cloudsql.viewer (Recommended)
Go to the Google Cloud Console -> Compute Engine.
Click on your VM instance. Scroll down and find the service account assigned to your VM instance. Copy the service account email address.
Run the following command (replace \ with ^ for Windows in the following command and specify your PROJECT ID (not PROJECT NAME) and the service account email address):
gcloud projects get-iam-policy <PROJECT_ID> \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:<COMPUTE_ENGINE_SERVICE_ACCOUNT>"
Double-check that the roles you require are present in the output.
To list your projects to obtain the PROJECT ID:
gcloud projects list
Note: Do not assign permissions directly to the service account. Assign permissions to the project granting the required role to the service account IAM member.
gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member serviceAccount:<COMPUTE_ENGINE_SERVICE_ACCOUNT> \
--role roles/cloudsql.viewer