We Keep Coding

GCP: Compute Engine Default Service Account missing

I tried to deploy an OpenVPN Access Server to Google Compute Engines and received the following error message:
openvpn-access-server-1-vm: {"ResourceType":"compute.v1.instance","ResourceErrorCode":"EXTERNAL_RESOURCE_NOT_FOUND","ResourceErrorMessage":"The resource 'PROJECT_ID-compute#developer.gserviceaccount.com' of type 'serviceAccount' was not found."}
PROJECT_ID is just a placeholder for my own PROJECT_ID.
In the cloud console, I can't find the "compute engine default service account" (I think, I accidentally deleted it last year). In the log files, I found in 2020 it's ACCOUNT_ID, so I tried to undelete it with the following command:
gcloud beta iam service-accounts undelete ACCOUNT_ID
I had no success, I received:
ERROR: (gcloud.beta.iam.service-accounts.undelete) NOT_FOUND: Not found; Not found AccountDataType for <numeric_id>
<numeric_id> was a 12-digit number.
I tried to disable and enable compute service to restore the default service account, but it wasn't successful, I received:
response:
'#type': type.googleapis.com/google.iam.admin.v1.ServiceAccount
serviceName: iam.googleapis.com
status:
code: 6
message: ALREADY_EXISTS
receiveTimestamp: '2021-08-05T06:45:55.798772716Z'
Because of this error, I tried to delete it, but this didn't work too.
Now I don't know what to do, to get the default service account back.
Is it still existing or not?
Why isn't it working?
Keep in mind, I'm talking about PROJECT_ID-compute#developer.gserviceaccount.com.
service-PROJECT_ID#compute-system.iam.gserviceaccount.com is existing and recreated each time I disable and enable the Compute Engine API again.
Thanks for helping.

Since the Service Account was deleted an year ago it cannot be undeleted using the following command,
gcloud beta iam service-accounts undelete ACCOUNT_ID
This only works for Service Accounts deleted fewer than 30 days ago. Undeleting a service account for more information.
Instead, we can create a new Service Account and grant an ‘Editor’ role to it. As a Default Compute Engine Service Account has the same role by default. Compute Engine default service account for more information.
Now, we can create a new Compute Engine VM using the new Service Account. Setting up a new instance to run as a service account for more information.
If we already have a running VM and the Service Account got deleted, As #John Hanley suggested, we can edit the VM instance in the Google Cloud Console and assign the new Service Account to the instance. Changing the service account and access scopes for an instance for more information.
To set the new Service Account as the Compute Engine Default Service Account on the project, we can use the following command,
gcloud alpha compute project-info set-default-service-account
But since the command is in the ‘alpha’ launch stage, it is not available for everyone.
Another workaround would be creating a new project and deploying our instance there.

Google Cloud Platform - AI Platform Instance Issue

I am trying to launch a notebook instance in AI platform but getting this error:
You are missing at least one of the following required permissions:
Project
compute.instances.list
But for the current project within the role as defined by project owner this permission has already been given apart from other compute instance permissions.
But still gives the permission error.
Thanks for help in advance

The service account used to create a notebook instance in Google AI platform is the default Compute Engine service account which has the primitive roles/editor.
Permission: Compute Engine default service account
The Compute Engine default service account is created with the Cloud
IAM project editor role, but you can modify the service account's
roles to securely limit which Google APIs the service account can
access.
You can check that the roles/editor includes compute.instances.list :
gcloud iam roles describe roles/editor | grep compute.instances.list
For troubleshooting check:
If you have the default compute service account:
gcloud iam service-accounts list | grep compute#developer.gserviceaccount.com
gcloud iam service-accounts describe your-project-number-compute#developer.gserviceaccount.com
Check the roles of the default compute service account:
gcloud projects get-iam-policy your-project --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:your-project-number-compute#developer.gserviceaccount.com"
Assuming you are the owner of the project, you should be able to create a new notebook instance with the default compute engine service account.

i have accidently deleted my Service accounts on gcp

i have accidently deleted my Service accounts on gcp that was created on the time of compute API enabling , now i disabled and enabled it many times but its not creating new Service accounts .
now i am getting this error :
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? YERROR: (gcloud.compute.instances.create) Could not fetch resource: - The resource 'does_not_exist#invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.
deactivate the compute API
services-exploring-project)$ gcloud compute instances create mytest
Did you mean zone [asia-southeast1-b] for instance: [mytest] (Y/n)? Y
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The resource 'does_not_exist#invalid-project.iam.gserviceaccount.com' of type 'serviceAccount' was not found.

To have the Compute Engine default service account back after its accidental deletion you must contact the Compute Engine team as it’s explained in the following documentation.
Meanwhile, if you want to keep working on that project, you can create another service account and associate it with the same role, for example, that the Compute Engine default service account had.
This role, named editor, is of the primitive type and you can find more about it here.
In this way, you will be able to create Compute Engine instances. Just follow this steps:
Set some variables;
zone=us-central1-b
PROJECT_NUMBER=$(gcloud projects describe $DEVSHELL_PROJECT_ID --format="value(projectNumber)")
sa_name=no-clone-$PROJECT_NUMBER-compute
Create a new service account and update project IAM policy by adding to it a binding between that service account and the primitive role explained above;
gcloud iam service-accounts create $sa_name --display-name="Work around deletion of Compute Engine default service account"
sa=$(gcloud iam service-accounts list --filter=$sa_name --format="value(email)")
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID --member="serviceAccount:$sa" --role="roles/editor"
Create a new instance with the newly-created service account and test it out;
gcloud compute instances create test01 --zone=$zone --quiet --service-account=$sa
gcloud compute ssh test01 --zone=$zone --command="cat /etc/os-release"
For more background in Identity and Access Management refer to this documentation.

Try using gcloud app repair:
gcloud beta app repair - restores required App Engine features to the current application

GCP dataproc service account not_found

When creating a Dataproc cluster I have the following error message:
ERROR: (gcloud.dataproc.clusters.create) NOT_FOUND: Service Account not found: '[PROJECT_NUMBER]-compute#developer.gserviceaccount.com'
Same error when create from console or from gcloud CLI command. Anyone can help please? Many thanks.

As mentioned by John Hanley, this issue is being generated as Dataproc requires to use the Compute engine API default service account to create the cluster instances; however, if this account is not longer displayed within your IAM > Service Account console, it will be required to disable and enable the Compute Engine API in order to try to recreate it; otherwise, you can create a new project to recreate your environment.
On the other hand, in case you want to use a different service account for your Dataproc cluster, you can create a new service account and grant it with the required GCE and Dataproc roles; in this way, you can specify the service account name to use when creating your cluster.
gcloud dataproc clusters create <CLUSTER_NAME> --service-account=<SERVICE_ACCOUNT_NAME>

Unable to provision k8s from gcloud: "Account does not exist"

I am trying to provision a k8s cluster on Google Cloud Platform using gcloud
$ gcloud container clusters create my-cluster
ERROR: (gcloud.container.clusters.create) ResponseError: code=400,
message=service account "xxxxxx-compute#developer.gserviceaccount.com" does not exist.
Any idea as to why this is error is occurring? I have been able to provision in the past w/o any issue until now.

Verify that the active account is your own account, and not a service account that lacks permission to create clusters.
Example command to check this and output:
$ gcloud auth list
Credentialed Accounts:
- xxxxx#developer.gserviceaccount.com
- user#example.com ACTIVE
If you don't see ACTIVE next to the expected account, then set it to the right account with:
$ gcloud config set account <correctaccountname>
Maybe you switched to the service account a while back and forgot about it?

I got the same error while creating a cluster using GKE. Earlier I was getting this error because I did not attach the service account (which needs to be created and assigned with a role having Kubernetes specific permissions).
Now, the further question you might have where to attach the service account, for this you need to go the Create Cluster --> Node Pool Section --> More Options --> (a new window will popup) --> security section --> In-Service account dropdown Choose the Service account.
Once you do it, then save and say create a cluster, hopefully you will not get the same error.