I can't deploy despite having permissions on gcloud - deployment

When I try to deploy my project the following error appears:
ERROR: (gcloud.app.deploy) 403 Could not list bucket [page-example.com]: example#example.com does not have storage.objects.list access to page-example.com.

The solution I found was to update the gcloud components
with this command:
gcloud components update
Then log in again with your account.
gcloud auth login
With that you can deploy your web application.

Related

gcloud build requires "serviceusage.services.use", but i already have owner role

I am trying to submit a build using this command in the gcloud CLI:
gcloud builds submit --config cloudbuild.yaml .
but it returns this error:
(gcloud.builds.submit) The user is forbidden from accessing the bucket
[fastapi-api_cloudbuild]. Please check your organization's policy or
if the user has the "serviceusage.services.use" permission
I checked in the IAM admin panel and it says that my account has the owner role and that i have most permissions, and i authenticated in the gcloud cli, but i still get said error, i havent tried much since i have no idea what i could try since i already have the highest role. thank you.
Have you set your project in the cli with gcloud config set project <project>?
Otherwise the answer from this thread might help (billing).
or this one with Storage Admin
I had a similar issues (caused by the change of the billing account), and I fixed it by disabling Google Cloud Build API and re-enabling.
I used this commands:
gcloud services disable cloudbuild.googleapis.com --project "my_project"
gcloud services enable cloudbuild.googleapis.com --project "my_project"

Keep getting permissions error gcloud.container.clusters.get-credentials

I am trying to integrate CircleCi with gcloud Kubernetes engine.
I created a service account with Kubernetes Engine Developer and Storage Admin roles.
Created CircleCi yaml file and configured CI.
Part of my yaml file includes:
docker:
- image: google/cloud-sdk
environment:
- PROJECT_NAME: 'my-project'
- GOOGLE_PROJECT_ID: 'my-project-112233'
- GOOGLE_COMPUTE_ZONE: 'us-central1-a'
- GOOGLE_CLUSTER_NAME: 'my-project-bed'
steps:
- checkout
- run:
name: Setup Google Cloud SDK
command: |
apt-get install -qq -y gettext
echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}
Everything runs perfectly except that the last command:
gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}
It keeps failing with the error:
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.
I tried to give the ci account the role of project owner but I still got that error.
I tried to disable and re-enable the Kubernetes Service but it didn't help.
Any idea how to solve this? I am trying to solve it for 4 days...
This is an old thread, this is how this issue handled today in case using cloud build :
Granting Cloud Build access to GKE
To deploy the application in your Kubernetes cluster, Cloud Build needs the Kubernetes Engine Developer Identity and Access Management Role.
Get Project Number:
PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"
Add IAM Policy bindings:
gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
--member=serviceAccount:${PROJECT_NUMBER}#cloudbuild.gserviceaccount.com \
--role=roles/container.developer
More info can be found here.
I believe it's not the CI Service account but the k8s service account used to manage your GKE cluster, where its email should look like this (Somebody must have deleted it):
k8s-service-account#<project-id>.iam.gserviceaccount.com
You can re-create it an give it project owner permissions.
Step 1 : gcloud init
Step 2 : Select [2] Create a new configuration
Step 3 : Enter configuration name. Names start with a lower case letter and
contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account
Step 4 : Choose the account you would like to use to perform operations for
this configuration:[2] Log in with a new account
Step 5 : Do you want to continue (Y/n)? y
Step 6 : Copy paste the link to brwoser and login with the ID which is used to create your google Cloud Account
Step 7 : Copy the verification code provided by google after login and paste it in to the console.
Step 8 : Pick cloud project to use:
Step 9: Do you want to configure a default Compute Region and Zone? (Y/n)? y
Step 10 : Please enter numeric choice or text value (must exactly match list item): 8
Your Google Cloud SDK is configured and ready to use!
The details of the above mentioned errors are explained in this help center article.
To add the Kubernetes Engine Service account (if you don't have it), please run the following command, in order to properly recreate the Kubernetes Service Account with the "Kubernetes Engine Service Agent" role,
gcloud services enable container.googleapis.com
In my case, these 2 steps solved my issue:
In the command,
gcloud container clusters get-credentials my-cluster-1 --zone=asia-south1-a --
project=thelab-240901
the --project should have the projectID value, not the project name
In the your travis account, go to your project repository -> more options -> settings -> Environment Variables. Now make sure you have only one set of encrypted_iv and encrypted_key environment variables as follows:
If you have encrypted different service accounts (json key files), this could add more than one set of encrypted_iv and encrypted_key environment variables. So, delete all those variables and freshly create the encrypted keys, may be by using travis encrypt-file --pro yourServiceAccountJSONFile.json --add
I had this problem using gcloud with my main owner account (!)
What fixed it was including --zone and --project params in the command to get the kubectl credentials.
I faced this issue with different scenarios, Listing it down below hope it will help someone.
1. If you did a fresh installation of google-cloud-sdk then you must login
with gcloud using the below command.
gcloud auth login
The above command will open ur browser and ask for login with your GCP account.
2. Sometimes provisioning is not reflected. Hence i revoke my provision and granted access (In this case my role is Owner) again. Then it worked.
I was getting the same error when trying to connect to my newly created cluster:
gcloud container clusters get-credentials <foo-cluster> --zone europe-central2-a --project <foo-project>
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/foo-project/zones/europe-central2-a/clusters/foo-cluster".
I tried a few things:
I enabled Kuberentes API - no success
I added a key to service account and loged in using downloaded key:
gcloud auth activate-service-account --key-file=<path-to-the-downloaded-json-file>/foo-project-xxxx.json
Activated service account credentials for: [xxxx-compute#developer.gserviceaccount.com]
I run:
gcloud components update
However, I had a problem retriving data, all kubectl command were giving TLS handshake timeout, for example: kubectl get namespace was giving an error:
Unable to connect to the server: net/http: TLS handshake timeout
This is when I tried again:
gcloud container clusters get-credentials <foo-cluster> --zone europe-central2-a --project <foo-project>
and it worked
Fetching cluster endpoint and auth data.
kubeconfig entry generated for foo-project.

Could not find default credentials

I'm playing with Google container engine on gcloud. So after successfully finished gloud init I followed instructions and did:
gcloud container clusters get-credentials cluster-1 --zone europe-west1-c --project whatever
And then:
kubectl proxy
But I got the following error message:
error: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
I do see stuff in ~/.kube/config file so I'm not sure what went wrong. I have minikube also installed on the machine but I don't think that's a problem.
Use
gcloud auth application-default login
to login for application default creadentials (docs). The behavior for application default credentials has changed in gcloud since version 128.
Note that changing credentials via gcloud auth login or gcloud init or gcloud config set account MY_ACCOUNT will NOT affect application default credentials, they managed separately from gcloud credentials.

gcloud beta ml init-project -- Error: Project does not exist, or you do not have permission

I'm trying to get started with Google Machine Learning using these instructions: Getting Setup
When I run gcloud beta ml init-project I get
ERROR: (gcloud.beta.ml.init-project) Project [mnist1-151907] does not exist,
or you do not have permission to access it.
I'm running this command on Google Cloud's Ubuntu 16.04 virtual machine created under my projectID mnist1-151907 and I've given this machine access to all of Google Cloud's APIs.
The log ~/.config/gcloud/logs/2016.12.23/13.14.03.742050.log says
... "error": { "code": 403,
"message": Google Cloud Resource Manager API has not been used in project mnist1-151907 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=mnist1-151907 ...
I followed the log's instructions and the API is enabled, but I'm still getting the same error. Has anyone experienced this error or can offer a suggestion? Thank you.
I was receiving the same error after enabling the API. I had to play a little re-authenticating with the project the gcloud tool. i.e. gcloud init, gcloud auth revoke and gcloud auth login

kubectl access to Google Cloud Container Engine fails

In Google Cloud Platform I have a Container-Cluster with three running instances. I now want to connect from my terminal to be able to run kubectl commands. For this I ran the command
gcloud container clusters get-credentials cluster-1 --zone europe-west1-b --project project-id
I am using the real project name of course. This is the command shown by the dashboard when clicking on 'connect with the cluster'. The output of this command is:
Fetching cluster endpoint and auth data.
kubeconfig entry generated for cluster-1.
But when I run kubectlcommands afterwards like kubectl cluster-info I always get:
Unable to connect to the server: oauth2: cannot fetch token: 400 Bad Request
Response: {
"error" : "invalid_grant",
"error_description" : "Token has been revoked."
}
What am I missing here? gcloud commands like gcloud container clusters list work
I tried from a different machine at home, and there it was working after installing and setting up gcloud. I think that on my work machine there is still an oauth token stored with which I authenticated to a different google account I used for a test.
Edit: I got it running now. the problem was that I missed the second of the necessary calls:
gcloud auth login
gcloud auth application-default login