Looks like there's a bug.
Following official documentation:
https://cloud.google.com/compute/docs/instances/create-start-instance
After
gcloud compute instances create test-2
Recieved:
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
- The resource '1045904521672-compute#developer.gserviceaccount.com' of type 'serviceAccount' was not found.
Being authorized correctly, role is set to Owner.
> gcloud auth list
returns
Credentialed Accounts
ACTIVE ACCOUNT
* **#gmail.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
However, an instance can be created with custom service account.
Any ideas?
Thank you in advance.
This seems similar to: Unable to create cluster on Dataproc after deleting default service account
Perhaps the answers there can help you out.
Related
I am trying to submit a build using this command in the gcloud CLI:
gcloud builds submit --config cloudbuild.yaml .
but it returns this error:
(gcloud.builds.submit) The user is forbidden from accessing the bucket
[fastapi-api_cloudbuild]. Please check your organization's policy or
if the user has the "serviceusage.services.use" permission
I checked in the IAM admin panel and it says that my account has the owner role and that i have most permissions, and i authenticated in the gcloud cli, but i still get said error, i havent tried much since i have no idea what i could try since i already have the highest role. thank you.
Have you set your project in the cli with gcloud config set project <project>?
Otherwise the answer from this thread might help (billing).
or this one with Storage Admin
I had a similar issues (caused by the change of the billing account), and I fixed it by disabling Google Cloud Build API and re-enabling.
I used this commands:
gcloud services disable cloudbuild.googleapis.com --project "my_project"
gcloud services enable cloudbuild.googleapis.com --project "my_project"
I am trying to create an end point for an API to be deployed into existing GKE cluster by following the instructions in Getting started with Cloud Endpoints for GKE with ESPv2
I clone the sample code in the repo and modified the content of openapi.yaml:
# [START swagger]
swagger: "2.0"
info:
description: "A simple Google Cloud Endpoints API example."
title: "Endpoints Example"
version: "1.0.0"
host: "my-api.endpoints.my-project.cloud.goog"
I then deployed it via the command:
endpoints/getting-started (master) $ gcloud endpoints services deploy openapi.yaml
Now I can see that it has been created:
$ gcloud endpoints services list
NAME TITLE
my-api.endpoints.my-project.cloud.goog
I also have postgreSQL service account:
$ gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
my-postgresql-service-account my-postgresql-service-acco#my-project.iam.gserviceaccount.com False
In the section Endpoint Service Configuration of documentation it says to add the role to the attached service account for the endpoint service as follows, but I get this error:
$ gcloud endpoints services add-iam-policy-binding my-api.endpoints.my-project.cloud.goog
--member serviceAccount:my-postgresql-service-acco#my-project.iam.gserviceaccount.com
--role roles/servicemanagement.serviceController
ERROR: (gcloud.endpoints.services.add-iam-policy-binding) User [myusername#mycompany.com] does not have permission to access services instance [my-api.endpoints.my-project.cloud.goog:getIamPolicy] (or it may not exist): No access to resource: services/my-api.my-project.cloud.goog
The previous lines show the service exits, I guess? Now I am not sure how to resolve this? What permissions do I need? who can give me permission and what permissions he should have? how can I check? Is there any other solution?
The issue got resolved after I was assigned the role of "Project_Admin". It was not ideal as it was giving too much permission to me. The role "roles/endpoints.portalAdmin" was also tried but did not help.
When I run this in cmd line:
gcloud builds submit --tag "gcr.io/<project id>/<cloudrun app name>"
I get this error:
ERROR: (gcloud.builds.submit) HTTPError 403: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>[service accoun name]#[project-id].iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>
Here are the roles I've assigned to the Service account (yes, its overkill, just trying to get it to work):
I've tried these solutions, but they haven't worked:
service account does not have storage.objects.get access for Google Cloud Storage
(gcloud.app.deploy) HTTPError 403: <account> does not have storage.objects.get access to the Google Cloud Storage object
What scopes / roles are required for a service account to be able to submit container builder jobs?
What am I doing wrong?
Hello I had the same issue. Solved it by adding the role "Viewer" to my service account as explained here : https://github.com/google-github-actions/setup-gcloud/issues/105
Could you please confirm that you are using the default service account to trigger your build? If you are using a different service account to trigger the build, use the similar role which your default service account has as well.
Make sure you have the following roles for the service account:
Cloud Build Service account
Service Account User
Cloud Run Admin
You can change the permissions from the Cloud Build Settings page.
Then try running your builds again.
Have you tried creating a new service with a prebuilt demo container from the web console like described here?
We got the same error ("... does not have storage.objects.get access ...") initially, but it worked once we created a first demo service using the Google Cloud Console.
I'm trying to use terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster module of version "~> 7.3" to create a cluster in region europe-west2. But I keep getting error:
Error: googleapi: Error 403: Google Compute Engine: Required 'compute.regions.get'
permission for 'projects/***/regions/europe-west2'., forbidden
The weird thing is that I'm trying to do that using user with Editor role. So, it should have permission to read region. I tried to add more roles for the user (made it all kind of admins), but the result is still the same.
Could you please advice, where can be my mistake?
Please check if your [id]#cloudservices.gserviceaccount.com service account has the editor role.
List all service accounts with gcloud projects get-iam-policy [project-id] command and look for the account. it should look similar to this:
- members:
- serviceAccount:67993345594-compute#developer.gserviceaccount.com
- serviceAccount:679934532594#cloudservices.gserviceaccount.com
- serviceAccount:service-674567382594#containerregistry.iam.gserviceaccount.com
- serviceAccount:test2-468#asdf.iam.gserviceaccount.com
- serviceAccount:asdf#appspot.gserviceaccount.com
role: roles/editor
Second from the top is the account you're looking for and the bottom line says "roles/editor" which is the correct situation.
If this account doesn't have this role you can grant it using command:
gcloud projects add-iam-policy-binding [project] /
--member serviceAccount:[id]#cloudservices.gserviceaccount.com --role roles/editor
It's all described in the documentation.
Very similar issues were discussed on StackOverflow here and here.
I managed to solve that problem. It appeared that my provisioner dropped some roles, which are required for GKE to work properly. In particular,
serviceAccount:service-${project-number}#compute-system.iam.gserviceaccount.com must be roles/compute.serviceAgent.
serviceAccount:service-${project-number}#container-engine-robot.iam.gserviceaccount.com must be roles/compute.serviceAgent.
To find that I disabled Kubernetes engine service and enabled it back and google cloud automatically recovered required roles for that service accounts.
I had the same problem after switching account in gcloud.
I solve it by running
gcloud auth application-default login
It sets application default credentials for Packer/Terraform to call Google APIs.
source: https://cloud.google.com/sdk/gcloud/reference/auth/application-default
I launched an instance with service level accounts enabled. For example it has storage-rw set. I verfied that the instance has those. Now whenever i run gsutil ls gs://my_bucket from within the instance I get the error: Failure: unauthorized_client.
gcloud auth list returns
Credentialed accounts:
- xxxx#developer.gserviceaccount.com (active)
I need to use gcloud sdk from an instance because i need more components other than the gcutil and gsutil.
So my question is how can I authorize gcloud to use the xxxx#developer.gserviceaccount.com account and thus the permissions only specified on the instance and not my personal user account which has full permissions to everything?
The gcloud CLI definitely handles Google Compute Engine service accounts. If you see it as "(active)" when you do $ gcloud auth list, that should be sufficient.
Two things can be going wrong here:
You are using the wrong gsutil.
When you install the Google Cloud SDK, it will create google-cloud-sdk/bin/gsutil, and THAT is the one you want to run. Do $ which gsutil to double check. If you're running google-cloud-sdk/platform/gsutil/gsutil, that's the wrong one, and it won't know about anything that gcloud can tell it.
The account doesn't have permissions to access the bucket you're trying to inspect. You'll have to ask the owner of the bucket to add it to the project that owns that bucket.
Source: Engineer for the Google Cloud SDK
See "Authenticating to Google Compute Engine" section in this doc: https://developers.google.com/compute/docs/gcutil/