I have created project in GCP. Then i create service account with ComputeAdmin role. Then i enable "Compute Engine API" for project.
But can't work with instances:
#gcloud compute instances list
ERROR: (gcloud.compute.instances.list) Some requests did not succeed: - Required 'compute.zones.list'
permission for 'projects/someproject'
what am I doing wrong ?
Edited
from service account:
ERROR: (gcloud.projects.get-iam-policy) User
[cloud66#project_id.iam.gserviceaccount.com] does not have permission
to access project [project_id:getIamPolicy] (or it may not exist): The
caller does not have permission
When i switch to main google account:
$ gcloud projects get-iam-policy project_id bindings:
members:
serviceAccount:cloud66#project_id.iam.gserviceaccount.com
role: roles/compute.admin
members:
serviceAccount:service-855312803173#compute-system.iam.gserviceaccount.com
role: roles/compute.serviceAgent
members:
serviceAccount:855312803173-compute#developer.gserviceaccount.com
serviceAccount:855312803173#cloudservices.gserviceaccount.com
role: roles/editor
members:
user:my_google_user role: roles/owner
From Logs view:
2020-01-28 16:46:30.932 EET Compute Engine list zones
cloud66#project_id.iam.gserviceaccount.com PERMISSION_DENIED
code: 7
message: "PERMISSION_DENIED"
Have a look at the documentation first. Usually such error occurs if your service account doesn't have enough permissions. In this case, you should check available roles, search there for required permission like compute.zones. and add it to your service account as it described here. For example it could be Compute Instance Admin (v1) role.
EDIT It look like Compute Admin role should work for you. To be sure, check granted roles in your project with command:
gcloud projects get-iam-policy YOUR_PROJECT_ID
If want to use your service account with Cloud API from some application have a look at this instructions.
EDIT2 Try to check your service account and key from 3rd place (like some linux desktop or server) as it described in the documentation.
The first time I created a service account "cloud66" in the Google test period. Most likely, this affected the access rights. Then I switched billing from a test period to a paid one. I deleted and recreated the cloud66 service account in the "APIs & Services -> Credentials" section. But there was an access policy for "cloud66" with the role of "ComputeAdmin" in the "IAM" section. When I deleted the access policy from the "IAM" section and recreated the service account, the problem was resolved.
Related
I tried openshift redhat k8s distro and now there are 2 projects that i need to delete. I can only login as user 'erjcan', this is my primary acc and it seems not to be allowed to do admin actions.
The 'delete button' is inactive in gui console, i tried to create a role for myself but can't.
I tried to create admin-like role and assume it as a user, but it is not allowed either.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: all-stuff
namespace: erjcan-stage
rules:
- apiGroups:
- ''
resources:
- '*'
verbs:
- '*'
This code above gives me RBAC not allowed error:
An error occurred
roles.rbac.authorization.k8s.io "all-stuff" is forbidden: user "erjcan"
(groups=["system:authenticated:oauth" "system:authenticated"]) is
attempting to grant RBAC permissions
not currently held: {APIGroups:[""], Resources:["*"],
Verbs:["*"]}
I tried to delete via cli, but i can only login as erjcan user.
Logged into "https://api.sandbox-m2.ll9k.p1.openshiftapps.com:6443" as "erjcan" using the token provided.
You have access to the following projects and can switch between them with 'oc project <projectname>':
erjcan-dev
* erjcan-stage
Using project "erjcan-stage".
bash-4.4 ~ $
bash-4.4 ~ $ oc delete project erjan-dev
Error from server (Forbidden): projects.project.openshift.io "erjan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjan-dev"
bash-4.4 ~ $ oc delete project erjcan-dev
Error from server (Forbidden): projects.project.openshift.io "erjcan-dev" is forbidden: User "erjcan" cannot delete resource "projects" in API group "project.openshift.io" in the namespace "erjcan-dev"
How to delete a project in redhat openshift gui console?
You appear to be talking about using Red Hat's developer sandbox. Which, indeed, does not allow you to delete projects. There's no way around that: RBAC is specifically set up to not allow you to create or delete projects.
You don't say why you need to delete the projects. They will go away eventually do to inactivity. But, if you just want a clean slate, or just need to remove what you have inside that project you do have permission to delete everything in the project (just not the project itself).
oc delete all --all will remove everything inside the current project. Obviously use that command with strict care: there is no confirmation or warning. (BTW, the first "all" is saying all types of objects: pods/deployments/routes/etc, the second --all is saying "yes, I'm deliberately not providing a filter or any other subset, I really mean delete all of the objects I'm specifying".
Similarly, the following two commands should clean up both of your projects. (Although they will still exist.)
oc delete all --all -n erjcan-stage
oc delete all --all -n erjcan-dev
I am trying to deploy code from this repo:
https://github.com/anishkny/puppeteer-on-cloud-functions
in Google Cloud Build. My cloudbuild.yaml file contents are:
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
I have given the following roles to my Cloud Build Service account (****#cloudbuild.gserviceaccount.com):
Cloud Build Service Account
Cloud Functions Developer
Yet, in my Cloud Build log I see the following error:
starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"
FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][ 0.0 B/ 835.0 B]
/ [1 files][ 835.0 B/ 835.0 B]
Operation completed over 1 objects/835.0 B.
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1
What am I missing?
It would appear that the permissions changed when (perhaps) Cloud Functions went GA. Another customer raised this issue today and I recalled your question.
The Cloud Build robot (${NUM}#cloudbuild.gserviceaccount.com) additionally needs to be a serviceAccountUser of the ${PROJECT-ID}#appspot.gserviceaccount.com account:
NB While the Cloud Build robot local part is the project number (${NUM}), the appspot robot local part is the project ID (${PROJECT})
Please try:
PROJECT=[[YOUR-PROJECT-ID]]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}#appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}#cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
Let me know!
I struggled with this too after reading quite a bit of documentation. A combination of the above answers got me on the right track. Basically, something like the following is needed:
PROJECT=[PROJECT-NAME]
NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}#appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}#cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}#[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
--member='serviceAccount:service-${NUM}#gcf-admin-robot.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'
Also, I added the "Cloud Functions Developer" role to my #cloudbuild.gserviceaccount.com account via the IAM Console.
According to Cloud Build documentation, for Cloud Functions you have to grant the "Project Editor" role to your service account.
But, Cloud Functions documentation states that alternatively to using the Project Editor role, you can use "the Cloud Functions Developer role [but you have to] ensure that you have granted the Service Account User role". Regarding Service Accounts, it indicates to have "the CloudFunctions.ServiceAgent role on your project" and to "have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function".
Due to those considerations, my understanding is that the documentation omitted to specify all the roles your service account would need and went directly to indicate to grant the Project Editor role.
You have to update Service Account permissions on Cloud Build settings page.
Here is instructions https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#fully-managed
You just have to set the status of the Cloud Run Admin role to ENABLED on that page:
start your cloud build with auth
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['auth', 'activate-service-account', 'xoxox#xoxo-dev.iam.gserviceaccount.com', '--key-file=account.json', '--project=rabbito-dev']
and then simply your code deployment on cloud function
- name: 'gcr.io/cloud-builders/gcloud'
args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
Please add 'Cloud Functions Service Agent' role to your service account alongside 'Cloud Functions Developer'.
I have setup a compute instance called to run cronjobs on Google Compute engine using a service account with the following roles:
Custom Compute Image User + Deletion rights
Compute Admin
Compute Instance Admin (beta)
Kubernetes Engine Developer
Logs Writer
Logs Viewer
Pub/Sub Editor
Source Repository Reader
Storage Admin
Unfortunately, when I ssh into this cronjob runner instance and then run:
sudo gcloud compute --project {REDACTED} instances create e-latest \
--zone {REDACTED} --machine-type n1-highmem-8 --subnet default \
--maintenance-policy TERMINATE \
--scopes https://www.googleapis.com/auth/cloud-platform \
--boot-disk-size 200 \
--boot-disk-type pd-standard --boot-disk-device-name e-latest \
--image {REDACTED} --image-project {REDACTED} \
--service-account NAME_OF_SERVICE_ACCOUNT \
--accelerator type=nvidia-tesla-p100,count=1 --min-cpu-platform Automatic
I get the following error:
The user does not have access to service account {NAME_OF_SERVICE_ACCOUNT}. User: {NAME_OF_SERVICE_ACCOUNT} . Ask a project owner to grant you the iam.serviceAccountUser role on the service account.
Is there some other privilege besides compute instance admin that I need to be able to create instances with my instance?
Further notes: (1) when I try to not specify --service-account the error is the same except that the service account my user doesn't have access to is the default '51958873628-compute#developer.gserviceaccount.com'.
(2) adding/removing sudo doesn't change anything
Creating an instance that uses a service account requires you have the compute.instances.setServiceAccount permission on that service account. To make this work, grant the iam.serviceAccountUser role to your service account (either on the entire project or on the specific service account you want to be able to create instances with).
Find out who you are first
if you are using Web UI: what email address did you use to login?
if you are using local gcloud or terraform: find the json file that contains your credentials for gcloud (often named similarly to myproject*.json) and see if it contains the email: grep client_email myproject*.json
GCP IAM change
Go to https://console.cloud.google.com
Go to IAM
Find your email address
Member -> Edit -> Add Another Role -> type in the role name Service Account User -> Add
(You can narrow it down with a Condition, but lets keep it simple for a while).
Make sure that NAME_OF_SERVICE_ACCOUNT is service account from current project.
If you change project ID, and don't change NAME_OF_SERVICE_ACCOUNT, then you will encounter this error.
This can be checked on Google Console -> IAM & Admin -> IAM.
Then look for service name ....-compute#developer.gserviceaccount.com and check if numbers at the beginning are correct. Each project will have different numbers in this service name.
I cannot create a virtual machines in GCE.. While creating it is showing the error message, i have attached my screen-shot of error message.. i will briefly explain what i have done..
--> I have deleted my compute engine default service account from my service account list.. later i created new service account..
--> While creating virtual machines i selected newly created service account, vm creating was failed but the error shows the deleted service account id is not found under service account..
--> While creating vm's it is referring my deleted service account id..
Now what i need to do? Is there is any solution to reactivate my Compute Engine default service account..
Completely iam struck now i cannot create new vms and kubernetes.
To restore your google compute default service account, run the following gcloud command within your project:
gcloud services enable compute
In previous versions the command was known to be:
gcloud service-management enable compute.googleapis.com
As stated in this issue: https://issuetracker.google.com/issues/69612457
You can now "undelete" service accounts by doing a curl request as below:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-length: 0" "https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_ID:undelete"
SERVICE_ACCOUNT_ID is the id of the account you want to recover
You can get a list of service accounts by running:
gcloud logging read "resource.type=service_account" --freshness=10y
Reference:
https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting_a_service_account
There are two default service accounts and I am not sure which one you are referring to:
Google API service account, in your case it is called: 933144605699#cloudservices.gserviceaccount.com. It is a special service account. It is always created but never listed in gcloud or the web console. It is intended to be used by some of the internal Google processes on user's behalf. GKE may be one of the services that uses this account (I am not sure).
It is impossible to delete this account, the only thing you could do is to remove it from any roles on the project. By default it is an Editor. You can add it back any time.
Default service account: 933144605699-compute#developer.gserviceaccount.com. This is a normal service account, which you may delete.
In the error message you pasted there is a different service account name, is it the new one you created? If this is the case, you might only need to go to IAM settings on the web console and add your user to service account actor. Take a look at this manual page: https://cloud.google.com/compute/docs/access/iam#the_serviceaccountactor_role
First you need to find the removed SERVICE_ACCOUNT_ID. Using Logging advanced queries is:
resource.type = "service_account"
protoPayload.authorizationInfo.permission = "iam.serviceAccounts.delete"
Example here:
==> unique_id value is SERVICE_ACCOUNT_ID
Use the API provided by #sherief-el-feky :
curl -X POST -H "Authorization: Bearer $ (gcloud auth print-access-token)" -H "Content-length: 0" https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_ID : undelete "
Logging advanced queries: https://cloud.google.com/logging/docs/view/advanced-queries
As of Feb 2022, use
gcloud beta iam service-accounts undelete <ACCOUNT ID>
ACCOUNT ID is the 21 digit unique id (uid) which last part of the deleted service account.
For example,
deleted:serviceAccount:abc-project#kubeflow-ml.iam.gserviceaccount.com?uid=123451234512345123451
uid is the last part of the above service account.
I am following the tutorial on
https://cloud.google.com/datastore/docs/getstarted/start_nodejs/
trying to use datastore from my Compute Engine project.
Step 2 in the tutorial mentioned I do not have to create new service account credentials when running from Compute Engine.
I run the sample with:
node test.js abc-test-123
where abc-test-123 is my Project Id and that project have enabled all cloud API access including DataStore API.
After uploaded the code and executed the sample, I got the following error:
Adams: { 'rpc error': { [Error: Invalid Credentials] code: 401,
errors: [ [Object] ] } }
Update:
I did a workaround by changing the default sample code to use the JWT credential way (with a generated .json key file) and things are working now.
Update 2:
This is the scope config when I run
gcloud compute instances describe abc-test-123
And the result:
serviceAccounts:
scopes:
- https://www.googleapis.com/auth/cloud-platform
According to the doc:
You can set scopes only when you create a new instance, and cannot
change or expand the list of scopes for existing instances. For
simplicity, you can choose to enable full access to all Google Cloud
Platform APIs with the https://www.googleapis.com/auth/cloud-platform
scope.
I still welcome any answer about why the original code not work in my case~
Thanks for reading
This most likely means that when you created the instance, you didn't specify the right scopes (datastore and userinfo-email according to the tutorial). You can check that by executing the following command:
gcloud compute instances describe <instance>
Look for serviceAccounts/scopes in the output.
There are 2 way to create an instance with right credential:
gcloud compute instances create $INSTANCE_NAME --scopes datastore,userinfo-email
Using web: on Access & Setting Enable User Info & Datastore