使用 GCP 调试器但出现权限错误

Question

I add @google-cloud/debug-agent on my nodejs project which is deployed on GKE.
But I got error：

restify listening to http://[::]:80
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission

I have checked my GKE have the debug permission. I don't know why the service didn't have permission.

Here is the code I define on my index.ts

import * as tracer from '@google-cloud/trace-agent';
tracer.start();
import * as debug from '@google-cloud/debug-agent';
debug.start();

Answer 1

This issue can be resolved by doing the following:

1 - Create a new Cluster with these permissions enabled (ie Cloud Debugger/ Cloud Platform 'Enabled') and with the required scopes. [1]

Example:

$ gcloud container clusters create example-cluster-name --scopes https://www.googleapis.com/auth/cloud_debugger --zone

2- You can use the same YAML config files you used to deploy your original workloads in the new cluster. You must make sure you have the required scopes for this to work.

You can review how authentication and scopes work using [2] [3] .

Answer 2

I found the issue is caused by workload identity, so I just close this feature to fix this issue.

Because I select to launch the workload identity feature. Every pod which needs to connect GCP service will need to create a service account for these pods. Otherwise, the permission will be blocked.

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity