[英]GCP - Cloud Composer 2 - Create operation on this environment failed
I am trying to create a default Composer 2 Instance on GCP and get the Errors:我试图在 GCP 上创建一个默认的 Composer 2 实例并得到错误:
CREATE operation on this environment failed 32 minutes ago with the following error message:
Composer Backend timed out. Currently running tasks are [stage: CP_COMPOSER_AGENT_RUNNING
description: "No agent response published."
...
or或者
CREATE operation on this environment failed 32 minutes ago with the following error message:
Environment couldn't be created, but no error was surfaced. This can be cause by a lack of
proper permissions. Check if this environment's service account ... .iam.gserviceaccount.com
has the 'roles/composer.worker' role and there is no firewall inhibiting internal
communications set.
I already tried to add the Composer Worker role to the service account and all other required roles (eg Cloud Composer v2 API Service Agent Extension) in https://cloud.google.com/composer/docs/composer-2/access-control (for public as well as for private, eventhough instance is public).我已经尝试在https://cloud.google.com/composer/docs/composer-2/access-control 中将Composer Worker 角色添加到服务帐户和所有其他必需的角色(例如 Cloud Composer v2 API Service Agent Extension) (对于公共和私有,尽管实例是公共的)。
I looked into the GKE instance and found the Pod composer-agent failing with:我查看了 GKE 实例,发现 Pod composer-agent 失败了:
Traceback (most recent call last): File "composer_agent.py", line 467, in <module> main() File "composer_agent.py", line 292, in main responses = pubsub_subscriber.pull() (...)
oauth2client.client.HttpAccessTokenRefreshError: Failed to retrieve
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/(...)
compute@developer.gserviceaccount.com/token from the Google Compute Enginemetadata service.
Response:
{'date': 'Thu, 17 Feb 2022 10:29:46 GMT', 'status': '403', 'content-length': '668', 'content-
type': 'text/plain; charset=utf-8', 'x-content-type-options': 'nosniff'}
So I assume there is still some permission issue but I can not figure out what, Composer 1 Instances can be created without a problem, as well for a different project Composer 2 Instances with the same permissions on the service accounts.所以我假设仍然存在一些权限问题,但我无法弄清楚是什么,可以毫无问题地创建 Composer 1 实例,以及对服务帐户具有相同权限的不同项目 Composer 2 实例。
I also tried to create different than default compute service account with the required permissions but also without success.我还尝试创建具有所需权限的不同于默认计算服务帐户,但也没有成功。 I also checked that the service account I am adding permissions to is actually the service account sending the request in the composer-agent and is sending the environment creation request to the GKE cluster.
我还检查了我要添加权限的服务帐户实际上是在 composer-agent 中发送请求的服务帐户,并且正在向 GKE 集群发送环境创建请求。
I hope anyone can help, who faced similar issues or knows more about the error occuring in composer-agent, thank you very much!希望哪位遇到过类似问题或者对composer-agent中出现的错误有比较了解的可以帮忙,万分感谢!
After being in contact with the Google Support Team, the solution was to manually enable the "IAM Service Account Credentials API".与 Google 支持团队联系后,解决方案是手动启用“IAM 服务帐户凭据 API”。 There was no issue in Service Account Rights or Firewall settings.
服务帐户权限或防火墙设置没有问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.