(gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account “default”

Question

gcloud auth activate-service-account --key-file aysc.json
gcloud config set project abcxyz
gcloud config set compute/zone europe-west1-b
gcloud container clusters create wordpress --num-nodes=2

I'm running the above commands, on the last command I'm getting an error of:

ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default".

However this account is part of the service account actor group. I've also disabled and enabled the container API, which did not change the behavior. It was suggested by this question: https://serverfault.com/questions/780363/external-the-user-does-not-have-access-to-service-account-default

Answer 1

I saw this situation a few days ago. This error means that the service account you are are running gcloud with using cannot ActAs the service account the VMs will run as (default compute service account in this case).

I would sanity check the following:

• Does the service account in aync.json have the Service Account Actor role for the project abcxyz? (giving it Service Account Actor for just the default compute service account seems insufficient)
• Does the default compute service account exist in the project abcxyz? It typically looks like #######-compute@developer.gserviceaccount.com with Editor permissions to your project. If it does not exist, re-enabling container API should re-create it as the other question suggests.