
Permission compute.regions.get error in terraform google kubernetes engine

I'm trying to use the terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster module, version "~> 7.3", to create a cluster in region europe-west2. But I keep getting this error:

Error: googleapi: Error 403: Google Compute Engine: Required 'compute.regions.get' 
permission for 'projects/***/regions/europe-west2'., forbidden

The weird thing is that I'm trying to do that using a user with the Editor role. So, it should have permission to read the region. I tried to add more roles for the user (made it all kinds of admin), but the result is still the same. Could you please advise where my mistake might be?

Please check if your [id]@cloudservices.gserviceaccount.com service account has the editor role.

List all service accounts with the gcloud projects get-iam-policy [project-id] command and look for the account. It should look similar to this:

- members:
  - serviceAccount:67993345594-compute@developer.gserviceaccount.com
  - serviceAccount:679934532594@cloudservices.gserviceaccount.com
  - serviceAccount:service-674567382594@containerregistry.iam.gserviceaccount.com
  - serviceAccount:test2-468@asdf.iam.gserviceaccount.com
  - serviceAccount:asdf@appspot.gserviceaccount.com
  role: roles/editor

Second from the top is the account you're looking for and the bottom line says "roles/editor" which is the correct situation.

If this account doesn't have this role you can grant it using command:

gcloud projects add-iam-policy-binding [project] \
--member serviceAccount:[id]@cloudservices.gserviceaccount.com --role roles/editor

It's all described in the documentation.

Very similar issues were discussed on StackOverflow here and here.

I managed to solve that problem. It appeared that my provisioner dropped some roles, which are required for GKE to work properly. In particular,

  • serviceAccount:service-${project-number}@compute-system.iam.gserviceaccount.com must be roles/compute.serviceAgent.

  • serviceAccount:service-${project-number}@container-engine-robot.iam.gserviceaccount.com must be roles/compute.serviceAgent.

To find that, I disabled the Kubernetes Engine service and enabled it back, and Google Cloud automatically recovered the required roles for those service accounts.
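An added example (not from any of the answers above) that ties the two answers together: it parses the JSON form of `gcloud projects get-iam-policy PROJECT --format=json` and reports which of the bindings named above (cloudservices editor, plus the two service agents) are missing. The project number, the required-bindings table and the sample policy are all constructed here; the table is taken from the answers above, so adjust it to whatever your project's service agents actually require.

```python
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed placeholder project number; substitute your own.
PROJECT_NUMBER = "123456789012"

# Bindings the answers above say GKE needs (cloudservices editor plus the two service agents).
REQUIRED_BINDINGS: Dict[str, str] = {
    f"serviceAccount:{PROJECT_NUMBER}@cloudservices.gserviceaccount.com": "roles/editor",
    f"serviceAccount:service-{PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com": "roles/compute.serviceAgent",
    f"serviceAccount:service-{PROJECT_NUMBER}@container-engine-robot.iam.gserviceaccount.com": "roles/compute.serviceAgent",
}


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Invert the policy's bindings list into member -> set of roles."""
    roles: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        # A conditional binding grants its role only while the condition holds,
        # so it is not counted as an unconditional grant here.
        if binding.get("condition"):
            continue
        for member in binding.get("members", []):
            roles.setdefault(member, set()).add(binding["role"])
    return roles


def missing_bindings(policy: dict, required: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (member, role) pairs from `required` that the policy does not grant."""
    have = roles_by_member(policy)
    return [(m, r) for m, r in required.items() if r not in have.get(m, set())]


# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` output:
# cloudservices has editor, but the compute-system service agent binding was dropped.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                 "user:someone@example.com"]},
    {"role": "roles/compute.serviceAgent",
     "members": ["serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXConstructed=",
  "version": 1
}""")

if __name__ == "__main__":
    # Pass a saved policy file as argv[1], otherwise the constructed sample is checked.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for member, role in missing_bindings(policy, REQUIRED_BINDINGS):
        print(f"missing: {member} needs {role}")
```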

I had the same problem after switching accounts in gcloud.

I solved it by running

gcloud auth application-default login

It sets application default credentials for Packer/Terraform to call Google APIs.

source: https://cloud.google.com/sdk/gcloud/reference/auth/application-default
