I'm trying to use the terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster
module of version "~> 7.3" to create a cluster in region europe-west2. But I keep getting the error:
Error: googleapi: Error 403: Google Compute Engine: Required 'compute.regions.get'
permission for 'projects/***/regions/europe-west2'., forbidden
The weird thing is that I'm trying to do that using a user with the Editor
role. So it should have permission to read the region. I tried to add more roles to the user (made it all kinds of admin), but the result is still the same. Could you please advise where my mistake could be?
Please check if your [id]@cloudservices.gserviceaccount.com
service account has the editor role.
List all service accounts with the gcloud projects get-iam-policy [project-id]
command and look for the account. It should look similar to this:
- members:
  - serviceAccount:67993345594-compute@developer.gserviceaccount.com
  - serviceAccount:679934532594@cloudservices.gserviceaccount.com
  - serviceAccount:service-674567382594@containerregistry.iam.gserviceaccount.com
  - serviceAccount:test2-468@asdf.iam.gserviceaccount.com
  - serviceAccount:asdf@appspot.gserviceaccount.com
  role: roles/editor
Second from the top is the account you're looking for and the bottom line says "roles/editor" which is the correct situation.
If this account doesn't have this role you can grant it using the command:
gcloud projects add-iam-policy-binding [project] \
    --member serviceAccount:[id]@cloudservices.gserviceaccount.com --role roles/editor
It's all described in the documentation.
Very similar issues were discussed on StackOverflow here and here.
I managed to solve that problem. It appeared that my provisioner dropped some roles which are required for GKE to work properly. In particular,
- serviceAccount:service-${project-number}@compute-system.iam.gserviceaccount.com
  must have roles/compute.serviceAgent.
- serviceAccount:service-${project-number}@container-engine-robot.iam.gserviceaccount.com
  must have roles/compute.serviceAgent.
To find that, I disabled the Kubernetes Engine service and enabled it back, and Google Cloud automatically recovered the required roles for those service accounts.
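The two answers above both come down to checking the project IAM policy for a handful of Google-managed service agents. This added example (not from either answer) parses the JSON form of the same `gcloud projects get-iam-policy PROJECT --format=json` output and reports which of the bindings named above are missing; the project number and policy below are constructed sample data.

```python
import json

# Service agents the answers above say GKE provisioning depends on, with the
# role each must hold. "{n}" is replaced with the numeric project number.
REQUIRED_BINDINGS = {
    "{n}@cloudservices.gserviceaccount.com": "roles/editor",
    "service-{n}@compute-system.iam.gserviceaccount.com": "roles/compute.serviceAgent",
}


def members_with_role(policy: dict, role: str) -> set:
    """Collect every member bound to `role` across all bindings in the policy."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def missing_agent_roles(policy: dict, project_number: str) -> list:
    """Return (member, role) pairs from REQUIRED_BINDINGS absent from the policy."""
    missing = []
    for email_template, role in REQUIRED_BINDINGS.items():
        member = "serviceAccount:" + email_template.format(n=project_number)
        if member not in members_with_role(policy, role):
            missing.append((member, role))
    return missing


# Constructed sample policy (project number 123456789012): the cloudservices
# agent is still an editor, but the compute-system agent binding was dropped.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    # Print the gcloud command that would restore each missing binding.
    for member, role in missing_agent_roles(SAMPLE_POLICY, "123456789012"):
        print(f"gcloud projects add-iam-policy-binding PROJECT --member {member} --role {role}")
```

Feed it real data with `gcloud projects get-iam-policy PROJECT --format=json` piped into `json.load`, and add further agents to REQUIRED_BINDINGS as needed.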
I had the same problem after switching accounts in gcloud.
I solved it by running
gcloud auth application-default login
It sets application default credentials for Packer/Terraform to call Google APIs.
Source: https://cloud.google.com/sdk/gcloud/reference/auth/application-default