GCP Permissions Errors

Last updated 4 years ago

Sometimes GCP does not behave the way we expect when setting up permissions. This is understandable -- GCP (and the other cloud providers) are extremely large distributed systems, and it is possible to get into unanticipated states. Below, we call out a few that we've encountered and describe how to remedy these situations.

If you run into any other issues that aren't covered below, please email us.

Missing Default Service Account

Spinning up a Kubernetes cluster requires the existence of a default service account to provision its nodepool. If your installation fails with errors that look like...

[PERMISSIONS_ERROR]: Instance '<instance name>' creation failed: Required '<permission>' permission for 'projects/<project-id>/zones/<zone>/instances/<instance name>' (when acting as '<project-id>@cloudservices.gserviceaccount.com')

...then one possible culprit is that one of the default service accounts is missing. To check whether the relevant service account is present, head to the IAM console page and search for a member with the name Google APIs Service Agent. Note that its email should match the one that showed up in the [PERMISSIONS_ERROR] (the account named after "when acting as"). This agent should have the role "Editor" (or roles/editor if you set roles programmatically).

If you encounter this permissions error, the most likely cause is that the service agent does not hold the role at all. In this case, the remedy is simple -- add a new member to your project with the email that showed up in the [PERMISSIONS_ERROR] and set its role to "Editor".

When this is done, return to the Metamanagement interface and click re-initialize the deployment. You will know that this problem has been remedied if, after a couple of minutes, you see a new GKE cluster being initialized in the GCP console.

Related Missing Permissions

Note that the presence of the above error is likely to indicate that other permissions are incorrectly absent. Another account to check for is the Compute Engine default service account. If this account is not present on the IAM console page, then you should add a new IAM member with email address <project number>-compute@developer.gserviceaccount.com and the "Editor" role (roles/editor if set programmatically). You can find the project number associated with a project at this link.

Without this role, the final installation of the vendor's service may fail or be unable to access other important resources.
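The two checks above (the Google APIs Service Agent and the Compute Engine default service account, both needing roles/editor) can be run against an exported IAM policy before re-initializing. The following is an added example, not part of this documentation or the product: it parses the `[PERMISSIONS_ERROR]` line for the acting account, inspects a policy in the JSON shape produced by `gcloud projects get-iam-policy --format=json`, and prints the `gcloud projects add-iam-policy-binding` commands that would restore the missing bindings without applying anything. The project id, project number and the sample policy are constructed placeholders.

```python
import json
import re

# Matches the "(when acting as '<email>')" suffix of the [PERMISSIONS_ERROR] message.
ACTING_AS_RE = re.compile(r"\(when acting as '([^']+)'\)")


def acting_account_from_error(message):
    """Return the service account named in a [PERMISSIONS_ERROR] line, or None."""
    match = ACTING_AS_RE.search(message)
    return match.group(1) if match else None


def required_accounts(project_id, project_number):
    """The two default accounts this page expects to hold roles/editor."""
    return [
        f"{project_id}@cloudservices.gserviceaccount.com",            # Google APIs Service Agent
        f"{project_number}-compute@developer.gserviceaccount.com",    # Compute Engine default SA
    ]


def members_with_role(policy, role):
    """Set of IAM members bound to `role` in a get-iam-policy JSON document."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def missing_editor_bindings(policy, project_id, project_number):
    """Required default accounts that are not bound to roles/editor in `policy`."""
    editors = members_with_role(policy, "roles/editor")
    return [sa for sa in required_accounts(project_id, project_number)
            if f"serviceAccount:{sa}" not in editors]


def remediation_commands(project_id, missing):
    """Real gcloud commands that add the missing bindings (printed, not executed)."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member=serviceAccount:{sa} --role=roles/editor" for sa in missing]


# Constructed sample policy: the Compute Engine account is bound, the API service agent is not.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/editor", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
]}""")

if __name__ == "__main__":
    missing = missing_editor_bindings(SAMPLE_POLICY, "my-project", "123456789012")
    print("\n".join(remediation_commands("my-project", missing)))
```

With a real project, feed the output of `gcloud projects get-iam-policy <project-id> --format=json` into `json.load` in place of the sample policy; review the printed commands before running them, since roles/editor is a broad grant.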
