
# GCP Permissions Errors

Sometimes GCP does not behave the way we expect when setting up permissions. This is understandable -- GCP (and the other cloud providers) are extremely large distributed systems, and it is possible to get into unanticipated states. Below, we call out a few that we've encountered and describe how to remedy these situations.

{% hint style="warning" %}
If you run into any other issues that aren't covered below, please [email us](mailto:docs@metamanagement.dev).
{% endhint %}

## Missing Default Service Account

Spinning up a Kubernetes cluster requires the existence of a default service account to provision its nodepool. If your installation fails with errors that look like...

`[PERMISSIONS_ERROR]: Instance '<instance name>' creation failed: Required '<permission>' permission for 'projects/<project-id>/zones/<zone>/instances/<instance name>' (when acting as '<project-id>@cloudservices.gserviceaccount.com')`

...then one possible culprit is that one of the default service accounts is missing. To check whether the relevant service account is present, head to the [IAM console page](https://console.cloud.google.com/iam-admin/iam) and search for a member with the name `Google APIs Service Agent`. Note that its email should match the one that showed up in the `[PERMISSIONS_ERROR]`. This agent should have the role "Editor" (or `roles/editor` if you set roles programmatically).

If you encounter this permissions error, then the most likely cause is that the service agent role does not exist. In this case, the remedy is simple -- add a new member to your project with the email that showed up in the `[PERMISSIONS_ERROR]` and set its role to "Editor".

When this is done, return to the Metamanagement interface and re-initialize the deployment. You will know that this problem has been remedied if, after a couple of minutes, you see a new GKE cluster being initialized in the GCP console.

### Related Missing Permissions

Note that the presence of the above error is likely to indicate that other permissions are also missing. Another account to check for is the `Compute Engine default service account`. If this account is not present on the [IAM console page](https://console.cloud.google.com/iam-admin/iam), then you should add a new IAM member with email address `<project number>-compute@developer.gserviceaccount.com` and the "Editor" role (`roles/editor` if set programmatically). You can find the project number associated with a project at [this link](https://console.cloud.google.com/iam-admin/settings).

Without this role, the final installation of the vendor's service may fail or be unable to access other important resources.
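
Both checks above can also be run against the JSON printed by `gcloud projects get-iam-policy <project-id> --format=json` instead of the console. The Python below is an added example, not part of Metamanagement's tooling: the error text, policy, project ID and project number are constructed samples, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: an error in the format shown above, with made-up values.
SAMPLE_ERROR = (
    "[PERMISSIONS_ERROR]: Instance 'gke-demo-pool-1' creation failed: Required "
    "'compute.instances.create' permission for "
    "'projects/demo-project/zones/us-central1-a/instances/gke-demo-pool-1' "
    "(when acting as '123456789012@cloudservices.gserviceaccount.com')"
)

# Constructed sample policy in the shape `get-iam-policy --format=json` returns.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/editor", "members": [
      "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ]
}""")

def acting_as(error_text):
    """Return the email from the "when acting as" clause, or None if absent."""
    match = re.search(r"when acting as '([^']+)'", error_text)
    return match.group(1) if match else None

def has_role(policy, email, role="roles/editor"):
    """True if the service account is an exact member of a binding for `role`."""
    member = f"serviceAccount:{email}"
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))

def missing_editors(policy, error_text, project_number):
    """Emails of the two default accounts on this page that lack roles/editor."""
    wanted = [acting_as(error_text),
              f"{project_number}-compute@developer.gserviceaccount.com"]
    return [e for e in wanted if e and not has_role(policy, e)]

def fix_commands(project_id, emails):
    """gcloud commands that add the missing "Editor" bindings."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member=serviceAccount:{e} --role=roles/editor" for e in emails]

if __name__ == "__main__":
    missing = missing_editors(SAMPLE_POLICY, SAMPLE_ERROR, "123456789012")
    print("\n".join(fix_commands("demo-project", missing)) or "nothing missing")
```

A member that shows up with a `deleted:` prefix in the policy is reported as missing, because the check requires an exact `serviceAccount:<email>` match.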


