GCP Permissions Errors
Sometimes GCP does not behave the way we expect when setting up permissions. This is understandable -- GCP (and the other cloud providers) are extremely large distributed systems, and it is possible to get into unanticipated states. Below, we call out a few that we've encountered and describe how to remedy these situations.
If you run into any other issues that aren't covered below, please email us.
Missing Default Service Account
Spinning up a Kubernetes cluster requires the existence of a default service account to provision its nodepool. If your installation fails with errors that look like...
[PERMISSIONS_ERROR]: Instance '<instance name>' creation failed: Required '<permission>' permission for 'projects/<project-id>/zones/<zone>/instances/<instance name>' (when acting as '<project-id>@cloudservices.gserviceaccount.com')
...then one possible culprit is that one of the default service accounts is missing. To check whether the relevant service account is present, head to the IAM console page and search for a member named Google APIs Service Agent. Its email should match the one that showed up in the [PERMISSIONS_ERROR]. This agent should have the role "Editor" (roles/editor if you set roles programmatically).
If you encounter this permissions error, the most likely cause is that the service agent's role binding is missing. In this case the remedy is simple -- add a new member to your project with the email that showed up in the [PERMISSIONS_ERROR] and set its role to "Editor".
When this is done, return to the Metamanagement interface and hit "re-initialize the deployment". You will know that the problem has been remedied if, after a couple of minutes, you see a new GKE cluster being initialized in the GCP console.
Related Missing Permissions
Note that the presence of the above error likely indicates that other permissions are also incorrectly absent. Another account to check for is the Compute Engine default service account. If this account is not present on the IAM console page, add a new IAM member with the email address <project number>-compute@developer.gserviceaccount.com and the "Editor" role (roles/editor if set programmatically). You can find the project number on the project's dashboard in the GCP console (or with gcloud projects describe <project-id>).
Without this role, the final installation of the vendor's service may fail or be unable to access other important resources.
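The two checks above (the Google APIs Service Agent and the Compute Engine default service account both holding roles/editor) can be run against the project's IAM policy instead of by eye. The script below is an added example and is not part of the original page or the vendor's tooling. It reads a policy in the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json, reports which of the two default accounts lack an unconditional roles/editor binding, and emits the equivalent gcloud add-iam-policy-binding commands. The embedded policy and the project number 123456789012 are constructed, and the example assumes both service-account addresses are formed from the project number; compare the first against the address printed in your own [PERMISSIONS_ERROR].

```python
"""Check a GCP project's IAM policy for the default service-agent bindings
described in the troubleshooting steps above.

Added example, not part of the original page. Input is the JSON shape
returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`;
the policy embedded below is constructed, as is the project number.
"""
import json

EDITOR = "roles/editor"


def expected_default_members(project_number: str) -> dict:
    """Accounts that must hold roles/editor, keyed by their console display name.

    Member strings carry the 'serviceAccount:' prefix used in policy bindings.
    Assumption: both addresses are derived from the project number.
    """
    return {
        "Google APIs Service Agent":
            f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com",
        "Compute Engine default service account":
            f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com",
    }


def members_with_role(policy: dict, role: str) -> set:
    """Collect every member bound to `role`.

    Conditional bindings are skipped: a condition may not apply to the
    operation that failed, so only an unconditional grant counts as present.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or "condition" in binding:
            continue
        members.update(binding.get("members", []))
    return members


def missing_editor_bindings(policy: dict, project_number: str) -> dict:
    """Return {display name: member} for default accounts lacking roles/editor."""
    editors = members_with_role(policy, EDITOR)
    return {
        label: member
        for label, member in expected_default_members(project_number).items()
        if member not in editors
    }


def remediation_commands(project_id: str, missing: dict) -> list:
    """gcloud invocations equivalent to adding the member with "Editor" in the console."""
    return [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member={member} --role={EDITOR}"
        for member in missing.values()
    ]


# Constructed sample policy: the Compute Engine default account holds Editor,
# while the Google APIs Service Agent has been downgraded to Viewer (the
# failure mode the troubleshooting text describes).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:admin@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"]}
  ],
  "etag": "BwConstructedEtag=",
  "version": 1
}
""")

if __name__ == "__main__":
    missing = missing_editor_bindings(SAMPLE_POLICY, "123456789012")
    for label, member in missing.items():
        print(f"MISSING {EDITOR} for {label}: {member}")
    for cmd in remediation_commands("my-project-id", missing):
        print(cmd)
```

To run it against a real project, replace SAMPLE_POLICY with json.load() of the gcloud output and pass the real project number; an empty result from missing_editor_bindings means both default accounts already hold the role this page requires.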