3
votes

I want to create GKE clusters with the gcloud command, but I cannot solve this error:

$ gcloud container clusters create myproject --machine-type=n1-standard-1 --zone=asia-northeast1-a

ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects/myproject/global/networks/default'

The Cloud account linked to my Gmail is an owner of the project with the related permissions, so I expect there is no problem with permissions.

Does it work to run $ gcloud compute networks describe default --project myproject ? – Kristen Tracey
Thanks for the comment! Yes. Your command returns id, kind, name, and something else. – pencilrocketman
Did it work in the end? – GalloCedrone

1 Answer

3
votes

When you create a cluster through the $ gcloud container clusters create command, you should keep in mind that there are hundreds of operations hidden behind it.

When you have the owner rights, you are able to give the initial "kick" to the process that makes everything start. At this point service accounts enter the process and take care of creating all the resources for you, automatically.

These service accounts have different powers and permissions (which can be customised) in order to limit the attack surface in case one of them is compromised and to keep a sort of order; for example you will have ****[email protected], which is the default Compute Engine service account.

When you enable the different APIs, some of these service accounts are created in order to make the components work as expected, but if one of them is deleted or modified you might face the kind of error that you are experiencing.

Usually the easiest way to solve the issue is to recreate the service account, for example by deleting it and then disabling and re-enabling the corresponding API.

  • For example, when you enable Kubernetes Engine the service-****@container-engine-robot.iam.gserviceaccount.com service account is created

In my test project, for example, I modified them by removing the "Kubernetes Engine Service Agent" permission, and I also modified the Google APIs service account, setting it as a "Project Viewer", and I am facing permission issues both creating and deleting clusters.

You can navigate through IAM & Admin --> IAM to check the status and which service accounts are currently authorised in your project.

  • Here you can find a deeper explanation of some default service accounts.

  • Here you can find a small guide regarding how to re-enable Kubernetes Engine's default service account:

"If you remove this role binding from the service account, the default service account becomes unbound from the project, which can prevent you from deploying applications and performing other cluster operations."
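As an added example (not part of the question or answer above), the check below reads an IAM policy in the JSON layout that gcloud projects get-iam-policy prints, reports which of the default service-account bindings the answer describes are missing, and builds the gcloud projects add-iam-policy-binding commands that restore them. It assumes the documented default member and role names (the Kubernetes Engine service agent with roles/container.serviceAgent and the Google APIs service account with roles/editor); the project number, project ID and sample policy are constructed.

```python
import json

# Default service accounts the answer talks about and the role binding each one
# needs before `gcloud container clusters create` can succeed. The member and
# role names are the documented defaults (assumption); {n} is the project number.
EXPECTED_BINDINGS = {
    "roles/container.serviceAgent":
        "serviceAccount:service-{n}@container-engine-robot.iam.gserviceaccount.com",
    "roles/editor":
        "serviceAccount:{n}@cloudservices.gserviceaccount.com",
}


def missing_bindings(policy: dict, project_number: str) -> list:
    """Return (role, member) pairs absent from the policy, i.e. the bindings
    whose removal explains a 403 such as the compute.networks.get error."""
    present = {(b["role"], m) for b in policy.get("bindings", [])
               for m in b.get("members", [])}
    wanted = [(role, member.format(n=project_number))
              for role, member in EXPECTED_BINDINGS.items()]
    return [pair for pair in wanted if pair not in present]


def repair_commands(project_id: str, missing: list) -> list:
    """Build one gcloud command per missing binding that re-grants the role."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}" for role, member in missing]


# Constructed sample: what `gcloud projects get-iam-policy myproject --format=json`
# could print for a project where the Kubernetes Engine Service Agent binding
# was removed (as the answer describes) but the Google APIs account kept editor.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:123456789012@cloudservices.gserviceaccount.com",
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")

if __name__ == "__main__":
    gaps = missing_bindings(SAMPLE_POLICY, "123456789012")
    for cmd in repair_commands("myproject", gaps):
        print(cmd)
```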