0
votes

I'm trying to report Node.js errors to Google Error Reporting, from one of our kubernetes deployments running on a GCP/GKE cluster with RBAC. (i.e. permissions defined in a service account associated to the cluster)

const googleCloud = require('@google-cloud/error-reporting');
const googleCloudErrorReporting = new googleCloud.ErrorReporting();
googleCloudErrorReporting.report('[test] dummy error message');

This works only in certain environments:

  • it works when run on my laptop, using a service account that has the "Errors Writer" role
  • it works when running in my cluster as a K8S job, after having added the "Errors Writer" role to that cluster's service account
  • it causes the following error when called from my Node.js application running in one of my K8S deployments:

ERROR:@google-cloud/error-reporting: Encountered an error while attempting to transmit an error to the Stackdriver Error Reporting API.

Error: Request had insufficient authentication scopes.

It feels like the job did pick up the permission changes of the cluster's service account, whereas my deployment did not.

I did try to re-create the deployment to make it refresh its auth token, but the error is still happening...

Any ideas?

UPDATE: I ended up following Jérémie Girault's suggestion: create a service account and bind it to my deployment. It works!

1
What's your deployment definition? Does it use the same service account? How about your job spec? can you post it? - Rico
Both my k8s deployment and job do not specify any service account, so I'm assuming that they're using the one that is associated with my cluster. - Adrien Joly
On your last point, you've mentioned: "it causes the following error when called from my Node.js application running in one of my K8S deployments." Did you mean K8s deployment or GKE deployment? - Mahmoud Sharif
@MahmoudSharif We're only using K8S on Google, so yes, you can assume K8S = GKE in this question. - Adrien Joly
In your last update, you've said that you've followed Jérémie Girault's suggestion. Can you confirm if your issue is resolved? - Mahmoud Sharif

1 Answers

2
votes

The error message has to do with the access scopes set on the cluster when using the default service account. You must enable access to the appropriate API.

As you mentioned, creating a separate service account, providing it the appropriate IAM permissions and linking it to your cluster or workload will bypass this error as well.