3
votes

I am trying to create a cluster with GKE. I have a project I have been using already.

When I run

gcloud container clusters create cluster1

I get the following:

ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.

The same thing happens when I use the web UI. Both my service account and my user have owner roles.

I have tried the following to get the cluster create command to work:

  1. I tried adding a policy binding for the project for my existing service account:

     gcloud projects add-iam-policy-binding <my-project> \
         --member serviceAccount:<my-user>@<my-project>.iam.gserviceaccount.com \
         --role  roles/compute.admin

  2. I read enabling the container API service was required:

     gcloud services enable container.googleapis.com

  3. Started over. I deleted the service account, created a new one and activated the creds with:

     gcloud auth activate-service-account <my-user>@<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}

  4. I also tried authenticating with my account user:

     gcloud auth login

None of these work and I can't create a cluster.

3
Are you using a shared VPC? – marian.vladoi

1) Where are you trying to create a cluster? From your desktop (outside Google Cloud) or from the command line running in a Compute Engine instance? 2) gcloud auth login uses your user credentials ([email protected]). 3) You need both roles/compute.admin and roles/container.admin – John Hanley

I assigned roles compute engine admin and kubernetes engine admin to my root user even though I have ownership of the project. I still cannot create a basic cluster – gordon macmillan

3 Answers

4
votes

I think I will answer my own question here. From the service account docs:

When you create a new Cloud project using GCP Console and if Compute Engine API is enabled for your project, a Compute Engine Service account is created for you by default. It is identifiable using the email:

[email protected]

I had deleted the default created service accounts somehow and possibly the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate them, I decided it was best to just start a new project. Afterwards, the cluster create API and console work just fine.
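One way to check a project for the situation this answer describes (a default service account that was deleted, or a GKE service agent binding that is gone) before starting over, as an added example that is not part of the original thread. It assumes the standard names for the default Compute Engine service account and the GKE service agent and their usual roles; the same check can be pointed at a shared-VPC host project.

```python
"""Added example, not code from the thread: check a project's IAM policy for the
default Compute Engine service account and the GKE service agent that cluster
creation relies on. Assumed (not on the page): the default compute SA is
<NUMBER>-compute@developer.gserviceaccount.com with roles/editor, and the GKE
agent is service-<NUMBER>@container-engine-robot.iam.gserviceaccount.com with
roles/container.serviceAgent."""
import json
import subprocess
import sys

COMPUTE_SA = "serviceAccount:{n}-compute@developer.gserviceaccount.com"
GKE_AGENT = "serviceAccount:service-{n}@container-engine-robot.iam.gserviceaccount.com"


def expected_bindings(project_number: str) -> dict:
    """Member -> role pairs GKE cluster creation normally depends on."""
    return {COMPUTE_SA.format(n=project_number): "roles/editor",
            GKE_AGENT.format(n=project_number): "roles/container.serviceAgent"}


def audit_policy(policy: dict, project_number: str) -> dict:
    """Inspect JSON from `gcloud projects get-iam-policy --format=json`.
    Returns expected bindings that are absent ("missing") and bindings whose
    service account was deleted; IAM keeps those as
    'deleted:serviceAccount:<email>?uid=<id>' ("deleted")."""
    granted, deleted = set(), []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                deleted.append(f"{member} -> {binding['role']}")
            granted.add((member, binding["role"]))
    missing = [f"{m} -> {r}" for m, r in expected_bindings(project_number).items()
               if (m, r) not in granted]
    return {"missing": missing, "deleted": deleted}


def gcloud_json(*args: str) -> dict:
    """Run a gcloud command and parse its JSON output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def main(project_id: str) -> int:
    number = gcloud_json("projects", "describe", project_id)["projectNumber"]
    report = audit_policy(gcloud_json("projects", "get-iam-policy", project_id), number)
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
    return 1 if report["missing"] or report["deleted"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))  # usage: python3 gke_iam_check.py <project-id>
```

A non-zero exit means at least one expected binding is gone or points at a deleted account, which is the state the answer above ran into.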

1
votes

Debug:

gcloud container subnets list-usable --project service-project --network-project shared-vpc-project

If you get warning in output:

WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED: 
Google Compute Engine: Required 'compute.projects.get' permission for 
'projects/shared-vpc-project'

It means your Google-managed GKE service account in the host project doesn't exist.

To solve this, go to the host project's APIs and enable the Kubernetes Engine API. If it's already enabled, disable it and enable it again.

0
votes

I think you should set the compute engine service account permission:

gcloud projects add-iam-policy-binding <my-project> \
    --member serviceAccount:[PROJECT_NUMBER][email protected] \
    --role  roles/compute.admin