I was using gcloud with a service account to try to figure out why my API Gateway endpoint didn't work when I ran into another problem. First I ran `export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential/files/PROJECTNAME-hash.json`. Then I ran `gcloud services list --available` and I got this in my terminal:
```
ERROR: (gcloud.services.list) User [<SERVICE ACCOUNT NAME>@<MY PROJECT NAME>.iam.gserviceaccount.com] does not have permission to access projects instance [<MY PROJECT NAME>] (or it may not exist): Permission denied to list services for consumer container [projects/<MY PROJECT ID>]
Help Token: <WHAT LOOKS LIKE AN API KEY>
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.services.list&resource=projects/<MY PROJECT NAME>
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  metadata:
    permission: serviceusage.services.list
    resource: projects/<MY PROJECT NAME>
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED
```
I believe I have the correct permissions enabled in my service account:
So why am I getting this error, and how do I get `gcloud services list --available` to work with the selected service account?
This problem seemed to stem from the fact that I needed to set the service account to have the role `serviceusage.serviceUsageViewer`. In order to do that I needed to run the `add-iam-policy-binding` command, but this command needs to be run with an account that has account owner/editor permissions.
Step 1 was to switch the account in gcloud to the master Gmail account with which I signed up for GCP services. I set my gcloud "account" to my master Gmail account with `gcloud config set account <MASTER GMAIL ACCOUNT>`. Then I ran:
```
gcloud projects add-iam-policy-binding <PROJECT ID> \
    --member "serviceAccount:<SERVICE ACCOUNT>@<PROJECT ID>.iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"
```
That command succeeded. I set the gcloud account back to the service account with `gcloud config set account <SERVICE ACCOUNT EMAIL>` and then ran `gcloud services list --available`. This command worked this time.