GCP - User ... does not have permission to access projects instance
I was using gcloud with a service account to try to figure out why my API Gateway endpoint didn't work when I ran into another problem. First I ran this export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential/fils/PROJECTNAME-hash.json. Then I ran gcloud services list --available and I got this in my terminal:
ERROR: (gcloud.services.list) User [<SERVICE ACCOUNT NAME>@<MY PROJECT NAME>.iam.gserviceaccount.com] does not have permission to access projects instance [<MY PROJECT NAME>] (or it may not exist): Permission denied to list services for consumer container [projects/<MY PROJECT ID>]
Help Token: <WHAT LOOKS LIKE AN API KEY>
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.services.list&resource=projects/<MY PROJECT NAME>
type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: serviceusage.googleapis.com
metadata:
permission: serviceusage.services.list
resource: projects/<MY PROJECT NAME>
service: cloudresourcemanager.googleapis.com
reason: AUTH_PERMISSION_DENIED
I believe I have the correct permissions enabled in my service account:
So why am I getting this error and how do I get gcloud services list --available to work with the selected service account?
This problem seemed to stem from the fact that I needed to set the service account to have the role of serviceusage.serviceUsageViewer. In order to do that I need to run the add-iam-policy-binding command but this command needs to be run with an account that has account owner/editor permissions.
Step 1 was to switch the account in gcloud to the master gmail account with which I signed up for GCP services.
I set my gcloud "account" to my master Gmail account with gcloud config set account <MASTER GMAIL ACCOUNT>. Then I ran:
gcloud projects add-iam-policy-binding <PROJECT ID> \
--member "serviceAccount:<SERVICE ACCOUNT>@<PROJECT ID>.iam.gserviceaccount.com" \
--role "roles/serviceusage.serviceUsageViewer"
That command succeeded. I set the gcloud account back to the service account with gcloud config set account <SERVICE ACCOUNT EMAIL> and then ran gcloud services list --available. This command worked this time.
- Error: 10: Developer console is not set up correctly (Not Using Firebase) (One Tap sign-up)
- How to drop multiple tables in Big query using Wildcards TABLE_DATE_RANGE()?
- A proper and secure way to do Cloud function authorization with access token from external server
- How to list all projects in GCP that belongs to a specific organization
- Constantly getting DEVELOPER_ERROR in Android Simulator using Firebase Authentication
- Google OAuth 2.0 authentication not working in React app: what am I doing wrong?
- How to SSH to docker container in kubernetes cluster?
- How to use google cloud load balance with cloudflare DNS proxy
- How to write data from apache beam using gcp dataflow to bigquery table?
- How does Firestore calculate read count for same queries with different limits?
- Firebase onAuthStateChanged user returns null when on localhost
- How do I list all resources in a particular google cloud project?
- What am I doing wrong to get this error for Google Vision API
- How do I propagate resource labels to my GKE application's GCE disks backing its PVCs?
- How to set environment variables in a Google Cloud VM (Ubuntu) for Django project without exposing sensitive information?
- How to avoid TypeError when using Python ApacheBeam for DataFlow?
- Why would Mysql return "error Column cannot be null"?
- Firebase login with GCP service account
- Listening to realtime changes to objects stored in a Firestore Document
- Installing Google Cloud SDK using Windows SSL error
- Serverless VPC access connector is in a bad shape
- Google Chat API Permission Issues
- skip header while reading a CSV file in Apache Beam
- firebase client cannot connect to correct firebase database
- Cloud Build private DNS GCP
- Google Firebase: How do I "work around" an invalid "issuer" value in my client's OIDC discovery document?
- Configure a principal that can only approve and revoke grant requests in GCP PAM
- GCP authentication fails in GitHub actions - IaC with Terraform
- Creating two Google Cloud VPCs in different regions using the same Terraform main.tf file
- google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s)