Permission issue on first set up

Question

Permission issue on first set up

mike-lawrence opened this issue 5 years ago · 6 comments

This is a repeat of previous bug reports whereby I attempted to follow the instructions but they seem to be outdated; certainly the video is a couple years old and differs from how Google has it's UI set up now. I thought I still managed to set things up properly such that I got my service account key and enabled the gce api, but I'm still getting a permissions error. Here's an example session:

> library(googleComputeEngineR)
Setting scopes to https://www.googleapis.com/auth/cloud-platform
Successfully auto-authenticated via axemnimbus.json
Set default project ID to 'axemnimbus'
Set default zone to 'northamerica-northeast1'
> 
> gce_get_project()
2019-09-17 12:27:27> Request Status Code: 403
Error: API returned: Required 'compute.projects.get' permission for 'projects/axemnimbus'

Note that when I go to the IAM section on Google's console, I see the service "Compute Engine Service Agent" is enabled with a role of the same name. Is there some other role it needs to have as well?

Answer 1 · 2019-09-17T15:40:48.000Z

? I think you left out some detail?

Answer 2 · 2019-09-17T15:43:10.000Z

@MarkEdmondson1234 Sorry, started the issue and closed my laptop to move offices, and must have somehow clicked submit as I did so. Updated now.

Answer 3 · 2019-09-17T15:47:49.000Z

Ok yes I think the setup has changed slightly - the service account you use needs to have compute engine API access. I typically use the same service account for lots of things such as BigQuery and cloud storage so set the role as "project editor" but you may want to be tighter than that. If you let me know where the documentation is lacking I will look to update it.

Answer 4 · 2019-09-17T15:52:35.000Z

Hm, I added the role "Editor" (as well as "compute admin", which I found a random stackoverflow answer suggesting), restarted R and tried again, but still getting the same error. Here's a screenshot of my IAM permissions page:

See anything obviously wrong?

Answer 5 · 2019-09-17T16:06:22.000Z

Fixed it. I somehow downloaded the key for the wrong service. I discovered this by going to the Compute Engine API page, clicking credentials, and noticed two services, one for the Compute engine default Service account that had no activity and one for a service I set up during my attempt at following the instructions that had a bunch of activity. I downloaded the key from the Compute Engine service account, and all is working now.

Answer 6 · 2019-09-17T16:12:15.000Z

Great, glad its sorted