0

I've created a project in GCP. Then I created a service account with the Compute Admin role. After that, I enabled the Compute Engine API for my project, but I can't work with instances:

# gcloud compute instances list
ERROR: (gcloud.compute.instances.list) Some requests did not succeed:
- Required 'compute.zones.list' permission for 'projects/someproject'

What am I doing wrong?

Serhii Rohoza
Ninja

2 Answers

1

Check that the service account you are using to run that command has the proper Compute Engine role. You can do this here: IAM & admin > IAM.

-- UPDATE --

To check that the service account has the correct permissions, run these commands in the Cloud Shell:

$ gcloud iam service-accounts keys create key.json --iam-account new-sa@some-project-name.iam.gserviceaccount.com

The above command will create and download the key for this service account in a JSON format.

$ gcloud projects add-iam-policy-binding some-project-name --member serviceAccount:new-sa@some-project-name.iam.gserviceaccount.com --role=roles/compute.admin

This command will assign the compute.admin role to the new-sa service account.

$ gcloud auth activate-service-account --key-file=key.json

$ gcloud compute instances list

And with these, impersonate the new-sa service account using the key.json file already downloaded and execute the corresponding command to list the instances in the some-project-name project. If this is successful, then the issue is somewhere else.

DuniX33
  • It has the ComputeAdmin role. I am trying to add GCE to cloud66 from this doc: https://help.cloud66.com/rails/how-to-guides/clouds/cloud-gce.html#generate-gce-api-keys – Ninja Jan 29 '20 at 12:28
  • If you have enabled the [Compute Engine API](https://cloud.google.com/endpoints/docs/openapi/enable-api#enabling_an_api) and provided the right permissions to the SA (check update) I would try downloading a [new key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys). – DuniX33 Jan 29 '20 at 15:24
  • Thank you! Your answer helped me to find and resolve the issue. Because a new Service Account with another name works without any problem. I solved the problem after I removed the policy from IAM for cloud66 and then recreated it (earlier I removed cloud66 only from Service Account). – Ninja Jan 30 '20 at 11:21
  • You're welcome @Ninja xD – DuniX33 Feb 04 '20 at 08:18
1

The first time I created a service account "cloud66" in the Google test period. Most likely, this affected the access rights. Then I switched billing from a test period to a paid one. I deleted and recreated the cloud66 service account in the "APIs & Services -> Credentials" section. But there was an access policy for "cloud66" with the role of "ComputeAdmin" in the "IAM" section. When I deleted the access policy from the "IAM" section and recreated the service account, the problem was resolved.

Ninja
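
Added example (not part of either answer or of Google's tooling): Google Cloud ties a role binding to a service account's unique ID rather than its name, so an account deleted and recreated with the same e-mail does not inherit the old binding, which fits the fix described above. The sketch assumes the stale entry shows up in the policy with the documented `deleted:serviceAccount:…?uid=…` prefix; the policy JSON, the uid and the function names are constructed for illustration.

```python
import json
import shlex

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy some-project-name --format=json`.
# The uid value is made up.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/compute.admin", "members": [
    "deleted:serviceAccount:cloud66@some-project-name.iam.gserviceaccount.com?uid=100000000000000000001"]},
  {"role": "roles/viewer", "members": [
    "serviceAccount:cloud66@some-project-name.iam.gserviceaccount.com",
    "user:admin@example.com"]}
]}""")


def bindings_for(policy, email):
    """Return (live, stale): role -> member string, for bindings naming `email`."""
    live, stale = {}, {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member == f"serviceAccount:{email}":
                live[binding["role"]] = member
            elif member.startswith(f"deleted:serviceAccount:{email}?uid="):
                stale[binding["role"]] = member
    return live, stale


def diagnose(policy, email, role="roles/compute.admin"):
    """Classify why `email` does or does not hold `role` on the project."""
    live, stale = bindings_for(policy, email)
    if role in live:
        return "ok"
    return "stale-binding" if role in stale else "missing-binding"


def fix_commands(policy, project, email, role="roles/compute.admin"):
    """gcloud commands that drop stale bindings, then grant `role` to the live account."""
    live, stale = bindings_for(policy, email)
    cmds = [f"gcloud projects remove-iam-policy-binding {project} "
            f"--member={shlex.quote(m)} --role={r}" for r, m in stale.items()]
    if role not in live:
        cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                    f"--member=serviceAccount:{email} --role={role}")
    return cmds


if __name__ == "__main__":
    sa = "cloud66@some-project-name.iam.gserviceaccount.com"
    print(diagnose(SAMPLE_POLICY, sa))
    print("\n".join(fix_commands(SAMPLE_POLICY, "some-project-name", sa)))
```

Feed it the real policy JSON for the project in place of `SAMPLE_POLICY`; a `stale-binding` result means the role is still attached to the deleted identity and has to be granted again to the recreated account.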