
While deleting a cluster with:

gcloud container clusters delete demo

I constantly encounter the following error message:

ERROR: (gcloud.container.clusters.delete) Some requests did not succeed:
 - args: ['Operation [<Operation
 clusterConditions: [<StatusCondition
 canonicalCode: CanonicalCodeValueValuesEnum(PERMISSION_DENIED, 7)
 message: "Google Compute Engine: Required \'compute.instanceGroups.update\' permission for \'gke-demo-default-pool-11319969-grp\'.">]
 detail: "Google Compute Engine: Required \'compute.instanceGroups.update\' permission for \'gke-demo-default-pool-11319969-grp\'."
 endTime: \'2021-04-21T17:31:06.780378597Z\'
 error: <Status
 code: 7
 details: []
 message: "Google Compute Engine: Required \'compute.instanceGroups.update\' permission for \'gke-demo-default-pool-11319969-grp\'.">
 name: \'operation-1619026203457-4c931621\'
 nodepoolConditions: []
 operationType: OperationTypeValueValuesEnum(DELETE_CLUSTER, 2)
 selfLink: \'https://container.googleapis.com/v1/projects/824185028708/zones/us-west1-a/operations/operation-1619026203457-4c931621\'
 startTime: \'2021-04-21T17:30:03.457738447Z\'
 status: StatusValueValuesEnum(DONE, 3)
 statusMessage: "Google Compute Engine: Required \'compute.instanceGroups.update\' permission for \'gke-demo-default-pool-11319969-grp\'."
 targetLink: \'https://container.googleapis.com/v1/projects/824185028708/zones/us-west1-a/clusters/demo\'
 zone: \'us-west1-a\'>] finished with error: Google Compute Engine: Required \'compute.instanceGroups.update\' permission for \'gke-demo-default-pool-11319969-grp\'.']
   exit_code: 1

It seems to be similar to this post. But after adding the "Editor" role to all service accounts I found, the deletion command still fails.

Update: Upon further inspection of the Activity page, the "User" who is really trying to remove the instance group created by the cluster is "[12DigitNumber]@cloudservices.gserviceaccount.com".

Any ideas?

taper
  • The ACTIVE account `gcloud auth list` does not have the permission `compute.instanceGroups.update` – John Hanley Apr 22 '21 at 01:59
  • I am sure the active account has the `Editor` role, which should be enough. – taper Apr 22 '21 at 10:30
  • Yes, the Editor role has the required permission. However, the error message is very clear. The identity making the API calls does not have that permission. My guess is that you added the Editor role to the wrong identity. – John Hanley Apr 22 '21 at 12:57
  • Note: Where are you running this command? If from Compute Engine, then scopes limit the roles assigned to an identity. – John Hanley Apr 22 '21 at 12:57
  • Thanks @JohnHanley for the comments. I have run the command from the console using an IAM identity given by my organisation. I have confirmed that I could create and remove compute instance groups in the console. But there remains an instance group created by Kubernetes that I could not remove. – taper Apr 23 '21 at 07:26
  • When you say "console" what do you mean? In the console run this command "gcloud auth list". What is the active account? Once you know that identity, check the roles assigned to that identity. – John Hanley Apr 23 '21 at 07:36
  • Sorry I should be clear. I mean the web interface called [Console](https://console.cloud.google.com/). – taper Apr 23 '21 at 07:39
  • I checked the activity log and it shows that a "[12DigitNumber]@cloudservices.gserviceaccount.com" is actually attempting to remove the instance group. However, I could not find this user in the IAM user list, while I could see several users having the same 12-digit number, all of which have been given the Editor role. – taper Apr 23 '21 at 07:49

2 Answers

After checking the Activity page and consulting the Google doc about service accounts, I realised that this was caused by a previous mistake that deleted a default service account created by Google. To bring it back, I used:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member serviceAccount:PROJECT_NUMBER@cloudservices.gserviceaccount.com \
    --role roles/editor

Ref: Google APIs Service Agent service account deleted by mistake.

taper

The error indicates that there is a permission missing and the deletion cannot proceed. Can you set the required permission and retry the deletion? The required permission is `compute.instanceGroups.update`.

Please follow the steps below to add the required permission:

  1. Go to the Navigation Menu, then click IAM & Admin
  2. Select IAM
  3. Click "Edit" or the pencil icon for the member
  4. Select + Add Another Role
  5. Inside "Select a role", look for Compute Engine, then click Compute Admin.
Ahmad P
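The checks this thread converges on, written out as an added example (this is not code from the question, from either answer, or from Google's tooling): extract the required permission and resource from the gcloud error text, look up which roles the project's Google APIs service agent (`PROJECT_NUMBER@cloudservices.gserviceaccount.com`, the identity the Activity log showed) holds in the policy document that `gcloud projects get-iam-policy PROJECT --format=json` returns, and, when none of Owner, Editor or Compute Admin (the role the second answer adds) is bound to it, print the `add-iam-policy-binding` command from the first answer. The project id, project number, policy document and error line are constructed sample values, and the set of roles treated as sufficient is an assumption made for this example rather than something fetched from the IAM API.

```python
import copy
import json
import re

# Roles whose permission set covers compute.instanceGroups.update: the basic
# Owner/Editor roles plus Compute Admin. Assumption made for this example.
SUFFICIENT_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin"}

# gcloud reports Compute Engine authorisation failures as
#   Required 'PERMISSION' permission for 'RESOURCE'
# and, as in the question, the quotes may be backslash-escaped because the
# message is printed as a repr of a list of strings; the backslash is optional.
_REQUIRED_RE = re.compile(
    r"Required \\?'([\w.]+)\\?' permission for \\?'([^'\\]+)\\?'"
)


def parse_required_permission(gcloud_stderr):
    """Return (permission, resource) from a gcloud error, or None if absent."""
    m = _REQUIRED_RE.search(gcloud_stderr)
    return (m.group(1), m.group(2)) if m else None


def service_agent_member(project_number):
    """IAM member string of the project's Google APIs service agent."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


def roles_for_member(policy, member):
    """All roles bound to `member` in a policy shaped like the JSON output of
    `gcloud projects get-iam-policy PROJECT --format=json`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def tombstoned(policy, member):
    """True if the policy carries a 'deleted:MEMBER?uid=...' entry, which IAM
    leaves behind when a service account is deleted while still bound."""
    prefix = "deleted:" + member
    return any(m.startswith(prefix)
               for b in policy.get("bindings", [])
               for m in b.get("members", []))


def add_binding(policy, member, role):
    """Return a copy of `policy` with `member` added to `role`, mirroring the
    edit `gcloud projects add-iam-policy-binding` makes (in memory only)."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def diagnose(policy, project_id, project_number, gcloud_stderr):
    """Tie the error text to the service agent's bindings and propose the fix."""
    parsed = parse_required_permission(gcloud_stderr)
    member = service_agent_member(project_number)
    roles = roles_for_member(policy, member)
    missing = not (roles & SUFFICIENT_ROLES)
    return {
        "permission": parsed[0] if parsed else None,
        "resource": parsed[1] if parsed else None,
        "member": member,
        "roles": roles,
        "tombstoned": tombstoned(policy, member),
        "missing": missing,
        "fix": (f"gcloud projects add-iam-policy-binding {project_id} "
                f"--member {member} --role roles/editor") if missing else None,
    }


# Constructed sample inputs: a placeholder project, a policy from which the
# service agent's Editor binding has been removed (the situation in the first
# answer), and an error line modelled on the one in the question.
SAMPLE_PROJECT_ID = "demo-project"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_ERROR = (
    "ERROR: (gcloud.container.clusters.delete) Some requests did not succeed: "
    "Google Compute Engine: Required \\'compute.instanceGroups.update\\' "
    "permission for \\'gke-demo-default-pool-11319969-grp\\'."
)
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/container.serviceAgent",
     "members": ["serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
""")

if __name__ == "__main__":
    report = diagnose(SAMPLE_POLICY, SAMPLE_PROJECT_ID,
                      SAMPLE_PROJECT_NUMBER, SAMPLE_ERROR)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run this against a real project, replace `SAMPLE_POLICY` with `json.load()` of the `get-iam-policy` output and pass the real project id and number; `add_binding` only edits the in-memory copy so you can preview the resulting policy, the actual change is still made with the `gcloud` command the first answer gives.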