2

Today when I went to deploy a new revision of a Cloud Run application, I was unable to press the deploy key. No error or anything, just an unresponsive key.

I use Secret Manager and I have narrowed down the issue to the step where you add the secret mounted volume. When I do this, I receive the following error when I inspect the network.

```json
{
  "error": {
    "code": 404,
    "message": "Requested entity was not found.",
    "status": "NOT_FOUND"
  }
}
```

```json
{"constraint":"constraints/gcp.SecretManagerFilesystemAccess"}
```

However, when I go look up the constraints in the documentation, this constraint doesn't exist.

I do have some organizational policies set like refusing the ability to create service accounts, create service keys or upload keys, but I have confirmed that my other organization has the same settings and is having no trouble.

Does anyone from Google have any information regarding this issue?

EDIT:

Steps to reproduce this issue.

  1. Open Google Cloud Platform.
  2. Click "Cloud Run" from navigation bar.
  3. Select Service.
  4. Click "Edit and Deploy New Revision".
  5. Open Inspector, click Network, clear current items.
  6. Select "Variables and Secrets".
  7. Click "reference a secret".

This produces the following error on URL:

https://cloudresourcemanager.clients6.google.com/v1/projects/PROJECTID:getEffectiveOrgPolicy?key=

```json
{
  "error": {
    "code": 404,
    "message": "Requested entity was not found.",
    "status": "NOT_FOUND"
  }
}
```

```json
{"constraint":"constraints/gcp.SecretManagerFilesystemAccess"}
```

I can see this also produces a validation form error when the "Deploy" button is pressed that is not visible as well.

Denis
  • What is the output from **gcloud org-policies describe gcp.SecretManagerFilesystemAccess --organization=ORGANIZATION_ID** and from **gcloud org-policies describe gcp.SecretManagerFilesystemAccess --project=PROJECT_ID**? Those commands should return the policy that contains that constraint. – John Hanley Nov 05 '21 at 20:50
  • 1. (gcloud.org-policies.describe) NOT_FOUND: Requested entity was not found. – Denis Nov 05 '21 at 21:06
  • 2. API [orgpolicy.googleapis.com] not enabled on project [149547440894]. Would you like to enable and retry (this will take a few minutes)? (y/N)? – Denis Nov 05 '21 at 21:07
  • After Y... `(gcloud.org-policies.describe) NOT_FOUND: Requested entity was not found.` – Denis Nov 05 '21 at 21:07
  • I would open a support ticket with Google Cloud (paid) or on Issue Trackers (free) https://cloud.google.com/support/docs/issue-trackers If you are part of Google Cloud Insiders, post a message there. – John Hanley Nov 05 '21 at 21:10
  • What do you mean by **when I inspect the network**? Show the command that generated the error. – John Hanley Nov 05 '21 at 21:10
  • The CLI commands report the same error message as your question. Some detail is missing here. I would list each policy and review its details. – John Hanley Nov 05 '21 at 21:12
  • Command was done through the dashboard. I listed the steps to reproduce the error. I will review my policies to see if that is the issue. – Denis Nov 05 '21 at 21:18
  • Try deploying using the CLI only. That will usually provide more details on the error. You should also see details in Cloud Logging. – John Hanley Nov 05 '21 at 21:19
  • Will try that. One thing to note is that when I add the secret volume, it disables the "Show Command Line" button in the top corner. So I'll just add that code in but I thought that was interesting. – Denis Nov 05 '21 at 21:31
  • @JohnHanley So deploying from the CLI worked. Thank you SO VERY much for the recommendation and for pushing me to use the CLI. :) – Denis Nov 05 '21 at 21:35
  • That is good news. Please create an Issue Tracker for this item. If the Console GUI failed and the CLI worked, something is wrong internally I think. – John Hanley Nov 05 '21 at 21:39
  • I have filed an issue report. TY – Denis Nov 05 '21 at 21:56
  • Post an answer showing the command that you used to deploy. That way this question does not stay open. You can then update the answer as information develops from the Issue Tracker. – John Hanley Nov 05 '21 at 22:58

1 Answer

1

I was able to solve this using the following command in the CLI.

```shell
gcloud beta run deploy nightpricer-api \
--image=gcr.io/io-nightpricer-prod/nightpricer-api@sha256:d74ac81ced1628929075d6c8e97b039ac705663bf3a988cbb57bfad77a30a6dd \
--platform=managed \
--region=us-central1 \
--project=io-nightpricer-prod \
--update-secrets=/config/secrets=APP_SECRETS:latest,/config1/gmail=GMAIL_APPLICATION_CREDENTIALS:latest \
--service-account=firebase-adminsdk-hbr00@io-nightpricer-prod.iam.gserviceaccount.com
```

Denis
  • Your question mentions **Secret Manager** but your command does not use that service. I thought you had a constraint issue with secrets and constraints. I might have been helping you solve a different problem. https://cloud.google.com/run/docs/configuring/secrets – John Hanley Nov 05 '21 at 23:26
  • I just was trying to omit information and accidentally cut it off. Fixed now. Actually looks like they solved the issue too. – Denis Nov 06 '21 at 00:06
  • Thank you. I bet someone noticed our thread and investigated what was going on. Sometimes these are just temporary self-correcting issues. – John Hanley Nov 06 '21 at 00:15
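
An added example, not part of the original thread: a pre-deploy check for the `--update-secrets` value used in the answer. It relies on gcloud's rule that a key starting with `/` is mounted as a volume and any other key becomes an environment variable; the duplicate-directory check reflects the Cloud Run restriction that two secret volumes cannot share a mount location. The function names `parse_secrets` and `duplicate_mount_dirs` are hypothetical.

```shell
#!/bin/sh
# Sample value copied from the answer's gcloud command.
SPEC='/config/secrets=APP_SECRETS:latest,/config1/gmail=GMAIL_APPLICATION_CREDENTIALS:latest'

# parse_secrets SPEC -> one line per comma-separated entry:
#   volume <mount-dir> <file> <secret> <version>
#   env    <VAR>       -      <secret> <version>
#   invalid <entry>            (no KEY=VALUE form)
parse_secrets() {
    old_ifs=$IFS; IFS=,; set -f      # split on commas, no globbing
    set -- $1
    set +f; IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            *=*) ;;
            *) echo "invalid $entry"; continue ;;
        esac
        key=${entry%%=*}
        val=${entry#*=}
        secret=${val%%:*}
        case $val in
            *:*) version=${val#*:} ;;
            *)   version=- ;;        # no version given in the entry
        esac
        case $key in
            /*) dir=${key%/*}        # directory where the volume is mounted
                [ -n "$dir" ] || dir=/
                echo "volume $dir ${key##*/} $secret $version" ;;
            *)  echo "env $key - $secret $version" ;;
        esac
    done
}

# duplicate_mount_dirs SPEC -> each mount directory used by more than one secret
duplicate_mount_dirs() {
    parse_secrets "$1" | awk '$1 == "volume" { if (seen[$2]++ == 1) print $2 }'
}

parse_secrets "$SPEC"
dups=$(duplicate_mount_dirs "$SPEC")
if [ -n "$dups" ]; then
    echo "mount directory reused: $dups"
else
    echo "no mount directory is reused"
fi
```

The answer's value passes because its two secrets use different directories (`/config` and `/config1`); putting both files under `/config` would be reported.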