
So I've run into this issue with a web app I've made:

  • it gets a file path as input
  • if the file exists in a bucket, it uses a Python client API to create a Compute Engine instance
  • it passes the file path to the instance in the startup script

When I ran it locally, I created a Python virtual environment and then ran the app. When I submit the input in the web browser, the virtual machine is created by the API call. I assumed it used my personal account. I switched to the service account on the command line with `gcloud config set account`, and it ran fine once more.

When I simply go to the source code directory and deploy it as is, the application can create the virtual machine instances as well.

When I use Google Cloud Build and deploy to Cloud Run, it doesn't create the VM instance.

The web app itself is not throwing any errors, but when I check Compute Engine's logs, there is an error:

    {
      "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "status": {
          "code": 3,
          "message": "INVALID_PARAMETER"
        },
        "authenticationInfo": {
          "principalEmail": "####"
        },
        "requestMetadata": {
          "callerIp": "#####",
          "callerSuppliedUserAgent": "(gzip),gzip(gfe)"
        },
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert",
        "resourceName": "projects/someproject/zones/somezone/instances/nameofinstance",
        "request": {
          "@type": "type.googleapis.com/compute.instances.insert"
        }
      },
      "insertId": "######",
      "resource": {
        "type": "gce_instance",
        "labels": {
          "instance_id": "#####",
          "project_id": "someproject",
          "zone": "somezone"
        }
      },
      "timestamp": "2021-06-16T12:18:21.253551Z",
      "severity": "ERROR",
      "logName": "projects/someproject/logs/cloudaudit.googleapis.com%2Factivity",
      "operation": {
        "id": "operation-#####",
        "producer": "compute.googleapis.com",
        "last": true
      },
      "receiveTimestamp": "2021-06-16T12:18:21.253551Z"
    }

In theory, it is the exact same code that worked from my laptop and on App Engine. I'm baffled why it only does this on Cloud Run.

App Engine's default service account was stripped of all its roles and given a custom role tailored to the web app's function.

Cloud Run is using a different service account, but it was given that exact same custom role.

Here is the method I use to call the API.

    import googleapiclient.discovery
    from datetime import datetime


    def create_instance(path):
        # Build the Compute Engine v1 client with Application Default Credentials
        # (i.e. whatever account the calling environment runs as).
        compute = googleapiclient.discovery.build('compute', 'v1')

        # datetime is needed for %H%M%S; date.today() would render them as 000000.
        vmname = "piinnuclei" + datetime.now().strftime("%Y%m%d%H%M%S")

        # Startup script executed by the new VM; {} is replaced with the bucket path.
        startup_script = (
            "#! /bin/bash\n"
            "apt update\n"
            "pip3 install pg8000\n"
            "export BUCKET_PATH=my-bucket/{}\n"
            "gsutil -m cp -r gs://$BUCKET_PATH /home/connor\n"
            "cd /home/connor\n"
            "./cloud_sql_proxy -dir=cloudsql -instances=sql-connection-name=unix:sql-connection-name &\n"
            "python3 run_analysis_upload.py\n"
            "export ZONE=$(curl -X GET http://metadata.google.internal/computeMetadata/v1/instance/zone -H 'Metadata-Flavor: Google')\n"
            "export NAME=$(curl -X GET http://metadata.google.internal/computeMetadata/v1/instance/name -H 'Metadata-Flavor: Google')\n"
            "gcloud --quiet compute instances delete $NAME --zone=$ZONE"
        ).format(path)

        # Request body, generated from the console's "Equivalent REST" view.
        config = {
          "kind": "compute#instance",
          "name": vmname,
          "zone": "projects/my-project/zones/northamerica-northeast1-a",
          "machineType": "projects/my-project/zones/northamerica-northeast1-a/machineTypes/e2-standard-4",
          "displayDevice": {
            "enableDisplay": False
          },
          "metadata": {
            "kind": "compute#metadata",
            "items": [
              {
                "key": "startup-script",
                "value": startup_script
              }
            ]
          },
          "tags": {
            "items": []
          },
          "disks": [
            {
              "kind": "compute#attachedDisk",
              "type": "PERSISTENT",
              "boot": True,
              "mode": "READ_WRITE",
              "autoDelete": True,
              "deviceName": vmname,
              "initializeParams": {
                "sourceImage": "projects/my-project/global/images/my-image",
                "diskType": "projects/my-project/zones/northamerica-northeast1-a/diskTypes/pd-balanced",
                "diskSizeGb": "100"
              },
              "diskEncryptionKey": {}
            }
          ],
          "canIpForward": False,
          "networkInterfaces": [
            {
              "kind": "compute#networkInterface",
              "subnetwork": "projects/my-project/regions/northamerica-northeast1/subnetworks/default",
              "accessConfigs": [
                {
                  "kind": "compute#accessConfig",
                  "name": "External NAT",
                  "type": "ONE_TO_ONE_NAT",
                  "networkTier": "PREMIUM"
                }
              ],
              "aliasIpRanges": []
            }
          ],
          "description": "",
          "labels": {},
          "scheduling": {
            "preemptible": False,
            "onHostMaintenance": "MIGRATE",
            "automaticRestart": True,
            "nodeAffinities": []
          },
          "deletionProtection": False,
          "reservationAffinity": {
            "consumeReservationType": "ANY_RESERVATION"
          },
          "serviceAccounts": [
            {
              "email": "batch-service-accountg@my-project.iam.gserviceaccount.com",
              "scopes": [
                "https://www.googleapis.com/auth/cloud-platform"
              ]
            }
          ],
          "shieldedInstanceConfig": {
            "enableSecureBoot": False,
            "enableVtpm": True,
            "enableIntegrityMonitoring": True
          },
          "confidentialInstanceConfig": {
            "enableConfidentialCompute": False
          }
        }

        return compute.instances().insert(
            project="my-project",
            zone="northamerica-northeast1",
            body=config).execute()
  • Does this answer your question? [Google Cloud - Compute Engine, Insert Instance with Instance Template](https://stackoverflow.com/questions/66165094/google-cloud-compute-engine-insert-instance-with-instance-template) – Martin Zeitler Jul 30 '21 at 17:35
  • No, it does not. I've tested it locally and even deployed it on App Engine. It is successful in those environments, but not on Cloud Run. – connor Jul 30 '21 at 18:01
  • Your question does not include any code or show the API call. We can only guess. The problem is the command you are using to create a VM has an invalid configuration parameter. – John Hanley Jul 30 '21 at 19:01
  • @JohnHanley I'm certain it works, but I put the method in there for you. – connor Jul 30 '21 at 20:05
  • The **initializeParams** for **sourceImage** and **diskType** are not correct. If you are masking real values, then we cannot help you. – John Hanley Jul 30 '21 at 20:27
  • Sorry if that is a problem. Thank you for looking anyways. I thought it was a good idea to hide things like project ID and zone (that info was in disk type and disk image). If you go to the create VM page in Google's console and hit 'Equivalent REST' at the bottom, that is how I made my configuration. As I've said, the code runs fine from my laptop and on App Engine. – connor Jul 31 '21 at 20:14
  • There are ways of masking sensitive information. For example, your project ID is **apple-martini-834**. Change it to **roaring-bears-2021**. We will then know that the project string format is correct. Remember, the problem you are trying to solve is **INVALID_PARAMETER**. How can we help you solve it if you fiddle with parameters to hide information? Masking is fine, removing the information is not helpful. – John Hanley Jul 31 '21 at 20:20
  • I understand. The requested edits have been made. – connor Aug 02 '21 at 03:49
  • John, you were right. It had to do with the zone at the very end when calling "compute.instances().insert()". Thanks for your feedback. This is the first time I've asked a question and I know I wasn't very good at it. – connor Aug 02 '21 at 14:08

1 Answer

The issue was with the zone. For some reason, when it was run on Cloud Run, the code below was the culprit.

    return compute.instances().insert(
        project="my-project",
        zone="northamerica-northeast1",
        body=config).execute() 

"northamerica-northeast1" should have been "northamerica-northeast1-a".

EDIT:

I made a new virtual machine image and quickly ran into the same problem: it would work locally and break down in the Cloud Run environment. After letting it sit for some time, it began to work again. This is leading me to the conclusion that there is also some sort of delay before it can be called by Cloud Run.

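Added example (not the asker's code): a pre-flight check that derives the `project` and `zone` arguments for `compute.instances().insert()` from the request body itself and rejects a region name where a zone is required, which is the mismatch the answer identifies. The zone/region patterns and `SAMPLE_CONFIG` are assumptions constructed here; call it as `compute.instances().insert(**insert_kwargs(config)).execute()`.

```python
import re

# Compute Engine zone names are a region plus a one-letter suffix
# ("northamerica-northeast1-a"); passing the bare region to instances.insert
# is rejected as INVALID_PARAMETER. Both patterns are assumptions about the
# naming scheme, not an official grammar.
ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d+-[a-z]$")
REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")


def parse_zone_path(path):
    """Split 'projects/<project>/zones/<zone>[/...]' into (project, zone)."""
    parts = path.split("/")
    if len(parts) < 4 or parts[0] != "projects" or parts[2] != "zones":
        raise ValueError(f"not a zonal resource path: {path!r}")
    return parts[1], parts[3]


def check_zone(zone):
    """Fail with a readable message instead of the API's bare INVALID_PARAMETER."""
    if REGION_RE.match(zone):
        raise ValueError(f"{zone!r} is a region; insert() needs a zone such as {zone}-a")
    if not ZONE_RE.match(zone):
        raise ValueError(f"{zone!r} is not a Compute Engine zone name")
    return zone


def insert_kwargs(config):
    """Build the kwargs for compute.instances().insert(**insert_kwargs(config)),
    taking project and zone from config['zone'] so they are never typed twice."""
    project, zone = parse_zone_path(config["zone"])
    check_zone(zone)
    # Every zonal path in the body must name the same zone as the request.
    zonal_paths = [config["machineType"]] + [
        d["initializeParams"]["diskType"]
        for d in config.get("disks", []) if "initializeParams" in d]
    for p in zonal_paths:
        if parse_zone_path(p) != (project, zone):
            raise ValueError(f"{p!r} is not in {project}/{zone}")
    return {"project": project, "zone": zone, "body": config}


# Constructed body reusing the placeholders from the question.
SAMPLE_CONFIG = {
    "name": "piinnuclei20210802",
    "zone": "projects/my-project/zones/northamerica-northeast1-a",
    "machineType": "projects/my-project/zones/northamerica-northeast1-a/machineTypes/e2-standard-4",
    "disks": [{"boot": True, "initializeParams": {
        "diskType": "projects/my-project/zones/northamerica-northeast1-a/diskTypes/pd-balanced"}}],
}
```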