2

I have been following the instructions on https://cloud.google.com/profiler/docs/profiling-nodejs#gke to use the gcloud profiler for my Node.js application.

I added RUN npm install @google-cloud/profiler to my Dockerfile. And I added

require('@google-cloud/profiler').start({
    serviceContext: {
        service: 'your-service',
        version: '1.0.1',
    },
});

to my app.js file.

I then ran the container on a GKE cluster and got the following error:

@google-cloud/profiler Failed to create profile, waiting 8.6s to try again: Error: generic::permission_denied

By my understanding of the documentation I do not need explicit authentication or permissions to create profiles when running the code from within a gcloud hosted instance. The error itself isn't very helpful and I am a bit out of my depth here. I already tried if creating the cluster with --(autoprovisioning-)scopes "https://www.googleapis.com/auth/cloud-platform" might do the trick, but had no luck either.

Any ideas what might be the issue here?

Yannic Welle

1 Answer

2

You're correct that the documentation suggests you don't need credentials but I think that you do (and that the documentation is incomplete).

When an app (e.g. Profiler) uses Google's Application Default Credentials and runs on e.g. Compute Engine (App Engine, Cloud Run etc.), it is able to get credentials automatically from the environment (on GCP using the Metadata service; locally by the developer exporting GOOGLE_APPLICATION_CREDENTIALS to a key).

On GKE, I think this isn't true (unless Google's doing some magic somewhere) and that the app won't be able to access the credentials automatically unless you represent them in GKE. I think (!?) you'll need to create a Service Account and:

NOTE Workload Identity is a neat feature but it's only useful if you only ever plan to use GKE (and not some other Kubernetes implementation).

Before proceeding, let's see whether other folks reply to tell me that I'm wrong.

I wrote about using what was then called Stackdriver Profiler for GKE deployed apps. The article is dated but it should provide an outline of what you need to do.

DazWilkin
  • is correct that your app will need credentials to access the cloudprofiler.googleapis.com API. Assuming you have not enabled Workload Identity for your cluster (by the way, I highly recommend that you do), then any app on GKE by default will attempt to use the default Compute Engine service account (https://cloud.google.com/compute/docs/access/service-accounts#default_service_account) to access Google Cloud APIs. As a quick test, you could ensure that this account has permission to access the cloudprofiler.googleapis.com API. – Gari Singh Nov 07 '21 at 10:44
  • @DazWilkin your Medium article solved the issue. Thank you – Yannic Welle Nov 10 '21 at 10:04
  • I'm pleased to hear it! – DazWilkin Nov 10 '21 at 13:06
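
The quick test suggested in the comments (confirm that the account the pod runs as may call cloudprofiler.googleapis.com), sketched as an added example that is not part of the original thread. It assumes the role name roles/cloudprofiler.agent, treats cloud-platform as the required scope, and works on constructed identity and policy objects; diagnoseProfilerAccess and its finding names are hypothetical.

```javascript
// Added diagnostic sketch, not code from the thread. Inputs are plain objects:
//   identity: service account email + OAuth scopes the pod gets from the metadata server
//   policy:   JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`
const PROFILER_AGENT_ROLE = 'roles/cloudprofiler.agent';
// Assumption: these basic roles also permit creating profiles.
const BROAD_ROLES = ['roles/owner', 'roles/editor'];
// Assumption: cloud-platform (the scope the question tried) is treated as required.
const CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';

function diagnoseProfilerAccess(identity, policy) {
  const member = `serviceAccount:${identity.email}`;
  const findings = [];
  // Bindings that name the account the pod actually runs as.
  const bindings = (policy.bindings || []).filter(b => (b.members || []).includes(member));
  const roles = bindings.map(b => b.role);
  const hasAgent = roles.includes(PROFILER_AGENT_ROLE);
  const hasBroad = roles.some(r => BROAD_ROLES.includes(r));

  if (!hasAgent && !hasBroad) findings.push('missing-role');   // IAM denies profile creation
  else if (!hasAgent) findings.push('broad-role-only');        // works, but over-privileged
  if (bindings.some(b => b.role === PROFILER_AGENT_ROLE && b.condition)) {
    findings.push('conditional-binding');                      // grant may not always apply
  }
  // Access scopes on the node cap the token, whatever IAM grants.
  if (!(identity.scopes || []).includes(CLOUD_PLATFORM_SCOPE)) findings.push('scope-too-narrow');
  // Default Compute Engine service account: shared by every workload on the node.
  if (/^\d+-compute@developer\.gserviceaccount\.com$/.test(identity.email)) {
    findings.push('default-compute-sa');
  }
  return findings;
}

// Constructed sample: pod falling back to the node's default service account.
const sampleIdentity = {
  email: '123456789012-compute@developer.gserviceaccount.com',
  scopes: ['https://www.googleapis.com/auth/logging.write'],
};
const samplePolicy = {
  bindings: [
    { role: 'roles/logging.logWriter', members: [`serviceAccount:${sampleIdentity.email}`] },
    { role: PROFILER_AGENT_ROLE,
      members: ['serviceAccount:profiler-agent@example-project.iam.gserviceaccount.com'] },
  ],
};
console.log(diagnoseProfilerAccess(sampleIdentity, samplePolicy));
```

An empty result means a dedicated account holds the agent role with a sufficient scope; any finding points at the identity, the IAM binding, or the node scopes as the place to look for the permission_denied error.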