Question

Problem: I m facing an issue creating a GKE Standard cluster in the GCP console. I ve assigned the necessary permissions to a custom service account and selected it during cluster creation, but the process fails with the following error message:

    PERMISSIONS_ERROR: Instance  gke-cluster-1-default-pool-04d4bc2e  creation failed: Required  compute.instances.create  permission for  projects/874xxxxxxx/zones/us-central1-c/instances/gke-cluster-1-default-pool-04d4bc2e  (when acting as  [email protected] );
... (other permission errors listed)

<>详细情况:

I dont know from where it has picking up this service account service account ("[email protected]") The service account which I have choosen is different then the one mentioned in the error and I couldnt find this services account in IAM service section.

< Question:

我不知道需要哪些额外许可,或我应当使用哪些服务? 谁能帮助我理解这一错误,并提出正确的服务账户和设立GKE标准组的许可?

Please Note: I ve intentionally redacted sensitive information like project ID and service account name for security purposes.

Answer 1

https://cloud.google.com/compute/docs/access/service-accounts#google_apis_service_agent”rel=“nofollow noreferer”>gcp 文件:

这个服务账户专门用于代表你管理谷歌内部进程。该账户由谷歌所有,没有列入谷歌云集的会费账户。缺省时,账户自动授予项目编辑在项目上的作用,并列在谷歌云盖的IAM部分。只有在删除该项目时,才删除这一服务账户。然而,你可以改变给予这一账户的作用,包括取消对你项目的一切准入。

这一服务账户对于成功建立GKE集群至关重要。如果没有正确的许可,不论用户账户或您使用的服务账户,分组的设立都将失败。

为了解决这个问题,你应当:

Go to IAM page.
Check Include Google-provided role grants above the table on the right side. Now you should see all permissions including accounts managed by Google.
Grant [email protected] the appropriate permissions (It is Editor by default). If you didn t find it, you can click GRANT ACCESS and add it manually with the proper permissions.

希望:

友情链接