Regional Managed Instance Group w/ Shared VPC


Chase Bolt

Aug 29, 2018, 9:14:21 PM
to gce-discussion
I am trying to get a regional MIG with a shared VPC to work. Currently running into the issue from a service project, using the networking from a host project. I have an instance template properly defined and I am able to create a working instance from it, but when I use the template for a regional MIG I get this error.

Instance 'instance-group-1-gj83' creation failed: Required 'compute.subnetworks.use' permission for 'projects/231220474974/regions/northamerica-northeast1/subnetworks/default' (when acting as '94116...@cloudservices.gserviceaccount.com')

I am pretty sure this is an IAM issue but I am not sure how to go about fixing it. The service account 94116...@cloudservices.gserviceaccount.com is not a service account I see listed under IAM -> Service Accounts.

Larbi (Google Cloud Support)

Aug 30, 2018, 11:23:30 AM
to gce-dis...@googlegroups.com
Hello Bolt,

This is the "Google APIs Service Agent" and yes it should have the role (roles/compute.networkUser) that has the permission (compute.subnetworks.use) in order to use the shared VPC Network [1].

So, in your host project and in the Shared VPC dashboard:

1. Select the networks that you want to use.
2. Add the "Google APIs Service Agent" email "project_number@cloudservices.gserviceaccount.com" in the right panel {Add members} fields.

Note: After adding the "Google APIs Service Agent", it will be listed under "Compute Network User".

When it's done your Managed Instance group will be able to use the selected network.

Links:
[1]https://cloud.google.com/compute/docs/access/iam#network_user_role

Chase Bolt

Aug 30, 2018, 2:40:30 PM
to gce-discussion
Ahh thanks! That made it work. How do I programmatically find this "Google APIs Service Agent" email address? I can't find an API that exposes this email address and it doesn't seem to be available through the terraform data provider.



Chase Bolt

Aug 30, 2018, 2:56:59 PM
to gce-discussion
I got it worked out. This doc makes it clear I can rely on just taking the project number and concatenating it with the email address. https://cloud.google.com/iam/docs/service-accounts#google-managed_service_accounts

Thanks again!
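The two pieces of this thread, deriving the Google APIs Service Agent address from the service project number and granting it roles/compute.networkUser on the host-project subnet, as one added shell example. This is not code from the thread or from Google; the project IDs, region and subnet name are placeholder assumptions, and the binding is scoped to the single subnet the MIG uses rather than the whole host project so that the service agent gets the least network access that makes the error go away.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): grant a service project's
# Google APIs Service Agent roles/compute.networkUser on one host-project
# subnet, then verify the binding. Requires gcloud and credentials to apply.
set -eu

# Hypothetical values; override via the environment.
HOST_PROJECT="${HOST_PROJECT:-my-host-project}"
SERVICE_PROJECT="${SERVICE_PROJECT:-my-service-project}"
REGION="${REGION:-northamerica-northeast1}"
SUBNET="${SUBNET:-default}"

# The Google APIs Service Agent is Google-managed and does not appear under
# IAM -> Service Accounts; its address is the project NUMBER (not the ID)
# followed by @cloudservices.gserviceaccount.com.
service_agent_email() {
  local project_number="$1"
  case "$project_number" in
    ''|*[!0-9]*)
      echo "project number must be numeric, got: '$project_number'" >&2
      return 1 ;;
  esac
  printf '%s@cloudservices.gserviceaccount.com\n' "$project_number"
}

# Full subnet path in the form the error message prints it.
subnet_path() {
  printf 'projects/%s/regions/%s/subnetworks/%s\n' "$1" "$2" "$3"
}

# Look up the numeric project number for a project ID (network call).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Bind networkUser on exactly one subnet in the host project.
grant_subnet_user() {
  local number member
  number="$(project_number "$SERVICE_PROJECT")"
  member="serviceAccount:$(service_agent_email "$number")"
  gcloud compute networks subnets add-iam-policy-binding "$SUBNET" \
    --project="$HOST_PROJECT" --region="$REGION" \
    --member="$member" --role='roles/compute.networkUser'
}

# Check: who currently holds networkUser on that subnet.
show_subnet_users() {
  gcloud compute networks subnets get-iam-policy "$SUBNET" \
    --project="$HOST_PROJECT" --region="$REGION" \
    --flatten='bindings[].members' \
    --filter='bindings.role:roles/compute.networkUser' \
    --format='value(bindings.members)'
}

# Usage: ./grant-networkuser.sh apply
if [ "${1:-}" = "apply" ]; then
  grant_subnet_user
  show_subnet_users
fi
```

If the grant is managed in Terraform instead, the `google_project` data source exposes the `number` attribute, so the same member string can be built as `"serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"` and attached with a subnet-level `google_compute_subnetwork_iam_member`; a project-level `roles/compute.networkUser` grant would work too but lets the agent place instances in every shared subnet.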

Larbi (Google Cloud Support)

Aug 30, 2018, 3:10:00 PM
to gce-discussion
Hello Bolt,

Great, happy to know that you made it.