StackDriver Debug “error”:“invalid_request”,“error_description”:“Service account not enabled on this instance”

uBitto HQ

Oct 4, 2018, 2:43:27 AM
to Google Stackdriver Discussion Forum
I am using a GCP VM to host a few e-commerce websites via Cloud DNS.
I am trying to set up Stackdriver Debug (PHP) on my GCP VM for one of the e-commerce websites.

I managed to follow the steps successfully up to Step #4.

But when running the below code
php /home/"my-domain"/public_html/vendor/bin/google-cloud-debugger -s /home/"my-domain"/public_html

I am getting an error as below. 

Fatal error: Uncaught Google\Cloud\Core\Exception\NotFoundException: {"error":"invalid_request","error_description":"Service account not enabled on this instance"} in /home/"my-domain"/public_html/vendor/google/cloud-core/src/RequestWrapper.php:263


I have opened for all Google APIs and enabled them, and I have created an API key and OAuth 2.0 client IDs (not sure if this is needed, though). I am not sure what's missing here. Does anyone have any idea?

Thank you in advance!  

Michael Safyan

Oct 4, 2018, 5:30:21 PM
to ubi...@gmail.com, Google Stackdriver Discussion Forum
Ordinarily, Compute Engine VMs have a service account that is automatically provisioned on the virtual machine and can be discovered/consumed automatically without specifying credentials explicitly (see Compute Engine default service account). Based on this error, however, my guess is that this project / VM was configured not to include such a credential by default.

You might try resolving this by enabling the default service account on the instance. Detailed instructions on how to do that can be found here:

Alternatively, you can provision "application default credentials" manually in the way that one might do outside of GCP by:
  • Downloading a service account's *.json file somewhere on the VM
  • Defining the environment variable "GOOGLE_APPLICATION_CREDENTIALS" to point to that file
The following documentation may also be of help:

Michael Safyan

Senior Software Engineer · Stackdriver Monitoring

6425 Penn Ave 7th Floor; Pittsburgh, PA 15206

http://www.michaelsafyan.com | michae...@google.com




uBitto HQ

Oct 4, 2018, 11:52:13 PM
to michae...@google.com, google-stackdr...@googlegroups.com
Thank you, Michael, for your guidance!

I went to the page that you mentioned to create the necessary service accounts and successfully created a new service account with the roles (Stackdriver Debugger Agent and User), as in the screenshot below.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances 
image.png

With this, no luck yet. Same error.

So I was just curious what would happen if I created a brand new VM. I wanted to check if any service account for Stackdriver would be created automatically, but nothing like that happened, as shown below.
 
image.png

I was hoping to see the service account automatically created, like below:
service-81****@compute-system.iam.gserviceaccount.com with the name 'Google Stackdriver Service Agent', or at least that it gets created automatically if I enable the Stackdriver service.
It doesn't seem to work that way. Maybe I have a different understanding (please educate me if so). - #1

So anyway I followed your 2nd recommendation. 
I got the json file downloaded and uploaded to my VM with path /home/"my domain"/public_html/vendor/cos07-cp-m2-4-*****.json 

Now I am at the step of defining the environment variable "GOOGLE_APPLICATION_CREDENTIALS" to point to that file, as you mentioned.
As seen in the below screenshot, the folders were created via steps 2 & 3 from https://cloud.google.com/debugger/docs/setup/php (GCE)
image.png

My question is: is 'ServiceAccountCredentials.php' the file to be modified to point to the downloaded credential file?
If yes, which line should I modify? Here I upload the file as well in case you don't have this file on your end. - #2
If no, should I create a new file, where should I put the file, and what should the content look like? - #3

Sorry for the multiple questions here (#1, #2, #3) with maybe too much detail. I am just trying to learn as much as possible from the experts in the very specific situation I am facing.

Big thank you!

Attachment: ServiceAccountCredentials.php

uBitto HQ

Oct 5, 2018, 5:52:08 AM
to Michael Safyan, google-stackdr...@googlegroups.com
OK. 
This is what we have done so far. 

1. Created the service key for this account (only that way did it allow me to create the JSON file) and uploaded the file to "/home/[MY-DOMAIN]/public_html/vendor/google/auth/src/Credentials/****.json"
image.png
2. Added a line of code to set the environment variable:
putenv('GOOGLE_APPLICATION_CREDENTIALS=/home/[MY-DOMAIN]/public_html/vendor/google/auth/src/Credentials/****.json');
in the following file: /home/[MY-DOMAIN]/public_html/vendor/google/auth/src/ApplicationDefaultCredentials.php

3. And then ran the file in SSH:

php /home/[MY-DOMAIN]/public_html/vendor/google/auth/src/ApplicationDefaultCredentials.php


4. And then ran this:
php /home/[MY-DOMAIN]/public_html/vendor/bin/google-cloud-debugger -s /home/[MY-DOMAIN]/public_html

5. Now it is stuck... nothing is happening, but somehow it captured some record in the API dashboard, but with an error.
image.png

6. Suspected it's due to some kind of validation, so made a change in /vendor/google/cloud-core/src/RequestWrapper.php#116,
from 'shouldSignRequest' => true, to 'shouldSignRequest' => false,
and ran this one more time ( php /home/[MY-DOMAIN]/public_html/vendor/bin/google-cloud-debugger -s /home/[MY-DOMAIN]/public_html ).
It got us a new error:

Fatal error: Uncaught Google\Cloud\Core\Exception\ServiceException: {
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}
 in /home/[MY-DOMAIN]/public_html/vendor/google/cloud-core/src/RequestWrapper.php:263

We are not sure if step #6 would help, but I saw it in some article as a workaround. We are now clueless... Can you please shed some light here?

Thank you in advance!!

Michael Safyan

Oct 5, 2018, 11:48:34 AM
to uBitto HQ, google-stackdr...@googlegroups.com
A few things:
  • For an existing service account, you can use the "Manage" page to download the corresponding *.json file (you don't need to create a new service account every time you need a *.json file; I realize that the manage link is a little bit hidden).
  • The credentials page manages the credentials that are owned by the project, but it is independent of whether a given instance is provisioned with any of the credentials (creating a service account does not cause that service account to magically be populated on a Compute Engine instance); please read the Creating and Enabling Service Accounts for Instances documentation more closely; there is a gcloud compute instances set-service-account command that is referenced in the documentation as one way to associate the instance and service account, for example.
  • You should not need to modify any of the Google Cloud client library source code to get this working.
  • You should not need to run "ApplicationDefaultCredentials.php"; it is a library file, not a program.
  • The "google-cloud-debugger -s" command starts a background process, so you shouldn't expect it to "do" anything (other than cause your application to be able to succeed when it attempts to connect to the debugger agent); if you want to test whether it is working, try debugging your app. If it is still not working, try looking at Stackdriver Logging or SSHing into the VM and examining the log files locally for hints as to the issue.
I hope this helps! Good luck!

Michael Safyan

Senior Software Engineer · Stackdriver Monitoring

6425 Penn Ave 7th Floor; Pittsburgh, PA 15206

http://www.michaelsafyan.com | michae...@google.com
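
Added example (not part of the thread and not Google's code): a pre-flight check for the two credential routes discussed above, the instance's attached service account and a key file referenced by GOOGLE_APPLICATION_CREDENTIALS. The function names, return codes and paths are illustrative assumptions; the key-file check also rejects a key stored under the web root, as in the public_html/vendor paths mentioned in this thread, or one readable by other users.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the two credential routes in this thread.
# Function names, return codes and all paths are illustrative assumptions.

# Route 1: ask the metadata server whether a service account is attached.
# Only meaningful on a Compute Engine VM; fails (non-zero) when none is attached.
# Attach one with the command the reply names (placeholders in capitals):
#   gcloud compute instances set-service-account INSTANCE --service-account=SA_EMAIL
has_attached_service_account() {
  curl -sf -m 5 -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email' \
    >/dev/null
}

# Route 2: vet a downloaded key before pointing GOOGLE_APPLICATION_CREDENTIALS at it.
# Returns 0 = ok, 1 = missing/unreadable, 2 = not a service-account key,
#         3 = stored under the web root, 4 = readable by group or others.
check_key_file() {
  _key=$1 _webroot=$2
  [ -r "$_key" ] || return 1
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$_key" || return 2
  # Resolve symlinks in both directories so the prefix comparison is reliable.
  _real=$(cd "$(dirname "$_key")" && pwd -P)/$(basename "$_key")
  _root=$(cd "$_webroot" 2>/dev/null && pwd -P) || _root=
  if [ -n "$_root" ]; then
    case "$_real" in "$_root"/*) return 3 ;; esac
  fi
  # GNU stat first, BSD stat as fallback; accept only modes such as 600 or 400.
  _mode=$(stat -c '%a' "$_key" 2>/dev/null || stat -f '%Lp' "$_key")
  case "$_mode" in *00) return 0 ;; *) return 4 ;; esac
}

# Usage: ./preflight.sh /path/to/key.json /home/MY-DOMAIN/public_html
if [ "$#" -eq 2 ]; then
  has_attached_service_account && echo "instance has an attached service account"
  if check_key_file "$1" "$2"; then
    export GOOGLE_APPLICATION_CREDENTIALS=$1
    echo "key file OK: $1"
  else
    echo "key file rejected (code $?)" >&2
  fi
fi
```

The export only affects the script's own process; set the variable in the environment of the shell or service that starts the PHP application and the debugger daemon.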


ubi...@gmail.com

Oct 7, 2018, 9:43:54 PM
to Michael Safyan, google-stackdr...@googlegroups.com

Thank you for the info. I have a few more things on which I would like to seek your advice.

  1. Where is the ‘Manage’ link? Seriously I really can’t locate it, neither can my peer.. or is it due to my account?
    I am sorry for being a pest here but do you mind sharing some steps to see it?

  2. I am not sure if you are talking about below page as the ‘Manage’ link.
    I am not generating the new service account but in order to download the json file, I must create a ‘Key’ like below screenshot. Only then it downloads the json file automatically but my question is if it’s possible to download the .json file from the existing service account without creating a key.
    Or, more fundamentally, is it necessary to have the key in order for me to make Stackdriver Debugger work? Or is having a key optional?


  3. What’s the expected result after running the "google-cloud-debugger -s" command? Should it show some kind of successful message on SSH window or just bring it to the next line without saying anything?
    Currently, it just freezes in the SSH command window, with no message, and it does not go to the next line. So I have to force-stop it.
    No log has been created anywhere that I know of.

 

Thank you so much for your guidance here.


Rohan

image001.jpg