Newly created service account needs "deploymentmanager.deployments.list" permissions but no indication how to do so #52
Comments
Thanks for reporting @cwilkes 👍 Is the access to the deployment manager API in the API dashboard enabled? |
Figured it out, the API was enabled but then I had to go in there and add "editor" privileges to my service account. It wasn't the easiest to find out. |
Thanks for the update on how to resolve it @cwilkes 👍 Noted ✏️ |
I am getting the same error. I went to the IAM & Admin screen in GCP and selected my service account and entered the Service account ID of the service account and selected the Editor role and clicked on Add button. So, I think I have successfully added the "editor" priv to my service account as indicated by @cwilkes, but I still get the same error when I try to deploy. |
Hey @jimcurtis thanks for commenting and trying out the plugin! 🤔 @cwilkes was there anything else you had to do to get it working? Just checked the IAM settings of our test project we've used to work on the plugin. My User account and the "Serverless Framework" Service Account are The following Service Accounts are
|
I'm hitting the same problem that @jimcurtis was having. API service enabled, I've added service account as Editor, and Owner. Still the exact same error. I also tried changing the private key ID in the credentials JSON file to one that doesn't exist, but it still complains about the missing permission. How does it know that the service account doesn't have the permission when the private key ID that's supposed to tell which service account doesn't even exist? @pmuens Any thoughts? |
I ended up solving the problem by creating a new service account using GCP console. The service account that kept failing was created using
|
Thanks for providing the steps above to resolve the issue @cliffano 👍 Looks like this is smth. out of our control right now. Would be nice to have some steps to reproduce this so that we can investigate further 🤔 |
Wrong project name :) Used the same I used for the credential name, which is wrong of course. |
I'm having this issue. Created a brand new function using Serverless CLI, just to test things out. Then created a new Service Account under my GCP project, which has "Project -> Owner + Editor" permissions, saved the key in the proper place, changed But I noticed that when creating a Service Account I can give them permissions under "Deployment Manager" in addition to "Project Owner". But any changes I make have no effect. Even multiple permissions have no effect. (I'd think that "Project Owner" should allow the key to do anything. I don't understand the need of adding "Editor" in there. In my case, adding Editor or anything else changes nothing.) In GCP -> APIs & Services -> Dashboard, I can see that the "Google Cloud Deployment Manager V2 API" is giving me 100% errors for:
And I can see it's using the new Service Account I created. I'm not sure what to do at this point, so any advice would be appreciated. |
To resolve this I had to create a new service account and give it the roles Owner, Editor and all the Deployment Managers. I noticed I had to give these roles during service account creation time. Adding a new role (e.g. Editor) from IAM didn't work for me. HTH |
Hi, I am following instructions at Serverless.com page:
It produces an error: I figured out that the created service account is not assigned these permissions. So I took another approach:
Now you have a correct private key with correct permissions for the service account! |
why is there a need to provide |
I got the exact same issue with a recent version (1.38.0). I even assigned the project owner role to the service account and got the same error. Does anyone have a solution? UPDATE: ugh, I tried to use the originally provisioned compute service account (xxx-compute@developer.gserviceaccount.com) and was able to deploy the functions, while my created one keeps failing (serverless@myapp.iam.gserviceaccount.com) |
@dikatok But I still feel uncomfortable that I have to generate a key for an almost super user. This unnecessarily increases the risk. |
I got the same issue here, and its solution sounds like an i18n bug. My default Google console language was "pt-BR". I changed the language to "en" and checked the IAM roles; they were wrong. So the solution for me was: change the project language to "en" before creating the IAM user. |
Can someone, please, provide me with a POLICY file, so I can use Currently it seems that my service account does have proper permissions:
~/projects/service gcloud projects get-iam-policy project
bindings:
- members:
- serviceAccount:serverless@project.iam.gserviceaccount.com
role: roles/cloudfunctions.developer
- members:
- serviceAccount:serverless@project.iam.gserviceaccount.com
role: roles/datastore.owner
- members:
- serviceAccount:serverless@project.iam.gserviceaccount.com
role: *roles/deploymentmanager.editor*
- members:
- serviceAccount:serverless@project.iam.gserviceaccount.com
role: roles/endpoints.portalAdmin
- members:
- serviceAccount:serverless@project.iam.gserviceaccount.com
role: roles/file.editor
- members:
- serviceAccount:serverless@project.iam.gserviceaccount.com
role: roles/logging.admin
- members:
- user:somebody.that@i.used.to.know
role: roles/owner
etag: &&&&&&
version: 1
~/projects/service gcloud beta iam roles list --filter="(name:roles/deploymentmanager.*)"
---
description: Read and Write access to all Deployment Manager resources.
etag: AA==
name: *roles/deploymentmanager.editor*
stage: GA
title: Deployment Manager Editor
---
description: Read and Write access to all Type Registry resources.
etag: AA==
name: roles/deploymentmanager.typeEditor
stage: GA
title: Deployment Manager Type Editor
---
description: Read-only access to all Type Registry resources.
etag: AA==
name: roles/deploymentmanager.typeViewer
stage: GA
title: Deployment Manager Type Viewer
---
description: Read-only access to all Deployment Manager resources.
etag: AA==
name: roles/deploymentmanager.viewer
stage: GA
title: Deployment Manager Viewer
~/projects/service gcloud beta iam roles describe roles/deploymentmanager.editor
description: Read and Write access to all Deployment Manager resources.
etag: AA==
includedPermissions:
- deploymentmanager.compositeTypes.create
- deploymentmanager.compositeTypes.delete
- deploymentmanager.compositeTypes.get
- deploymentmanager.compositeTypes.list
- deploymentmanager.compositeTypes.update
- deploymentmanager.deployments.cancelPreview
- deploymentmanager.deployments.create
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.get
- *deploymentmanager.deployments.list*
- deploymentmanager.deployments.stop
- deploymentmanager.deployments.update
- deploymentmanager.manifests.get
- deploymentmanager.manifests.list
- deploymentmanager.operations.get
- deploymentmanager.operations.list
- deploymentmanager.resources.get
- deploymentmanager.resources.list
- deploymentmanager.typeProviders.create
- deploymentmanager.typeProviders.delete
- deploymentmanager.typeProviders.get
- deploymentmanager.typeProviders.getType
- deploymentmanager.typeProviders.list
- deploymentmanager.typeProviders.listTypes
- deploymentmanager.typeProviders.update
- deploymentmanager.types.create
- deploymentmanager.types.delete
- deploymentmanager.types.get
- deploymentmanager.types.list
- deploymentmanager.types.update
- resourcemanager.projects.get
- resourcemanager.projects.list
- serviceusage.quotas.get
- serviceusage.services.get
- serviceusage.services.list
name: roles/deploymentmanager.editor
stage: GA
title: Deployment Manager Editor
I have marked the appropriate permissions in the list above. And, yet, I got:
Error --------------------------------------------------
Required 'deploymentmanager.deployments.list' permission for 'projects/project'
For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.
Stack Trace --------------------------------------------
As one can import the policy file while creating a user account, can then someone - please - provide me with a default one? I can take it from there, but I need to understand what I have done wrong... |
why this one is closed??? |
I know this is closed, but just in case someone gets this, make sure you check that your project name in serverless.yml matches the actual project name in GCP. #91 (comment) |
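The project-name check from the comment above, combined with a look at the roles bound to the key's service account, as an added example that is not part of the thread or the plugin's code. All input data is constructed; it assumes the project named in the error message is the one set in serverless.yml, and it reads the `project_id` and `client_email` fields of the key file.

```python
import json
import re

# Constructed sample data; names and IDs are placeholders, not from the thread.
KEYFILE = {"project_id": "demo-proj-1234",
           "client_email": "serverless@demo-proj-1234.iam.gserviceaccount.com"}
# Same shape as `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY = json.loads("""{"bindings": [
  {"role": "roles/deploymentmanager.editor",
   "members": ["serviceAccount:serverless@demo-proj-1234.iam.gserviceaccount.com"]},
  {"role": "roles/owner",
   "members": ["serviceAccount:serverless@demo-proj-1234.iam.gserviceaccount.com"]}
]}""")
ERROR = "Required 'deploymentmanager.deployments.list' permission for 'projects/serverless'"

# Roles that carry deploymentmanager.deployments.list. The first is shown in the
# thread's `roles describe` output; the two basic roles are added from general knowledge.
GRANTING = {"roles/deploymentmanager.editor", "roles/editor", "roles/owner"}
BROAD = {"roles/editor", "roles/owner"}

ERR_RE = re.compile(r"Required '([\w.]+)' permission for 'projects/([^']+)'")

def parse_error(message):
    """Return (permission, project) named in the deploy error, or None."""
    m = ERR_RE.search(message)
    return (m.group(1), m.group(2)) if m else None

def roles_for(policy, email):
    """Roles bound directly to the service account in the project policy."""
    member = f"serviceAccount:{email}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def diagnose(error, keyfile, policy):
    findings = []
    parsed = parse_error(error)
    roles = set(roles_for(policy, keyfile["client_email"]))
    # A request aimed at another project fails whatever roles exist in this one.
    if parsed and parsed[1] != keyfile["project_id"]:
        findings.append(f"project mismatch: request targeted '{parsed[1]}', "
                        f"key belongs to '{keyfile['project_id']}'")
    if not roles & GRANTING:
        findings.append("no bound role grants deploymentmanager.deployments.list")
    for role in sorted(roles & BROAD):
        findings.append(f"over-broad role on a keyed account: {role}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(ERROR, KEYFILE, POLICY):
        print(finding)
```

With the sample data the mismatch is reported first, which is the case where adding Owner or Editor changes nothing; the second finding flags the leftover basic role that can be dropped once the project name is corrected.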
It worked for me after adding "Type Editor" and "Viewer" permissions in cloud project manager. ("Add Member") |
Thank you sir, you saved my day in 2023 : D |
Created a service account with "Project - Owner" role and did a "serverless deploy" as said in the README.md and got this error.
Tried going through the https://console.cloud.google.com/iam-admin/serviceaccounts/project page to add that privilege, couldn't figure out a way to do that. Filed feedback on that.
Error --------------------------------------------------
Stack Trace --------------------------------------------
Error: Error: Required 'deploymentmanager.deployments.list' permission for 'projects/aec2-6b632'
at filArgs.reduce (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/serverless-google-cloudfunctions/provider/googleProvider.js:65:33)
at JWT.OAuth2Client._postRequest (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/google-auth-library/lib/auth/oauth2client.js:402:3)
at postRequestCb (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/google-auth-library/lib/auth/oauth2client.js:362:12)
at Request._callback (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/google-auth-library/lib/transporters.js:106:7)
at Request.self.callback (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/request/request.js:188:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:194:7)
at Request. (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/request/request.js:1171:10)
at emitOne (events.js:96:13)
at Request.emit (events.js:191:7)
at IncomingMessage. (/Users/cwilkes/Documents/workspace/hackathon/cjw_gf1/node_modules/request/request.js:1091:12)
at Object.onceWrapper (events.js:293:19)
at emitNone (events.js:91:20)
at IncomingMessage.emit (events.js:188:7)
at endReadableNT (_stream_readable.js:975:12)
at _combinedTickCallback (internal/process/next_tick.js:80:11)
at process._tickDomainCallback (internal/process/next_tick.js:128:9)
From previous event:
at PluginManager.run (/usr/local/lib/node_modules/serverless/lib/classes/PluginManager.js:156:22)
at Serverless.run (/usr/local/lib/node_modules/serverless/lib/Serverless.js:95:31)
at serverless.init.then (/usr/local/lib/node_modules/serverless/bin/serverless:23:50)
at process._tickCallback (internal/process/next_tick.js:109:7)