Required 'compute.regions.get' permission error #459

Closed
dborisenko opened this issue Mar 18, 2020 · 6 comments
Comments

@dborisenko
Good day,

I'm trying to use beta-private-cluster module of version "~> 7.3" to create a cluster in region europe-west2. But I keep getting error:

Error: googleapi: Error 403: Google Compute Engine: Required 'compute.regions.get' 
permission for 'projects/***/regions/europe-west2'., forbidden

The weird thing is that I'm trying to do that using a user with the Editor role. So, it should have permission to read the region. I tried to add more roles for the user (made it all kinds of admin), but the result is still the same.
Could you please advise where my mistake might be?

Thanks in advance, Denis

@morgante
Contributor

Could you try authenticating as that Service Account and running gcloud compute regions list --project=${my-project}?

@dborisenko
Author

@morgante I've got this error:

ERROR: (gcloud.compute.regions.list) Some requests did not succeed:
 - Required 'compute.regions.list' permission for 'my-project'

Thank you for the hint. So, it's the service account that is missing permissions, not my actual user. Could you please recommend which role I should assign to my service account to tackle this issue without giving it too many permissions?
Is roles/compute.networkViewer enough? And by the way, can I find somewhere a list of all recommended roles for such a service account (apart from the default roles roles/logging.logWriter, roles/monitoring.metricWriter, roles/monitoring.viewer, roles/storage.objectViewer)?

@Dev25
Contributor

Dev25 commented Mar 20, 2020

Sounds like you are mixing up service accounts between creating and running a cluster, @dborisenko

  • Cluster service account for running: the permissions you listed are fine (logging/monitoring etc.), see the GKE docs; you can alternatively let this module create this service account
  • Service account to create a cluster using this module requires far greater roles, see README #configure-a-service-account

@dborisenko
Author

dborisenko commented Mar 20, 2020

Thank you, @Dev25. Yes, I'm kind of mixing up everything because I'm stuck.

So, my first attempt was the following:

  • My cluster service account (the one which is supposed to RUN) has the following roles:
    roles/logging.logWriter, roles/monitoring.metricWriter, roles/monitoring.viewer, roles/storage.objectViewer
  • My provisioner service account (the one which is CREATING) has the following roles:
    roles/compute.viewer, roles/container.clusterAdmin, roles/container.developer, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountUser

And I got that error. My next attempt was to give them both all possible roles listed above (and add some more roles), and it still didn't help. So, I'm now a bit frustrated and don't know what can help.

UPD: I am failing even to create a Kubernetes cluster. So, the issue is at the level of the provisioner service account.

@morgante
Contributor

I'd start with adding roles until your PROVISIONING SA can execute gcloud compute regions list --project=${my-project} successfully.

@dborisenko
Author

Hey guys, I managed to solve that problem. It appeared that my provisioner dropped some roles which are required for GKE to work properly. In particular,

  • serviceAccount:service-${project-number}@compute-system.iam.gserviceaccount.com must be roles/compute.serviceAgent

  • serviceAccount:service-${project-number}@container-engine-robot.iam.gserviceaccount.com must be roles/compute.serviceAgent.

To find that out, I disabled the Kubernetes Engine service and enabled it back, and Google Cloud automatically recovered the required roles for those service accounts.
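The resolution above comes down to two Google-managed service agents needing roles/compute.serviceAgent on the project, and the 403 on compute.regions.get surfaces only indirectly when those bindings are gone. As an added example (not code from this thread or from the module being discussed), the following Python script checks an exported project IAM policy for exactly those two bindings and prints the gcloud commands that would restore any missing one, which is quicker and more auditable than disabling and re-enabling the Kubernetes Engine API. The project ID, project number and policy JSON are constructed for the example; the policy shape is what `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.

```python
"""Check a project's IAM policy for the service-agent bindings the thread
found GKE cluster creation depends on, and emit gcloud commands to restore
any that are missing.  Project ID, number and policy below are constructed."""
import json
from typing import Dict, List, Set, Tuple

# (role, member template) pairs from the thread's resolution. `{n}` is the
# numeric project number, which the service-agent e-mail addresses embed.
REQUIRED_AGENT_BINDINGS: List[Tuple[str, str]] = [
    ("roles/compute.serviceAgent",
     "serviceAccount:service-{n}@compute-system.iam.gserviceaccount.com"),
    ("roles/compute.serviceAgent",
     "serviceAccount:service-{n}@container-engine-robot.iam.gserviceaccount.com"),
]


def required_bindings(project_number: str) -> List[Tuple[str, str]]:
    """Expand the member templates for one project."""
    return [(role, member.format(n=project_number))
            for role, member in REQUIRED_AGENT_BINDINGS]


def members_by_role(policy: dict) -> Dict[str, Set[str]]:
    """Flatten bindings into role -> set(members).  Bindings that carry an IAM
    Condition are skipped: a conditional grant may not apply when the agent
    acts, so it is not counted as satisfying the requirement."""
    out: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def missing_bindings(policy: dict, project_number: str) -> List[Tuple[str, str]]:
    """Required (role, member) pairs that are absent from the policy."""
    present = members_by_role(policy)
    return [(role, member)
            for role, member in required_bindings(project_number)
            if member not in present.get(role, set())]


def remediation_commands(project_id: str,
                         missing: List[Tuple[str, str]]) -> List[str]:
    """One `gcloud projects add-iam-policy-binding` per missing pair."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member='{member}' --role='{role}'"
            for role, member in missing]


def add_binding(policy: dict, role: str, member: str) -> None:
    """Apply a binding to the in-memory policy the way gcloud does: extend the
    unconditional binding for the role if one exists, else create one."""
    for binding in policy.setdefault("bindings", []):
        if binding["role"] == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return
    policy["bindings"].append({"role": role, "members": [member]})


# Constructed sample: the Compute Engine agent still holds its role, but the
# binding for the GKE robot account was dropped (the failure mode in the thread).
SAMPLE_PROJECT_ID = "my-project"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.serviceAgent",
     "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
    {"role": "roles/container.clusterAdmin",
     "members": ["serviceAccount:provisioner@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.viewer",
     "members": ["serviceAccount:provisioner@my-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXabc123",
  "version": 1
}
""")


def main() -> None:
    missing = missing_bindings(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER)
    if not missing:
        print("all required service-agent bindings present")
        return
    for role, member in missing:
        print(f"MISSING: {member} -> {role}")
    print("To restore:")
    for cmd in remediation_commands(SAMPLE_PROJECT_ID, missing):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

For a real project, export the policy with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json` (the caller needs resourcemanager.projects.getIamPolicy), load that file in place of SAMPLE_POLICY, and take the project number from `gcloud projects describe PROJECT_ID --format='value(projectNumber)'`. The check only counts unconditional bindings, so a binding that was re-added behind an IAM Condition still shows up as missing, which is the conservative answer for a service agent.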
