GoogleCloudPlatform / gcpdiag

gcpdiag is a command-line diagnostics tool for GCP customers.
https://gcpdiag.dev/
Apache License 2.0

`--billing-project` argument not working anymore since 0.59 #58

Closed eyalzek closed 1 year ago

eyalzek commented 1 year ago

I run `gcpdiag lint` by setting the `--billing-project`:

```
$ gcpdiag lint --billing-project <PROJECT_WITH_BILLING_ENABLED> --project <SERVICE_PROJECT>
```

This worked well up until v0.58, but is currently broken with v0.59:

```
$ ./gcpdiag lint --billing-project <PROJECT_WITH_BILLING_ENABLED> --project <SERVICE_PROJECT>
WARNING:googleapiclient.http:Encountered 403 Forbidden with reason "PERMISSION_DENIED"
Traceback (most recent call last):
  File "/opt/gcpdiag/bin/gcpdiag", line 70, in <module>
    main(sys.argv)
  File "/opt/gcpdiag/bin/gcpdiag", line 43, in main
    lint_command.run(argv)
  File "/opt/gcpdiag/gcpdiag/lint/command.py", line 232, in run
    project = crm.get_project(args.project)
  File "/opt/gcpdiag/gcpdiag/caching.py", line 155, in _cached_api_call_wrapper
    result = func(*args, **kwargs)
  File "/opt/gcpdiag/gcpdiag/queries/crm.py", line 77, in get_project
    response = request.execute(num_retries=config.API_RETRIES)
  File "/opt/gcpdiag/.venv/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/opt/gcpdiag/.venv/lib/python3.9/site-packages/googleapiclient/http.py", line 938, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v3/projects/<SERVICE_PROJECT>?alt=json returned "Caller does not have required permission to use project <SERVICE_PROJECT>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<SERVICE_PROJECT> and then retry. Propagation of the new permission may take a few minutes.". Details: "[{'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developer console IAM admin', 'url': 'https://console.developers.google.com/iam-admin/iam/project?project=<SERVICE_PROJECT>'}]}, {'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'USER_PROJECT_DENIED', 'domain': 'googleapis.com', 'metadata': {'service': 'cloudresourcemanager.googleapis.com', 'consumer': 'projects/<SERVICE_PROJECT>'}}]">
```

As you can see, it tries to use `<SERVICE_PROJECT>` as the billing project even though I explicitly set it to another one. For now I'm using 0.58 again and it works as expected.
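
One way to confirm the reading of the error given in the report above, as an added example that is not part of the original issue or of gcpdiag's code: it parses the `Details` list out of the `HttpError` text and compares the `consumer` project in the `ErrorInfo` entry with the project passed to `--billing-project`. The function names, status strings and project IDs (`svc-proj`, `billing-proj`) are assumptions made for illustration.

```python
import ast
import re

# Constructed sample modelled on the HttpError text in the report; the project
# IDs "svc-proj" and "billing-proj" are placeholders, not values from the issue.
SAMPLE_ERROR = (
    '<HttpError 403 when requesting '
    'https://cloudresourcemanager.googleapis.com/v3/projects/svc-proj?alt=json '
    'returned "Caller does not have required permission to use project svc-proj.". '
    "Details: \"[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', "
    "'reason': 'USER_PROJECT_DENIED', 'domain': 'googleapis.com', "
    "'metadata': {'service': 'cloudresourcemanager.googleapis.com', "
    "'consumer': 'projects/svc-proj'}}]\">"
)

# The details are printed as a Python list literal inside double quotes.
DETAILS_RE = re.compile(r'Details: "(\[.*\])"', re.DOTALL)


def error_info(error_text):
    """Return the google.rpc.ErrorInfo dict embedded in the error text, or None."""
    match = DETAILS_RE.search(error_text)
    if not match:
        return None
    try:
        details = ast.literal_eval(match.group(1))  # literals only, never eval()
    except (ValueError, SyntaxError):
        return None
    if not isinstance(details, list):
        return None
    for item in details:
        if isinstance(item, dict) and str(item.get("@type", "")).endswith("google.rpc.ErrorInfo"):
            return item
    return None


def check_quota_project(error_text, billing_project):
    """Compare the consumer project named in the error with the intended billing project."""
    info = error_info(error_text)
    if info is None or info.get("reason") != "USER_PROJECT_DENIED":
        return {"status": "not-applicable", "consumer": None}
    consumer = str(info.get("metadata", {}).get("consumer", ""))
    project = consumer.split("/", 1)[-1]  # "projects/<id>" -> "<id>"
    if project == billing_project:
        # The request did use the billing project; the caller lacks permission on it.
        return {"status": "denied-on-billing-project", "consumer": project}
    # The request was attributed to a different project than the one requested.
    return {"status": "billing-project-ignored", "consumer": project}
```

A `billing-project-ignored` result matches the behaviour described in the report; `denied-on-billing-project` would instead point at missing `serviceusage.services.use` on the billing project itself.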

schweikert commented 1 year ago

Hi Eyal, thanks for reporting this. I think that I found the bug and a fix is in review which should get merged soon.