[Help] Required 'compute.zones.list' permission

[samanthakem]

Hi,

When running the following command (see zone-printer example for more info):

kubemci create zone-printer --ingress=ingress/nginx.yaml --gcp-project=$PROJECT --kubeconfig=./zpkubeconfig

I get:

Error: Error in creating load balancer: error in creating cloud interface: unexpected response listing zones: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/$PROJECT', forbidden

Could someone help me? I have added the scopes present in https://cloud.google.com/compute/docs/reference/beta/zones/list when creating the instances and it does not seem to work.

[nikhiljindal]

How did you bring up the cluster? Is this a GKE cluster?

[nikhiljindal]

You can verify if GCE APIs are enabled in your project, by going to https://console.cloud.google.com/apis/api/compute.googleapis.com/overview?project=<project-name>.

It should show you an Enable or Disable button there depending on the current status.

[samanthakem]

@nikhiljindal thanks for the quick reply. Yes, it is a GKE cluster, I followed all the steps the document mentions. GCE APIs are enabled already in my project.

[nikhiljindal]

hmm. To ensure that your gcloud and project are configured correctly, try running gcloud compute zones list and see if it works?

fwiw, This seems like a generic cluster setup problem and not specific to kubemci. If you try creating a single cluster ingress, you should get the same error. I see a similar question was asked for GKE before, but it doesnt give any specific steps to resolve it: https://stackoverflow.com/questions/41463868/kubernetes-fails-to-create-loadbalancer-on-gce-required-compute-instances-list

Will try to see if I can find something else

[samanthakem]

@nikhiljindal I ran gcloud compute zones list and it works normally. I have created a single ingress by running kubectl create -f ingress/nginx in cluster-asia-east and it worked!

[nikhiljindal]

hmm thats surprising. This is where that error is coming from: https://github.com/kubernetes/kubernetes/blob/64ed037e685bc08da2b8a544f69f30dec2f13c39/pkg/cloudprovider/providers/gce/gce.go#L778.

I do not have any smart answer other than just ensuring that you are using the right project ID. With kubemci, are you using your gcloud default project ID (the same one as printed by gcloud config get-value project)?

[nikhiljindal]

If you are on slack and want a faster debug cycle, feel free to ping me on kubernetes.slack.com. Same handle there.

[G-Harmon]

Could it have something to do with the "beta" in this URL https://cloud.google.com/compute/docs/reference/beta/zones/list ?

[samanthakem]

@nikhiljindal I am using the right project id... ok, I will do some more research here and will reach you out there, lemme know if you find anything else too! samanthakem in k8s slack workspace.

@G-Harmon that's what I thought to be honest but still...

[madhusudancs]

I would also suggest running gcloud compute zones list --project=$PROJECT and checking if that works.

[samanthakem]

It works @madhusudancs

[madhusudancs]

That's curious. Does your kubemci invocation run in the exact same environment as your gcloud invocation? Same shell, same environment variables etc.? I am wondering if your kubemci invocation is accidentally using a different GOOGLE_APPLICATION_CREDENTIALS.

[samanthakem]

Guess what? I have two GCP accounts (work and personal) and I my environment was set with one while I was using the project that belongs to another one! :expressionless: :expressionless: :expressionless:

Thanks for your help tho, folks!

@nikhiljindal would you please close this issue? Thanks a lot!

[nikhiljindal]

Glad that you were able to find the problem @samanthakem!

Would love to get your feedback on the tool. How are you using it and what works and doesnt work as expected? Any suggestions for improvement? Thanks!