Qovery / documentation

Qovery documentation website
https://docs.qovery.com
Apache License 2.0

Tutorial on https://hub.qovery.com/docs/getting-started/install-qovery/gcp/cluster-managed-by-qovery/quickstart/#attach-gcp-credentials failed #371

Closed adamzanyline closed 10 months ago

adamzanyline commented 10 months ago

Hey!

GCP cluster creation initially failed (see below). After manually enabling "Cloud Resource Manager API" (via web https://console.cloud.google.com/apis/api/cloudresourcemanager.googleapis.com/metrics?project=my-project), the creation worked!

Note: I already had some other APIs (including Kubernetes Engine API) enabled on this project.

BR, adam


Following the tutorial on https://hub.qovery.com/docs/getting-started/install-qovery/gcp/cluster-managed-by-qovery/create-credentials/

https://hub.qovery.com/docs/getting-started/install-qovery/gcp/cluster-managed-by-qovery/quickstart/#attach-gcp-credentials

Here's what went wrong:

  {
    "type": "error",
    "timestamp": "2024-01-09T16:33:47.531464250Z",
    "step": "CreateError",
    "message": {
      "safe_message": "Kubernetes cluster failure create-error"
    },
    "error": {
      "tag": "TERRAFORM_UNKNOWN_ERROR",
      "event_details": {
        "transmitter": {
          "type": "Kubernetes",
          "id": "0-0-0-0-0",
          "name": "XXXXXXXXX Qovery Playground"
        }
      },
      "user_log_message": "Unknown error while performing Terraform command (`terraform apply -lock=false -no-color -auto-approve tf_plan`), here is the error:\n\nError: Request `Create IAM Members roles/logging.logWriter serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \"anyline-xxxxxxxxx-playground\"` returned error: Batch request and retried single request \"Create IAM Members roles/logging.logWriter serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \\\"anyline-xxxxxxxxx-playground\\\"\" both failed. Final error: Error retrieving IAM policy for project \"anyline-xxxxxxxxx-playground\": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1234567891230 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developers console API activation\",\n        \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/1234567891230\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"SERVICE_DISABLED\"\n  }\n]\n, accessNotConfigured\n\n  with google_project_iam_member.cluster_service_account-log_writer[0],\n  on sa.tf line 48, in resource \"google_project_iam_member\" \"cluster_service_account-log_writer\":\n  48: resource \"google_project_iam_member\" \"cluster_service_account-log_writer\" 
{\n\n\nError: Request `Create IAM Members roles/storage.objectViewer serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \"anyline-xxxxxxxxx-playground\"` returned error: Batch request and retried single request \"Create IAM Members roles/storage.objectViewer serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \\\"anyline-xxxxxxxxx-playground\\\"\" both failed. Final error: Error retrieving IAM policy for project \"anyline-xxxxxxxxx-playground\": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1234567891230 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developers console API activation\",\n        \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/1234567891230\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"SERVICE_DISABLED\"\n  }\n]\n, accessNotConfigured\n\n  with google_project_iam_member.cluster_service_account-gcr[\"anyline-xxxxxxxxx-playground\"],\n  on sa.tf line 76, in resource \"google_project_iam_member\" \"cluster_service_account-gcr\":\n  76: resource \"google_project_iam_member\" \"cluster_service_account-gcr\" {\n\n\nError: Request `Create IAM Members roles/artifactregistry.reader 
serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \"anyline-xxxxxxxxx-playground\"` returned error: Batch request and retried single request \"Create IAM Members roles/artifactregistry.reader serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \\\"anyline-xxxxxxxxx-playground\\\"\" both failed. Final error: Error retrieving IAM policy for project \"anyline-xxxxxxxxx-playground\": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1234567891230 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developers console API activation\",\n        \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/1234567891230\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"SERVICE_DISABLED\"\n  }\n]\n, accessNotConfigured\n\n  with google_project_iam_member.cluster_service_account-artifact-registry[\"anyline-xxxxxxxxx-playground\"],\n  on sa.tf line 83, in resource \"google_project_iam_member\" \"cluster_service_account-artifact-registry\":\n  83: resource \"google_project_iam_member\" \"cluster_service_account-artifact-registry\" {\n",
      "underlying_error": {
        "message": "Unknown error while performing Terraform command (`terraform apply -lock=false -no-color -auto-approve tf_plan`), here is the error:\n\nError: Request `Create IAM Members roles/logging.logWriter serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \"anyline-xxxxxxxxx-playground\"` returned error: Batch request and retried single request \"Create IAM Members roles/logging.logWriter serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \\\"anyline-xxxxxxxxx-playground\\\"\" both failed. Final error: Error retrieving IAM policy for project \"anyline-xxxxxxxxx-playground\": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1234567891230 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developers console API activation\",\n        \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/1234567891230\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"SERVICE_DISABLED\"\n  }\n]\n, accessNotConfigured\n\n  with google_project_iam_member.cluster_service_account-log_writer[0],\n  on sa.tf line 48, in resource \"google_project_iam_member\" \"cluster_service_account-log_writer\":\n  48: resource \"google_project_iam_member\" \"cluster_service_account-log_writer\" {\n\n\nError: 
Request `Create IAM Members roles/storage.objectViewer serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \"anyline-xxxxxxxxx-playground\"` returned error: Batch request and retried single request \"Create IAM Members roles/storage.objectViewer serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \\\"anyline-xxxxxxxxx-playground\\\"\" both failed. Final error: Error retrieving IAM policy for project \"anyline-xxxxxxxxx-playground\": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1234567891230 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developers console API activation\",\n        \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/1234567891230\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"SERVICE_DISABLED\"\n  }\n]\n, accessNotConfigured\n\n  with google_project_iam_member.cluster_service_account-gcr[\"anyline-xxxxxxxxx-playground\"],\n  on sa.tf line 76, in resource \"google_project_iam_member\" \"cluster_service_account-gcr\":\n  76: resource \"google_project_iam_member\" \"cluster_service_account-gcr\" {\n\n\nError: Request `Create IAM Members roles/artifactregistry.reader 
serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \"anyline-xxxxxxxxx-playground\"` returned error: Batch request and retried single request \"Create IAM Members roles/artifactregistry.reader serviceAccount:tf-gke-qovery-z0123456-kky3@anyline-xxxxxxxxx-playground.iam.gserviceaccount.com for project \\\"anyline-xxxxxxxxx-playground\\\"\" both failed. Final error: Error retrieving IAM policy for project \"anyline-xxxxxxxxx-playground\": googleapi: Error 403: Cloud Resource Manager API has not been used in project 1234567891230 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developers console API activation\",\n        \"url\": \"https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1234567891230\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/1234567891230\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"SERVICE_DISABLED\"\n  }\n]\n, accessNotConfigured\n\n  with google_project_iam_member.cluster_service_account-artifact-registry[\"anyline-xxxxxxxxx-playground\"],\n  on sa.tf line 83, in resource \"google_project_iam_member\" \"cluster_service_account-artifact-registry\":\n  83: resource \"google_project_iam_member\" \"cluster_service_account-artifact-registry\" {\n"
      },
      "link": null,
      "hint_message": "Need Help ? Please consult our FAQ to troubleshoot your deployment https://hub.qovery.com/docs/using-qovery/troubleshoot/ and visit the forum https://discuss.qovery.com/"
    }
  }
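
Added example, not part of the original post and not Qovery's code: the event is tagged `TERRAFORM_UNKNOWN_ERROR`, but the actual cause sits in the `google.rpc.ErrorInfo` entries embedded in `user_log_message`. This sketch pulls the disabled service and the blocked IAM roles out of such an event; the function names, the shortened constructed sample and the `my-project` project ID are assumptions.

```python
import json
import re

def disabled_services(event):
    """Map each disabled API to its consumer project and the IAM roles it blocked."""
    log = event["error"]["user_log_message"]
    decoder, found = json.JSONDecoder(), {}
    # Terraform prints one "Error:" stanza per failed resource.
    for stanza in log.split("\nError: ")[1:]:
        role = re.search(r"Create IAM Members (roles/[\w.]+)", stanza)
        start = stanza.find("Details:\n[")
        if start == -1:
            continue
        try:  # decode the JSON array that follows "Details:" in the stanza
            details, _ = decoder.raw_decode(stanza, start + len("Details:\n"))
        except json.JSONDecodeError:
            continue  # truncated log, nothing reliable to report
        for item in details:
            if (item.get("@type", "").endswith("google.rpc.ErrorInfo")
                    and item.get("reason") == "SERVICE_DISABLED"):
                meta = item["metadata"]
                entry = found.setdefault(meta["service"], {"consumer": meta["consumer"], "roles": []})
                if role and role.group(1) not in entry["roles"]:
                    entry["roles"].append(role.group(1))
    return found

def enable_commands(found, project_id):
    """One `gcloud services enable` line per disabled API (project_id supplied by the caller)."""
    return [f"gcloud services enable {svc} --project={project_id}" for svc in sorted(found)]

def _stanza(role):
    # Constructed, shortened copy of one stanza from the log posted above.
    details = [
        {"@type": "type.googleapis.com/google.rpc.Help", "links": []},
        {"@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com",
         "metadata": {"consumer": "projects/1234567891230",
                      "service": "cloudresourcemanager.googleapis.com"},
         "reason": "SERVICE_DISABLED"},
    ]
    return (f"Error: Request `Create IAM Members {role} serviceAccount:...` returned error: "
            f"googleapi: Error 403\nDetails:\n{json.dumps(details, indent=2)}\n, accessNotConfigured\n\n")

SAMPLE_EVENT = {"error": {"tag": "TERRAFORM_UNKNOWN_ERROR", "user_log_message":
    "Unknown error while performing Terraform command, here is the error:\n\n" + "".join(
        _stanza(r) for r in ("roles/logging.logWriter", "roles/storage.objectViewer",
                             "roles/artifactregistry.reader"))}}

if __name__ == "__main__":
    hits = disabled_services(SAMPLE_EVENT)
    print(json.dumps(hits, indent=2), *enable_commands(hits, "my-project"), sep="\n")
```

All three failed role bindings collapse to one disabled service, so a single enable command clears every stanza in the log.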

benjaminch commented 10 months ago

Hey @adamzanyline !

Thanks for reporting :)

I pushed the documentation details a bit too late apparently, but now there is a doc on this point, let me know if you think it's enough / ok => https://hub.qovery.com/docs/getting-started/install-qovery/gcp/cluster-managed-by-qovery/initialize-your-cloud-account-to-deploy-GKE/

Cheers !

adamzanyline commented 10 months ago

Hi @benjaminch that is very helpful indeed!

Potential icing on the cake: the docs could directly link to the APIs. Assuming one is already in the correct project, these links should generally work for everyone (the parameter ?project= will be auto-applied based on the recently visited project).

BR adam

benjaminch commented 10 months ago

Let's put some icing then :) https://github.com/Qovery/documentation/pull/372