Closed maelp closed 1 year ago
The instance's credentials are provisioned using the service_account block for a google_compute_instance:
https://github.com/picatz/terraform-google-nomad/blob/64b9ad2e823877c5756611d756f521d2205a9f45/modules/vm/vm.tf#L48-L56
Both OAuth2 URLs and gcloud short names are supported. To allow full access to all Cloud APIs, use the cloud-platform scope. See a complete list of scopes here.
Note: allow_stopping_for_update must be set to true or your instance must have a desired_status of TERMINATED in order to update this field.
🤔 I do not see this error when I deploy to a personal GCP project. It might be possible that your instance does not have the required permissions.
You can start debugging this in a variety of ways, but here's a good place to get started: after getting an SSH session on any of the server instances, run the following command:
$ curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"
983639612205-compute@developer.gserviceaccount.com/
default/
☝️ 983639612205-compute@developer.gserviceaccount.com was created for this instance, and your service account is likely similar, but different. There is also default, which contains the default permissions. Continue to use curl to dig deeper:
$ curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/983639612205-compute@developer.gserviceaccount.com/scopes"
https://www.googleapis.com/auth/compute.readonly
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
Note: my http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes contains the same information as above.
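The same scope check as a script, added here as an example that is not part of the original thread or the project's code: it walks the metadata endpoints shown above and reports which required scopes each service account lacks. The function names and the scope names passed on the command line are assumptions; substitute the scopes your workload actually needs.

```shell
#!/bin/sh
# Added example (not from the thread): report which required OAuth scopes an
# instance's service accounts lack, using the metadata endpoints shown above.
MD_BASE="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts"
AUTH_PREFIX="https://www.googleapis.com/auth/"

# GET a path below the service-accounts tree (only works on a GCE instance).
md_get() {
  curl -sf --max-time 3 -H "Metadata-Flavor: Google" "$MD_BASE/$1"
}

# Expand a bare scope suffix such as "compute.readonly" to its full URL.
scope_url() {
  case "$1" in
    https://*) printf '%s\n' "$1" ;;
    *)         printf '%s%s\n' "$AUTH_PREFIX" "$1" ;;
  esac
}

# missing_scopes REQUIRED...  (granted scopes, one per line, on stdin)
# Prints each required scope that is not granted. cloud-platform allows
# access to all Cloud APIs, so nothing is reported when it is present.
missing_scopes() {
  granted=$(cat)
  if printf '%s\n' "$granted" | grep -qxF "${AUTH_PREFIX}cloud-platform"; then
    return 0
  fi
  for want in "$@"; do
    url=$(scope_url "$want")
    printf '%s\n' "$granted" | grep -qxF "$url" || printf '%s\n' "$url"
  done
}

# audit_instance REQUIRED...: check every service account on this instance.
# Returns non-zero if any account lacks a required scope.
audit_instance() {
  rc=0
  for acct in $(md_get "" | sed 's:/$::'); do
    missing=$(md_get "$acct/scopes" | missing_scopes "$@")
    if [ -n "$missing" ]; then
      printf '%s is missing:\n%s\n' "$acct" "$missing"
      rc=1
    fi
  done
  return $rc
}

# Usage on an instance: sh check-scopes.sh --audit compute.readonly
if [ "${1:-}" = "--audit" ]; then shift; audit_instance "$@"; fi
```

A scope that is present only means the token may call that API; the service account still needs an IAM role that permits the operation.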
I have this error when trying to set up the consul server, not sure how to add the required permissions?