picatz / terraform-google-nomad

📗 Terraform Module for Nomad clusters with Consul on GCP
https://registry.terraform.io/modules/picatz/nomad/google
MIT License

Permission error when setting up a server #56

Closed maelp closed 1 year ago

maelp commented 1 year ago

I have this error when trying to set up the Consul server; not sure how to add the required permissions?

Cannot discover address: cluster=LAN address="provider=gce project_name=<project>  tag_value=server" error="discover-gce: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/<project-name>'"
picatz commented 1 year ago

The instance's credentials are provisioned using the service_account block for a google_compute_instance: https://github.com/picatz/terraform-google-nomad/blob/64b9ad2e823877c5756611d756f521d2205a9f45/modules/vm/vm.tf#L48-L56

Both OAuth2 URLs and gcloud short names are supported. To allow full access to all Cloud APIs, use the cloud-platform scope. See a complete list of scopes here.

Note: allow_stopping_for_update must be set to true or your instance must have a desired_status of TERMINATED in order to update this field.

🤔 I do not see this error when I deploy to a personal GCP project. It might be possible that your instance does not have the required permissions.

You can start debugging this in a variety of ways, but here's a good place to get started: after getting an SSH session on any of the server instances, run the following command:

$  curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"
983639612205-compute@developer.gserviceaccount.com/
default/

☝️ 983639612205-compute@developer.gserviceaccount.com was created for this instance, and your service account is likely similar, but different. There is also default, which contains the default permissions. Continue to use curl to dig deeper:

$ curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/983639612205-compute@developer.gserviceaccount.com/scopes"
https://www.googleapis.com/auth/compute.readonly
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write

Note: my http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes contains the same information as above.
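The curl commands above read the instance's attached service account and its OAuth scopes from the metadata server. A 403 that names an IAM permission (here compute.zones.list) can only be cleared when both halves line up: the instance's scopes must cover the Compute API, and the service account itself must hold a role that grants the permission. The script below is an added example, not code from this issue or from the terraform-google-nomad module; it wraps the same metadata query in a check for a Compute-capable scope (the full OAuth2 URLs or the gcloud short names, as the Terraform docs quoted above allow) and runs that check against constructed sample scope lists so it can be tried off-instance. Function names, the COMPUTE_SCOPES list and the sample inputs are my own assumptions; fetch_scopes is the only part that needs curl and the metadata server.

```shell
#!/bin/sh
# Added example (not from the issue or the module): checks whether a GCE
# instance's service-account scope list covers the Compute API, which
# Consul's "provider=gce" auto-join needs in addition to the IAM permission
# compute.zones.list. Assumes POSIX sh, curl and, for fetch_scopes only,
# the metadata server at http://metadata.google.internal.

# Scopes that cover read access to the Compute API. Both the OAuth2 URLs
# and the gcloud short names are accepted, as the Terraform docs note.
COMPUTE_SCOPES="https://www.googleapis.com/auth/compute.readonly
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/cloud-platform
compute-ro
compute-rw
cloud-platform"

# has_compute_scope SCOPE_LIST: SCOPE_LIST is newline-separated, as the
# metadata server returns it. Prints the first matching scope and returns 0
# when one of COMPUTE_SCOPES is present; returns 1 when none is.
has_compute_scope() {
    _list="$1"
    for _want in $COMPUTE_SCOPES; do
        if printf '%s\n' "$_list" | grep -qxF "$_want"; then
            printf '%s\n' "$_want"
            return 0
        fi
    done
    return 1
}

# fetch_scopes [ACCOUNT]: reads the scope list for ACCOUNT (default:
# "default") from the metadata server, exactly as the curl in the issue does.
fetch_scopes() {
    _acct="${1:-default}"
    curl -sf -H "Metadata-Flavor: Google" \
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${_acct}/scopes"
}

# check_instance [ACCOUNT]: end-to-end check meant to be run on the server.
# Returns 0 when a Compute scope is present, 1 when not, 2 when the
# metadata server cannot be reached (i.e. not running on a GCE instance).
check_instance() {
    _scopes="$(fetch_scopes "${1:-default}")" || {
        echo "metadata server unreachable; run this on the GCE instance"
        return 2
    }
    if _hit="$(has_compute_scope "$_scopes")"; then
        echo "scope OK ($_hit); a remaining 403 points at the service account's IAM role"
    else
        echo "no Compute API scope on this service account"
        return 1
    fi
}

# Constructed sample inputs (not captured from a real instance): the first
# mirrors the four scopes shown in the issue, the second lacks any Compute
# scope.
SAMPLE_OK="https://www.googleapis.com/auth/compute.readonly
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"

SAMPLE_MISSING="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"

# Set RUN_CHECK=1 to query the live metadata server instead of the samples.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_instance
else
    has_compute_scope "$SAMPLE_OK" && echo "sample OK list: compute scope present"
    has_compute_scope "$SAMPLE_MISSING" || echo "sample MISSING list: no compute scope"
fi
```

A passing scope check only rules out the first half of the problem. The other half is the IAM binding, which the metadata server does not expose; from a workstation with project access it can be listed with `gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" --filter="bindings.members:serviceAccount:SA_EMAIL" --format="table(bindings.role)"`, where the roles shown must include one that grants compute.zones.list (for example roles/compute.viewer).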