search

skyplane-project / skyplane

🔥 Blazing fast bulk data transfers between any cloud 🔥
https://skyplane.org
Apache License 2.0
1.09k stars 62 forks source link

[bug] fail to init on GCP #875

Open lhqing opened 1 year ago

lhqing commented 1 year ago

Describe the bug I try to init skyplane on GCP, but failed due to setIamPolicy failure

To Reproduce

$ skyplane init

(1) Configuring AWS:
    Do you want to configure AWS support in Skyplane? [Y/n]: n
    Disabling AWS support

(2) Configuring Azure:
    Do you want to configure Azure support in Skyplane? [Y/n]: n
    Disabling Azure support

(3) Configuring GCP:
    Do you want to configure GCP support in Skyplane? [Y/n]: Y
    GCP region config missing! GCP will be reconfigured.
    GCP credentials found in GCP CLI
    GCP credentials found, do you want to enable GCP support in Skyplane? [Y/n]: Y
    Enter the GCP project ID [ecker-bican]:
    Using GCP service account skyplane-manual
    Error saving GCP region config
    <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects/ecker-bican:setIamPolicy?alt=json returned "Policy update access denied.". Details: "Policy update access denied.">
Traceback (most recent call last):
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/cli/cli_impl/init.py", line 260, in load_gcp_config
    auth.save_region_config()
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/utils/imports.py", line 33, in wrapped
    return fn(*modules_imported, *args, **kwargs)
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/compute/gcp/gcp_auth.py", line 32, in save_region_config
    service_account_credentials_file = self.service_account_credentials  # force creation of file
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/compute/gcp/gcp_auth.py", line 68, in service_account_credentials
    self._service_account_email = self.create_service_account(self.service_account_name)
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/compute/gcp/gcp_auth.py", line 179, in create_service_account
    return retry_backoff(read_modify_write)  # retry loop needed for concurrent policy modifications
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/utils/retry.py", line 30, in retry_backoff
    raise e
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/utils/retry.py", line 27, in retry_backoff
    return fn()
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/skyplane/compute/gcp/gcp_auth.py", line 176, in read_modify_write
    service.projects().setIamPolicy(resource=self.project_id, body={"policy": policy}).execute()
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/Users/hanqingliu/mambaforge/lib/python3.10/site-packages/googleapiclient/http.py", line 938, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://cloudresourcemanager.googleapis.com/v1/projects/ecker-bican:setIamPolicy?alt=json returned "Policy update access denied.". Details: "Policy update access denied.">

    Disabling Google Cloud support

Config file saved to /Users/hanqingliu/.skyplane/config
To disable performance logging info:
https://skyplane.org/en/latest/performance_stats_collection.html

Environment info (please complete the following information):

Additional context We have an institution cloud admin who helps creating projects. My account probably doesn't have permission to set IAMs for skyplane service account.

Thanks!

sarahwooders commented 1 year ago

Hi @lhqing - thanks for posting this! Do you have any other service accounts with permissions to access cloud object stores that you can get a key file for? Unfortunately we need service account credentials to access the Google Cloud Storage APIs.