Cloud container clusters create `compute.networks.get` permission error

Question

I am trying to create a cluster with GKE. I have a project I have been using already.

When I run

gcloud container clusters create cluster1

I get the following:

ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.networks.get' permission for 'projects//global/networks/default'.

The same thing happens when I use the web UI. Both my service account and my user have owner roles.

I have tried the following to get the cluster create command to work:

1. I tried adding a policy binding for the project for my existing service account:

gcloud projects add-iam-policy-binding <my-project> \
    --member serviceAccount:<my-user>@<my-project>.iam.gserviceaccount.com \
    --role  roles/compute.admin

2. I read enabling the container api service was required

gcloud services enable container.googleapis.com

3. Started over. I deleted the service account, created a new one and activated the creds with:

gcloud auth activate-service-account <my-user>@<my-project>.iam.gserviceaccount.com --key-file ${GOOGLE_APPLICATION_CREDENTIALS}

4. I also tried authenticating with my account user:

gcloud auth login

None of these work and I can't create a cluster

Answer 1

I think I will answer my own question here. From service account docs

When you create a new Cloud project using GCP Console and if Compute Engine API is enabled for your project, a Compute Engine Service account is created for you by default. It is identifiable using the email:

[email protected]

I had delete the default created service accounts somehow and possible the associated roles. I think this is why I couldn't create a cluster under my project anymore. Rather than try to figure out how to recreate, I decided it was best to just start a new project. Afterwords, the cluster create API and console work just fine.

Answer 2

Debug:

gcloud container subnets list-usable --project service-project --network-project shared-vpc-project

If you get warning in output:

WARNING: Failed to get metadata from network project. GCE_PERMISSION_DENIED: 
Google Compute Engine: Required 'compute.projects.get' permission for 
'projects/shared-vpc-project'

It means your google managed gke service account in host project doesn't exist.

To solve go to host project apis and enable Kubernetes Engine API. If it's enabled, disable it and enable again back.