
GCP - User ... does not have permission to access projects instance

I was using gcloud with a service account to try to figure out why my API Gateway endpoint didn't work when I ran into another problem. First I ran this: export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential/files/PROJECTNAME-hash.json. Then I ran gcloud services list --available and I got this in my terminal:

ERROR: (gcloud.services.list) User [<SERVICE ACCOUNT NAME>@<MY PROJECT NAME>.iam.gserviceaccount.com] does not have permission to access projects instance [<MY PROJECT NAME>] (or it may not exist): Permission denied to list services for consumer container [projects/<MY PROJECT ID>]
Help Token: <WHAT LOOKS LIKE AN API KEY>
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.services.list&resource=projects/<MY PROJECT NAME>
    type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: serviceusage.googleapis.com
  metadata:
    permission: serviceusage.services.list
    resource: projects/<MY PROJECT NAME>
    service: cloudresourcemanager.googleapis.com
  reason: AUTH_PERMISSION_DENIED

I believe I have the correct permissions enabled in my service account:
[screenshot: the service account's permissions in the console]

So why am I getting this error and how do I get gcloud services list --available to work with the selected service account?

ChristianOConnor asked Oct 24 '25 14:10


1 Answer

This problem seemed to stem from the fact that I needed to set the service account to have the role of serviceusage.serviceUsageViewer. In order to do that I needed to run the add-iam-policy-binding command, but this command needs to be run with an account that has owner/editor permissions on the project.

Step 1 was to switch the account in gcloud to the master Gmail account with which I signed up for GCP services.

I set my gcloud "account" to my master Gmail account with gcloud config set account <MASTER GMAIL ACCOUNT>. Then I ran:

gcloud projects add-iam-policy-binding <PROJECT ID> \
    --member "serviceAccount:<SERVICE ACCOUNT>@<PROJECT ID>.iam.gserviceaccount.com" \
    --role "roles/serviceusage.serviceUsageViewer"

That command succeeded. I set the gcloud account back to the service account with gcloud config set account <SERVICE ACCOUNT EMAIL> and then ran gcloud services list --available. This command worked this time.
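As an added example (not part of the original question or answer), a Python check over a constructed IAM policy in the JSON shape that gcloud projects get-iam-policy --format=json prints: it reports whether a member holds serviceusage.services.list through an unconditional binding, keeps conditional bindings separate because they may not apply at request time, and picks the least-privileged predefined role that grants the permission, which is why binding roles/serviceusage.serviceUsageViewer is preferable to handing the service account editor or owner. The role-to-permission table is a constructed subset, and the service account, project and owner addresses are made up.

```python
import json

# Constructed subset of Google predefined-role -> permission mappings; the real
# roles carry many more (compare `gcloud iam roles describe roles/viewer`).
ROLE_PERMISSIONS = {
    "roles/serviceusage.serviceUsageViewer": {"serviceusage.services.list",
                                              "serviceusage.services.get"},
    "roles/viewer": {"serviceusage.services.list", "resourcemanager.projects.get",
                     "resourcemanager.projects.list"},
    "roles/editor": {"serviceusage.services.list", "serviceusage.services.enable",
                     "resourcemanager.projects.get"},
    "roles/owner": {"serviceusage.services.list", "serviceusage.services.enable",
                    "resourcemanager.projects.get", "resourcemanager.projects.setIamPolicy"},
    "roles/apigateway.viewer": {"apigateway.apis.list"},
}

# Constructed policy in the shape `gcloud projects get-iam-policy --format=json`
# prints: the service account holds only an API Gateway role, so listing
# services fails with AUTH_PERMISSION_DENIED just like the error in the question.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": "roles/apigateway.viewer",
     "members": ["serviceAccount:gw-sa@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:gw-sa@my-project.iam.gserviceaccount.com"],
     "condition": {"title": "expired",
                   "expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}}
  ],
  "etag": "BwXconstructed=", "version": 3
}""")

def check_permission(policy, member, permission):
    """Return (granted, unconditional_roles, conditional_roles) for `member`.
    Conditional bindings are reported separately: whether they apply depends on
    request attributes, so they never count as a guaranteed grant."""
    granted_via, conditional = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue
        (conditional if "condition" in binding else granted_via).append(binding["role"])
    return bool(granted_via), granted_via, conditional

def least_privileged_role(permission):
    """Smallest predefined role (by permission count) that still grants `permission`."""
    candidates = [r for r, perms in ROLE_PERMISSIONS.items() if permission in perms]
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]))
```

Running check_permission against the real policy output before and after the add-iam-policy-binding step confirms the grant landed on the intended member, and least_privileged_role keeps the fix from drifting toward editor or owner.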

ChristianOConnor answered Oct 26 '25 07:10