missing role serviceusage.serviceUsageConsumer

Hello Team,

I am creating a baremetal cluster, wherein I created the config as below

bmctl create config -c bm-cluster-demo --enable-apis --create-service-accounts --project-id=anthos-151023

After updating the env-specific values in the yaml and while creating the cluster, I am getting an error related to a missing role. I tried adding this role to my account; it didn't work and I am still getting the same error.

bmctl create cluster -c bm-cluster-demo

======

..........
I1017 13:58:26.377951    2058 validate.go:125] Validating Cluster.Authentication authentication: <nil>
I1017 13:58:26.378102    2058 file_check.go:19] [Runtime Check] Start Check for file --gcrKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-gcr.json.
I1017 13:58:26.403708    2058 file_check.go:23] [Runtime Check] End Check for file --gcrKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-gcr.json.
I1017 13:58:26.403792    2058 file_check.go:19] [Runtime Check] Start Check for file --gkeConnectAgentServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-connect.json.
I1017 13:58:26.403847    2058 file_check.go:23] [Runtime Check] End Check for file --gkeConnectAgentServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-connect.json.
I1017 13:58:26.403865    2058 file_check.go:19] [Runtime Check] Start Check for file --gkeConnectRegisterServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-register.json.
I1017 13:58:26.403890    2058 file_check.go:23] [Runtime Check] End Check for file --gkeConnectRegisterServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-register.json.
I1017 13:58:26.403921    2058 file_check.go:19] [Runtime Check] Start Check for file --cloudOperationsServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-cloud-ops.json.
I1017 13:58:26.403946    2058 file_check.go:23] [Runtime Check] End Check for file --cloudOperationsServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-cloud-ops.json.
.........
I1017 13:58:27.852739    2058 service_account.go:68] [Runtime Check] Start: Check for service account projects/anthos-151023/serviceAccounts/anthos-baremetal-register@anthos-151023.iam.gserviceaccount.com
I1017 13:58:29.365819    2058 service_account.go:68] [Runtime Check] Start: Check for service account projects/anthos-151023/serviceAccounts/anthos-baremetal-cloud-ops@anthos-151023.iam.gserviceaccount.com
...........
E1017 13:58:32.894997    2058 create_cluster.go:134]  "msg"="Failed to bootstrap." "error"="create kind cluster failed: error validating cluster config: 2 errors occurred:\n\t* GKERegister check failed: 1 error occurred:\n\t* googleapi: Error 403: Caller does not have required permission to use project anthos-151023. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023 and then retry. Propagation of the new permission may take a few minutes.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developer console IAM admin\",\n        \"url\": \"https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/anthos-151023\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"USER_PROJECT_DENIED\"\n  }\n]\n, forbidden\n\n\n\t* ClusterOperations check failed: googleapi: Error 403: Caller does not have required permission to use project anthos-151023. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023 and then retry. 
Propagation of the new permission may take a few minutes.\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.Help\",\n    \"links\": [\n      {\n        \"description\": \"Google developer console IAM admin\",\n        \"url\": \"https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023\"\n      }\n    ]\n  },\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"googleapis.com\",\n    \"metadata\": {\n      \"consumer\": \"projects/anthos-151023\",\n      \"service\": \"cloudresourcemanager.googleapis.com\"\n    },\n    \"reason\": \"USER_PROJECT_DENIED\"\n  }\n]\n, forbidden\n\n"  
E1017 13:58:32.922975    2058 console.go:110] exit with error 
E1017 13:58:32.923057    2058 console.go:110] Error creating cluster: create kind cluster failed: error validating cluster config: 2 errors occurred:
* GKERegister check failed: 1 error occurred:
* googleapi: Error 403: Caller does not have required permission to use project anthos-151023. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023 and then retry. Propagation of the new permission may take a few minutes.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developer console IAM admin",
        "url": "https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/anthos-151023",
      "service": "cloudresourcemanager.googleapis.com"
    },
    "reason": "USER_PROJECT_DENIED"
  }
]
, forbidden
 
 
* ClusterOperations check failed: googleapi: Error 403: Caller does not have required permission to use project anthos-151023. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023 and then retry. Propagation of the new permission may take a few minutes.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developer console IAM admin",
        "url": "https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/anthos-151023",
      "service": "cloudresourcemanager.googleapis.com"
    },
    "reason": "USER_PROJECT_DENIED"
  }
]
, forbidden
1 ACCEPTED SOLUTION

There was another issue when the config was being created from a VM instance. Had to do the login as below from the admin workstation VM:

gcloud auth login user@domain.com
gcloud auth application-default login

PS: Thanks to the author of https://cloudsolutions.academy/how-to/anthos-in-a-nutshell/anthos-clusters-on-bare-metal/installing-...


3 REPLIES

Hi @madhu_yadav,

Welcome to the Google Cloud Community!

In your post, you mentioned that:


@madhu_yadav wrote:

I tried adding this role to my account; it didn't work and I am still getting the same error.


Have you added the roles with the serviceusage.serviceUsageConsumer or serviceusage.services.use permissions to the service accounts? Please attach a screenshot of this (blur out any personal details).

You can attach roles to a service account and to a user, but if you are missing a role, you may be denied access to the service.

If both the user and service accounts have the necessary permissions, this might be an issue with Workload Identity.

If the above options don't work, you can contact Google Cloud Support to further look into your case. Thank you!

Best, 
Lawrence

 

Works fine after adding the 'Service Consumer Usage' role to 3 of the service accounts, as in the attached screenshot.

[attached screenshot: madhuyadav_0-1697809162631.png]
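The fix above amounts to making sure each service account that bmctl uses holds roles/serviceusage.serviceUsageConsumer on the project. The following script is an added example, not code from the thread or from bmctl: it compares the members that currently hold that role (as returned by gcloud) against the four service accounts whose key files appear in the log, and prints the grant commands for any that are missing. The account names are assumed from the key-file names in the log (anthos-baremetal-gcr/-connect/-register/-cloud-ops); the live gcloud call needs the caller to have already run `gcloud auth login`, as in the accepted solution.

```shell
#!/bin/sh
# Added example (not from the original thread or from bmctl).
# Checks which of the bmctl-created service accounts lack
# roles/serviceusage.serviceUsageConsumer on the project and prints
# (does not run) the gcloud commands that would grant it.

ROLE="roles/serviceusage.serviceUsageConsumer"
# Assumed from the key-file names in the log; adjust if your bmctl
# version names the accounts differently.
SA_NAMES="anthos-baremetal-gcr anthos-baremetal-connect anthos-baremetal-register anthos-baremetal-cloud-ops"

# Usage: missing_members PROJECT_ID < members.txt
# stdin: one IAM member per line (e.g. serviceAccount:x@p.iam.gserviceaccount.com)
# that currently holds $ROLE. Prints the expected service-account emails
# that are NOT in that list, one per line.
missing_members() {
  project="$1"
  have=$(cat)
  for name in $SA_NAMES; do
    email="${name}@${project}.iam.gserviceaccount.com"
    if ! printf '%s\n' "$have" | grep -qx "serviceAccount:${email}"; then
      printf '%s\n' "$email"
    fi
  done
}

# Usage: grant_commands PROJECT_ID < missing-emails.txt
# Prints one add-iam-policy-binding command per missing account so an
# operator can review the exact grants before applying them.
grant_commands() {
  project="$1"
  while IFS= read -r email; do
    [ -n "$email" ] || continue
    printf 'gcloud projects add-iam-policy-binding %s --member="serviceAccount:%s" --role="%s"\n' \
      "$project" "$email" "$ROLE"
  done
}

# Live run (needs gcloud and an authenticated caller):
#   PROJECT=anthos-151023
#   gcloud projects get-iam-policy "$PROJECT" \
#     --flatten="bindings[].members" \
#     --filter="bindings.role:$ROLE" \
#     --format="value(bindings.members)" \
#   | missing_members "$PROJECT" | grant_commands "$PROJECT"
```

Run the printed commands only after confirming the list; the permission can take a few minutes to propagate, as the 403 message itself notes.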

 

