When I am trying to create a Cloud SQL instance with private IP, I get the following error message when configuring the Private Service Access:
Permission denied on resource project 822070555046. Help Token: AX4KC-gUWKiK5KFuPLH6UY4uFhqTf93FkyuzUgiagGyDq7nVWZfIDDAaaYC_PkkLIt1EFU3rfXsen1Ui7tZ_eJMTrksH06t5-12cK1WDFZXavamQ
I have the right permissions, I checked the documentation! The referenced project (822070555046) in the message does not exist under my projects (checked with gcloud projects describe 822070555046).
Any idea why I am getting this error message? A few weeks ago I was able to create PSA without any error, with the same permissions in the same project!!!
Thanks for any help!!!
Tamas
I am having exactly the same problem. There seems to be some maintenance actions going on at GCP, maybe these have some effect?
Yes maybe, this error has existed for about 2 days. Others have the same problem:
This error in Google Cloud SQL typically indicates that your user account or service account lacks the necessary permissions to perform the actions needed to create a Cloud SQL instance with Private Service Access (PSA).
Troubleshooting Steps:
Project Verification:
- gcloud commands. Use gcloud config list project to verify your gcloud configuration.
IAM Permissions:
- roles/compute.networkAdmin or at least roles/compute.networkUser for network management.
- roles/cloudsql.admin for Cloud SQL administration.
- roles/servicenetworking.connectionUser role is essential for establishing PSA connections.
API Verification:
Additional Considerations:
If the Issue Persists (Requesting Further Assistance):
To get more targeted help, please provide the following:
If all else fails, seek assistance from Google Cloud Support.
Thank you for the detailed explanation and troubleshooting steps, but the problem is not solved 😞
When I use Cloud console to create PSA I get this message:
This project in the message does not exist, here are my projects with gcloud projects list:
With terraform I get the same error message, here is the code snippet:
I use Cloud Foundation Fabric modules in these snippets.
The error message when using Terraform:
As I mentioned, I have already deployed this project with Terraform with the same roles and everything went well. Have no idea why I get this error.
Thanks for further help!
Tamas
Based on the details and your previous troubleshooting, here's the plan you might want to follow:
Resource Manager API:
Project Linkage and Quotas:
Cross-Project Considerations:
Terraform State & Service Account:
- terraform refresh: Run this to ensure your Terraform state is in sync with Google Cloud's reality.
- Explicit Network User Role: roles/compute.networkUser to the service account on the relevant network can resolve subtle permission hiccups.
Support & Community Engagement:
Additional Thoughts:
- TF_LOG environment variable and detailed Google Cloud logs often reveal clues.

Thanks for the troubleshooting steps again. I followed your instructions and checked everything you mentioned. The issue is still not solved, BUT I have created a new project where I was able to set up a PSA without any problem! So more or less the issue is solved, but I still have no idea what caused the problem. This is a side-project without organization and using the free trial usage. Maybe it has some limitations, although the limits and quotas are not reached!
Thanks again for your help! Your troubleshooting steps were very useful and instructive!
Tamas
@lakatostomi was it solved? If so, do we know exactly what helped to solve it?
Or as per reddit post - was it solved by not changing anything and it was solved from Google end?
I could solve the issue only by creating a new project and a new deployment as I posted to Reddit!
I do not know the exact reason why PSA works in a new project and fails in the old one.
We got an answer from GCP support:
“we are seeing this issue not due to a permission aspect, but due to the fact that the resources associated with the tenant project 1234567890 have been removed previously. When there are no resources such as a servicenetworking PSA connector, the tenant project is not populated and automatically marked for deletion. This is the reason for which we are seeing this following message:
Permission denied on resource project 1234567890. Help Token: AX4KC-iDTcdGoCHgq--qFVhQ5FvMFgL2PmuYV
Therefore, in regards to unlocking this we have two options - wait for the resources to be automatically cleared or issue a request to restore the currently marked for deletion 104096410161 project.”
Great information! Thanks for sharing!
This error appeared in my project that has been stable and working fine for many years. Waiting for 24 hours has not fixed the issue.
Thanks for posting Google Support reply @end. Unfortunately their reply does not seem actionable.
How do we fix our broken projects?
What error message are you getting?
Hi @BartPudlo , the error occurs when I try to create a Private Service Connection to my VPC.
This is the error message:
"Error waiting for Create Service Networking Connection: Error code 7, message: Permission denied on resource project 01234567890123."
Things to note:
- project 01234567890123 is not owned by me. I cannot see it or change permissions in it.
- this same configuration previously worked fine for years.
- several other people had this issue start happening in the last week. There are several GCP support forum posts and Reddit posts with the same error message about missing permissions in a project they don't control
Other posters worked around the issue by abandoning their GCP project and creating a new GCP project. This workaround is not an option for me.
Update: resolved the issue by changing the name of the VPC I was trying to create and deploy.
In terraform resource "google_compute_network" I changed the 'name' element by one character.
And now resource "google_service_networking_connection" applies onto that VPC with no problem.
It seems something with the VPC name conflicted in the backend. Maybe I deleted a VPC with that same name a few years ago?
Got it! Happy to hear that now it is solved.
I will try to investigate it deeper to see what might be causing this issue.
Thanks!
We're also hitting this issue.
In our case we've also destroyed the VPC in the past and created a new one and are hitting this issue... We've done this many times in the past without issues, this is a new issue.
It's not really a permanent solution, but to confirm I also tried changing the name of the VPC that I'm using and it indeed resolves the issue.
Which to me sounds like a bug, especially considering this used to work fine!
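
The rename workaround reported in the posts above, written out as an added Terraform example that is not taken from any poster's configuration. The variable vpc_name, its sample value, the resource labels and the /16 range size are assumptions; only the two resource types google_compute_network and google_service_networking_connection are named in the thread.

```hcl
# Added example; names and sizes below are assumptions, not values from the thread.
variable "vpc_name" {
  type        = string
  description = "VPC name. The posters changed it by one character from the name that failed."
  default     = "example-vpc-2" # constructed; e.g. the failing name was "example-vpc-1"
}

resource "google_compute_network" "vpc" {
  # name cannot be updated in place: changing it makes Terraform destroy and
  # recreate the network, so everything attached to the old VPC is affected.
  name                    = var.vpc_name
  auto_create_subnetworks = false
}

# Internal range reserved for the service producer's side of the peering.
resource "google_compute_global_address" "psa_range" {
  name          = "${var.vpc_name}-psa-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16 # assumed size
  network       = google_compute_network.vpc.id
}

# The resource that returned "Permission denied on resource project ..." in the thread.
resource "google_service_networking_connection" "psa" {
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.psa_range.name]
}
```

Run terraform plan before applying and check which resources the rename would replace.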