This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Adding External IP to new Vertex Instance fails

Posted on 01-07-2025 06:49 AM
jpell29
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

I have a new Vertex Instance stood up to replace the EOL Notebooks. The new instance was created and is working fine. The issue that I am running into is that when I try to reserve an external IP for it and attach it to that new instance, this is the error I get:
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 7,
"message": "Required 'Current principal doesn't have permission to mutate this resource!' permission for 'perception-vertex-instance-1'"
},
"authenticationInfo": {
"principalEmail": "jpelligrino@company.com"
},
"requestMetadata": {
"callerIp": "74.98.55.124",
"callerSuppliedUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)",
"requestAttributes": {
"time": "2025-01-07T14:34:11.462021Z",
"reason": "8uSywAYQGg5Db2xpc2V1bSBGbG93cw",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.deleteAccessConfig",
"authorizationInfo": [
{
"resource": "projects/company-eng-per-vertex/zones/us-west1-b/instances/perception-vertex-instance-1",
"permission": "compute.instances.deleteAccessConfig",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/company-eng-per-vertex/zones/us-west1-b/instances/perception-vertex-instance-1",
"type": "compute.instances"
},
"permissionType": "ADMIN_WRITE"
}
],
"resourceName": "projects/company-eng-per-vertex/zones/us-west1-b/instances/perception-vertex-instance-1",
"request": {
"@type": "type.googleapis.com/compute.instances.deleteAccessConfig",
"accessConfig": "external-nat",
"networkInterface": "nic0"
},
"response": {
"@type": "type.googleapis.com/error",
"error": {
"errors": [
{
"message": "Required 'Current principal doesn't have permission to mutate this resource!' permission for 'perception-vertex-instance-1'",
"domain": "global",
"reason": "forbidden"
}
],
"code": 403,
"message": "Required 'Current principal doesn't have permission to mutate this resource!' permission for 'perception-vertex-instance-1'"
}
},
"resourceLocation": {
"currentLocations": [
"us-west1-b"
]
}
},
"insertId": "-c6wwpdekipyy",
"resource": {
"type": "gce_instance",
"labels": {
"instance_id": "2215688526347592502",
"project_id": "company-eng-per-vertex",
"zone": "us-west1-b"
}
},
"timestamp": "2025-01-07T14:34:11.341683Z",
"severity": "ERROR",
"labels": {
"compute.googleapis.com/root_trigger_id": "cd67f40d-901f-4b7b-8e39-5f913057b47e"
},
"logName": "projects/company-eng-per-vertex/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2025-01-07T14:34:11.617643431Z"
}

Have no idea what is going on, and Google appears to be just as confused. All perms appear to be set (checked via Policy Analyzer).

HELP!! lol

0 3 562
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
diannemcm
Staff
Reply posted on --/--/---- --:-- AM

Hi @jpell29,

Welcome to Google Cloud Community!

The error typically means that the account you're using lacks the necessary permissions to perform the operation on the instance or network interface. 

Verify IAM roles and Permissions:

  1. Go to IAM & Admin > IAM in Google Cloud Console.
  2. Ensure that the user account has the correct role (roles/compute.admin or another suitable role) attached in the relevant project and for the relevant resources.
  3. If you're not using the project’s owner role, verify the explicit permissions by viewing the policy bindings.

Note below permissions that should explicitly assigned to the user or service account:

  • compute.instances.setMetadata (if modifying network configurations)
  • compute.instances.updateNetworkInterface (specifically for attaching external IPs)
  • compute.instances.deleteAccessConfig (for modifying the access configuration)
  • Ensure the user has roles/compute.admin or a custom role that includes all of the above permissions.

You may also check below links for reference: 

Troubleshooting Vertex AI Workbench

Limitations of Vertex AI Workbench Instances

You can't edit the underlying VM of a Vertex AI Workbench instance by using the Google Cloud console or the Compute Engine API. To edit a Vertex AI Workbench instance's underlying VM, use the projects.locations.instances.patch method in the Notebooks API or the gcloud workbench instances update command in the Google Cloud SDK.

For more thorough investigation and detailed insights you may reach out to Google Cloud Support.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

Posted on --/--/---- --:-- AM
jpell29
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Thanks @diannemcm. From the insane amount of homework I've done with this, I dont think its even possible per a Google Rep, as well as Gemini basically saying no way since you run the risk of exposing the instance to the world. We've done this with Notebook instances, just not the instances Notebooks need to be migrated too (this is where its failing to bind).
I think we would be able to resolve internally either way, so to be safe, will more then likely go that route; but again for clarity, per every resource I have, including Gemini, you cannot assign an external IP to a Workbench instance, mainly because of security. Maybe you can, (shrug), but I have not found a way even with permissions and what not.

 

0 Likes

Posted on --/--/---- --:-- AM
rust1506
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi community,
I'm trying to specify externalIP for migrated workbench instance using projects.locations.instances.patch method(link😞

Request parameters
name
projects/{project_id}/locations/{zone}/instances/{instance_name}
updateMask
gceSetup.networkInterfaces.accessConfigs.externalIp
Request body
{
"gceSetup": {
"networkInterfaces": [
{
"network": "https://www.googleapis.com/compute/v1/projects/{Project_name}global/networks/default",
"subnet": "https://www.googleapis.com/compute/v1/projects/{Project_name}/regions/us-central1/subnetworks/defaul...",
"accessConfigs": [
{
"externalIp": "$IP"
}
]
}
]
}
}

get error
{
"error": {
"code": 400,
"message": "failing overall update because mask path \"gce_setup.network_interfaces.access_configs.external_ip\" is not supported, invalid argument",
"status": "INVALID_ARGUMENT"
}
}

1. what am I doing wrong?
2. or externalIP is a limitation after migration the workbench?
3. what options do we have to connect IDE to workbench?

thank you

0 Likes
Top Labels in this Space
Top Solution Authors
View all