Cannot list private connections

Does anyone have the same problem as me?
I cannot list the private connection services, but I can list the allocated IP address ranges.
Below is the error with the gcloud command.

ERROR: (gcloud.services.vpc-peerings.list) User [john.doe@gm.com] does not have permission to access services instance [-] (or it may not exist): Required 'compute.networks.get' permission for 'projects/1234567890/global/networks/default'
Help Token: jashdkjashdjkashdjksa
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- subject: '120002'
type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: servicenetworking.googleapis.com
reason: COMPUTE_IO_EXTERNAL

ACCEPTED SOLUTION

1) Go to the IAM & Admin > IAM section and select the Include Google-provided role grants checkbox at the top right.

2) Verify that the default account in the format service-(project number)@service-networking.iam.gserviceaccount.com is available and the role servicenetworking.serviceAgent is assigned to it.

3) Check whether the account is missing; if it is, create the account and assign the role servicenetworking.serviceAgent.

4) Once the account is created, enable the private service connection again.
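
The check in steps 2 and 3 can also be run against the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The script below is an added example, not part of the original post; the function names, status labels and sample policies are constructed for illustration, and the full role ID `roles/servicenetworking.serviceAgent` is assumed from the role named in the answer.

```python
"""Check a project IAM policy for the Service Networking service agent grant."""
import json
import sys

ROLE = "roles/servicenetworking.serviceAgent"  # assumed full ID of the role in step 2


def agent_member(project_number):
    # Account format from step 2 of the accepted solution, as an IAM member string.
    return (f"serviceAccount:service-{project_number}"
            "@service-networking.iam.gserviceaccount.com")


def check_service_agent(policy, project_number):
    """Return (status, roles) for the agent in a parsed IAM policy."""
    member = agent_member(project_number)
    roles, deleted = set(), False
    for binding in policy.get("bindings", []):
        for m in binding.get("members", []):
            if m == member:
                roles.add(binding["role"])
            elif m.startswith(f"deleted:{member}?uid="):
                deleted = True  # stale grant for an account that was removed
    if ROLE in roles:
        return "ok", sorted(roles)
    if roles:
        return "role-missing", sorted(roles)  # agent is in the policy, lacks the role
    return ("account-deleted" if deleted else "no-grant"), []


# Constructed sample policies; 1234567890 is the project number in the error above.
NUM = "1234567890"
OWNER = {"role": "roles/owner", "members": ["user:john.doe@gm.com"]}
SAMPLES = {
    "healthy": {"bindings": [OWNER, {"role": ROLE, "members": [agent_member(NUM)]}]},
    "owner only": {"bindings": [OWNER]},
    "other role": {"bindings": [OWNER, {"role": "roles/viewer",
                                        "members": [agent_member(NUM)]}]},
    "deleted": {"bindings": [{"role": ROLE, "members": [
        f"deleted:{agent_member(NUM)}?uid=000000000000000000000"]}]},
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py policy.json PROJECT_NUMBER
        with open(sys.argv[1]) as fh:
            print(check_service_agent(json.load(fh), sys.argv[2]))
    else:
        for name, policy in SAMPLES.items():
            print(f"{name:11s}", check_service_agent(policy, NUM))
```

A `no-grant` result cannot tell a missing account from an existing account with no role, since the policy only lists members that hold a grant; both cases fall under step 3.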


5 REPLIES

Hi @martonowibowo,

Based on the error that you've shared, the service accounts in the service project that will use its resource subnetwork must be allowed. To do this, you just have to grant the necessary permissions to the service account(s) by including the 'roles/compute.networkUser' role. This role enables access to a shared VPC network.

Hi

Thanks for the reply, but I'm still facing the problem,
even though my user role is Owner and Editor and I have also attached the compute.networkUser role.

Please let me know if something is wrong with the current roles.

Thanks

Hi.

I am facing the same issue both using gcloud command and in the web UI (VPC Networks > Private Service Connections > PRIVATE CONNECTIONS TO SERVICES).

Is there anyone who has had this problem and has been able to solve it?

Hello, I would like to share some of my experience with this problem.

1. I was following this tutorial: Connect Cloud Run to Cloud SQL

2. to the point where I needed to create IP ranges and then a Private Connection to Services.

In the Console, the experiment went very well, no problems.

In the gcloud CLI, I can create the IP ranges:

gcloud compute addresses create my-vpc-private-address-range \
--global --purpose=VPC_PEERING --prefix-length=16 \
--description="peering range for Cloud SQL" --network=my-vpc
(I've created my-vpc.)
This command went well.
Then, with the command
gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com \
--ranges=my-vpc-private-address-range --network=my-vpc \
--project=my-project-id-123456
I got this error:
ERROR: (gcloud.services.vpc-peerings.connect) The operation "operations/pssn.p24-897188343044-31bb71cb-0f67-42e1-9bd9-b7e9fcdd5b0b" resulted in a failure "Allocated IP range 'my-vpc-private-address-range' not found in network.
I am guessing it is because of sync latency, and the vpc-peerings service hasn't caught up yet?
Any help would be appreciated.
And yes, I checked IAM, and service-<project-number>@.... has the right permissions as stated.