Google Compute Engine: Required 'compute.zones.get' permission error

Submitted by 孤人 on 2019-12-07 03:39:59

Question


I am trying to create a Kubernetes cluster in Google Cloud Platform and I receive the following error when I try to create the cluster from the Web app:

An unknown error has occurred in Compute Engine: "EXTERNAL: Google Compute Engine: Required 'compute.zones.get' permission for 'projects/my-project-198766/zones/us-west1-a'". Error code: "18"

When I use gcloud I receive this response:

(gcloud.container.clusters.create) ResponseError: code=403, message=Google Compute Engine: Required 'compute.zones.get' permission for 'projects/my-project-198766/zones/us-west1-a'

Please note that I have the Owner role and I can create VM instances without any issues.

Any ideas?


Answer 1:


This sort of issue might arise if somehow your cloudservices robot gets removed as a project editor. My best guess is that in your case this is the issue.

This might happen due to an API call to SetIamPolicy that is missing the cloudservices robot from the "roles/editor" bindings. SetIamPolicy is a straight PUT; it will override the policy with whatever is provided in the request. You can get the list of IAM policies for your project with the command below, as given in this article.

gcloud projects get-iam-policy [project-id]

From the list, you can check whether the service account below has the editor permission or not.

[id]@cloudservices.gserviceaccount.com

To fix the issue, you can grant the mentioned service account "Editor" permission and check whether that solves the issue or not.

Hope this helps.
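
The check described in the answer above, as an added example that is not part of the original answer: it looks for the cloudservices robot in the "roles/editor" binding of a policy dump and builds a corrected policy that keeps every existing binding and the etag, since SetIamPolicy replaces whatever is not resubmitted. The sample policy, the project number and the user are constructed, and `[id]` is assumed to be the project number.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`
# output; the project number 123456789012 and the user are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


def robot_member(project_number):
    """Member string for the cloudservices robot ([id] assumed = project number)."""
    return f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"


def has_role(policy, role, member):
    """True if `member` appears in any binding for `role`."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def with_member(policy, role, member):
    """Return a copy of `policy` with `member` added to `role`.

    SetIamPolicy replaces the whole policy, so every existing binding and
    the etag are carried over; only the one member is added.
    """
    new = json.loads(json.dumps(policy))  # deep copy, original stays untouched
    for b in new.setdefault("bindings", []):
        if b.get("role") == role:
            if member not in b.setdefault("members", []):
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


if __name__ == "__main__":
    robot = robot_member("123456789012")
    print("robot is editor:", has_role(SAMPLE_POLICY, "roles/editor", robot))
    print(json.dumps(with_member(SAMPLE_POLICY, "roles/editor", robot), indent=2))
```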




Answer 2:


In my case I deleted the service accounts / IAMs or whatever and that very same error message popped up when I tried to create a Kubernetes cluster.

I asked Google to recreate my service accounts, and they mentioned that you can recreate service accounts and their permissions simply by enabling them again. So, in my case I ran the following two commands in order to make Kubernetes work again:

gcloud services enable compute
gcloud services enable container

Here is the link they gave me: https://issuetracker.google.com/64671745#comment2




Answer 3:


I think I got it. I tried to follow the advice from GitHub. The permissions I needed to set on my account (called blahblah-compute@developer.gserviceaccount.com) were:

roles/compute.instanceAdmin
roles/editor
roles/iam.serviceAccountUser

The last one seemed to be crucial.



Source: https://stackoverflow.com/questions/48232189/google-compute-engine-required-compute-zones-get-permission-error
