Help, new deployments not possible

Hey,

Looks like I have destroyed some permissions. I have already tried to recover it with undelete, but that was not successful:

{
  "ResourceType": "compute.v1.instance",
  "ResourceErrorCode": "403",
  "ResourceErrorMessage": {
    "code": 403,
    "errors": [
      {"domain": "global", "message": "Required 'compute.instances.create' permission for 'projects/XYZ-308006/zones/europe-west1-c/instances/openlitespeed-wordpress-1-vm'", "reason": "forbidden"},
      {"domain": "global", "message": "Required 'compute.disks.create' permission for 'projects/XYZ-308006/zones/europe-west1-c/disks/openlitespeed-wordpress-1-vm'", "reason": "forbidden"},
      {"domain": "global", "message": "Required 'compute.subnetworks.use' permission for 'projects/XYZ-308006/regions/europe-west1/subnetworks/default'", "reason": "forbidden"},
      {"domain": "global", "message": "Required 'compute.subnetworks.useExternalIp' permission for 'projects/XYZ-308006/regions/europe-west1/subnetworks/default'", "reason": "forbidden"},
      {"domain": "global", "message": "Required 'compute.instances.setMetadata' permission for 'projects/XYZ-308006/zones/europe-west1-c/instances/openlitespeed-wordpress-1-vm'", "reason": "forbidden"},
      {"domain": "global", "message": "Required 'compute.instances.setTags' permission for 'projects/XYZ-308006/zones/europe-west1-c/instances/openlitespeed-wordpress-1-vm'", "reason": "forbidden"},
      {"domain": "global", "message": "Required 'compute.instances.setServiceAccount' permission for 'projects/XYZ-308006/zones/europe-west1-c/instances/openlitespeed-wordpress-1-vm'", "reason": "forbidden"}
    ],
    "message": "Required 'compute.instances.create' permission for 'projects/XYZ-308006/zones/europe-west1-c/instances/openlitespeed-wordpress-1-vm'",
    "statusMessage": "Forbidden",
    "requestPath": "https://compute.googleapis.com/compute/v1/projects/XYZ-308006/zones/europe-west1-c/instances",
    "httpMethod": "POST",
    "suggestion": "Consider granting permissions to XYZ@cloudservices.gserviceaccount.com"
  }
}

Can someone tell me what I have destroyed?

From the logs you have provided, it looks like the Google APIs Service Agent has been affected.

> Apart from the default service account, all projects enabled with Compute Engine come with a Google APIs Service Agent, identifiable using the email:
>
> PROJECT_NUMBER@cloudservices.gserviceaccount.com
>
> This service account is designed specifically to run internal Google processes on your behalf. The account is owned by Google and is not listed in the Service Accounts section of Google Cloud console. By default, the account is automatically granted the project editor role on the project and is listed in the IAM section of Google Cloud console.
>
> Certain resources rely on this service account and the default editor permissions granted to the service account. For example, managed instance groups and autoscaling uses the credentials of this account to create, delete, and manage instances. If you revoke permissions to the service account, or modify the permissions in such a way that it does not grant permissions to create instances, this will cause managed instance groups and autoscaling to stop working.
>
> For these reasons, you should not modify this service account's roles unless a role recommendation explicitly suggests that you modify them.

As shown in this Stack Overflow question, you could resolve your issue by running the following command in Cloud Console:

gcloud projects add-iam-policy-binding <PROJECT_ID> \
  --member serviceAccount:<PROJECT_NUMBER>@cloudservices.gserviceaccount.com \
  --role roles/editor

  • <PROJECT_NUMBER>: a 12-digit number, may be obtained from the output of gcloud projects list, or, in case your project list is really uncomfortably long, from the string <PROJECT_ID> with gcloud projects describe <PROJECT_ID> --format='get(projectNumber)'.
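
An added example, not part of the original thread or of any Google tooling: before re-granting a role, this script reads a deployment error of the shape posted above together with a saved project IAM policy and reports which permissions were refused and which roles the suggested Google APIs Service Agent currently holds. The sample error, the sample policy, the project number 123456789012 and all function names are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of the 403 error posted above (shortened).
SAMPLE_ERROR = json.loads("""
{"ResourceType": "compute.v1.instance", "ResourceErrorCode": "403",
 "ResourceErrorMessage": {"code": 403, "errors": [
   {"domain": "global", "reason": "forbidden", "message":
    "Required 'compute.instances.create' permission for 'projects/example/zones/europe-west1-c/instances/vm-1'"},
   {"domain": "global", "reason": "forbidden", "message":
    "Required 'compute.disks.create' permission for 'projects/example/zones/europe-west1-c/disks/vm-1'"}],
  "suggestion": "Consider granting permissions to 123456789012@cloudservices.gserviceaccount.com"}}
""")

# Constructed policy, shaped like `gcloud projects get-iam-policy <PROJECT_ID> --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/compute.serviceAgent",
     "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
]}

# Accept straight or typographic quotes, since forum software often rewrites them.
REQUIRED = re.compile(r"Required ['‘]([\w.]+)['’] permission for ['‘]([^'’]+)['’]")
AGENT = re.compile(r"[\w.-]+@cloudservices\.gserviceaccount\.com")

def missing_permissions(error):
    """Return sorted (permission, resource) pairs named in the 403 error list."""
    found = set()
    for item in error["ResourceErrorMessage"].get("errors", []):
        found.update(REQUIRED.findall(item.get("message", "")))
    return sorted(found)

def suggested_agent(error):
    """Return the Google APIs Service Agent e-mail from the suggestion, or None."""
    match = AGENT.search(error["ResourceErrorMessage"].get("suggestion", ""))
    return match.group(0) if match else None

def roles_for(policy, email):
    """Return the roles the policy binds to serviceAccount:<email>."""
    member = "serviceAccount:" + email
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))

def diagnose(error, policy):
    """Combine the checks: who was refused, what they hold now, what was missing."""
    agent = suggested_agent(error)
    return {"agent": agent, "roles": roles_for(policy, agent) if agent else [],
            "missing": missing_permissions(error)}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR, SAMPLE_POLICY), indent=2))
```

An empty "roles" list for the agent, as in the constructed policy here, matches the situation described in the answer: the cloudservices account no longer has any binding on the project.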