missing role serviceusage.serviceUsageConsumer

Hello Team,

I am creating a baremetal cluster, wherein I created the config as below

bmctl create config -c bm-cluster-demo --enable-apis --create-service-accounts --project-id=anthos-151023

After updating the env-specific values in the YAML and while creating the cluster, I am getting an error related to a missing role. I tried adding this role to my account; it didn't work and I am still getting the same error.

bmctl create cluster -c bm-cluster-demo

======


I1017 13:58:26.377951 2058 validate.go:125] Validating Cluster.Authentication authentication:
I1017 13:58:26.378102 2058 file_check.go:19] [Runtime Check] Start Check for file --gcrKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-gcr.json.
I1017 13:58:26.403708 2058 file_check.go:23] [Runtime Check] End Check for file --gcrKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-gcr.json.
I1017 13:58:26.403792 2058 file_check.go:19] [Runtime Check] Start Check for file --gkeConnectAgentServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-connect.json.
I1017 13:58:26.403847 2058 file_check.go:23] [Runtime Check] End Check for file --gkeConnectAgentServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-connect.json.
I1017 13:58:26.403865 2058 file_check.go:19] [Runtime Check] Start Check for file --gkeConnectRegisterServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-register.json.
I1017 13:58:26.403890 2058 file_check.go:23] [Runtime Check] End Check for file --gkeConnectRegisterServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-register.json.
I1017 13:58:26.403921 2058 file_check.go:19] [Runtime Check] Start Check for file --cloudOperationsServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-cloud-ops.json.
I1017 13:58:26.403946 2058 file_check.go:23] [Runtime Check] End Check for file --cloudOperationsServiceAccountKeyPath=bmctl-workspace/.sa-keys/anthos-151023-anthos-baremetal-cloud-ops.json.

I1017 13:58:27.852739 2058 service_account.go:68] [Runtime Check] Start: Check for service account projects/anthos-151023/serviceAccounts/anthos-baremetal-register@anthos-151023.iam.gserviceaccount.com
I1017 13:58:29.365819 2058 service_account.go:68] [Runtime Check] Start: Check for service account projects/anthos-151023/serviceAccounts/anthos-baremetal-cloud-ops@anthos-151023.iam.gserviceaccount.com

E1017 13:58:32.894997 2058 create_cluster.go:134] "msg"="Failed to bootstrap." "error"="create kind cluster failed: error validating cluster config: 2 errors occurred:\n\t* GKERegister check failed: 1 error occurred:\n\t* googleapi: Error 403: Caller does not have required permission to use project anthos-151023. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023 and then retry. Propagation of the new permission may take a few minutes.\nDetails:\n[\n {\n "@type": "type.googleapis.com/google.rpc.Help",\n "links": [\n {\n "description": "Google developer console IAM admin",\n "url": "https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023"\n }\n ]\n },\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "domain": "googleapis.com",\n "metadata": {\n "consumer": "projects/anthos-151023",\n "service": "cloudresourcemanager.googleapis.com"\n },\n "reason": "USER_PROJECT_DENIED"\n }\n]\n, forbidden\n\n\n\t* ClusterOperations check failed: googleapi: Error 403: Caller does not have required permission to use project anthos-151023. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023 and then retry. Propagation of the new permission may take a few minutes.\nDetails:\n[\n {\n "@type": "type.googleapis.com/google.rpc.Help",\n "links": [\n {\n "description": "Google developer console IAM admin",\n "url": "https://console.developers.google.com/iam-admin/iam/project?project=anthos-151023"\n }\n ]\n },\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "domain": "googleapis.com",\n "metadata": {\n "consumer": "projects/anthos-151023",\n "service": "cloudresourcemanager.googleapis.com"\n },\n "reason": "USER_PROJECT_DENIED"\n }\n]\n, forbidden\n\n"
E1017 13:58:32.922975 2058 console.go:110] exit with error
E1017 13:58:32.923057 2058 console.go:110] Error creating cluster: create kind cluster failed: error validating cluster config: 2 errors occurred:


Hi @madhu_yadav ,

Welcome to the Google Cloud Community!

In your post, you mentioned that:

Have you added the roles with the serviceusage.serviceUsageConsumer or serviceusage.services.use permissions to the service accounts? Please attach a screenshot of this (blur out any personal details).

You can attach roles to a service account and to a user, but if you are missing a role, you may be denied access to the service.

If both the user and service accounts have the necessary permissions, this might be an issue with Workload Identity.

If the above options don’t work, you can contact Google Cloud Support to further look into your case. Thank you!

Best,
Lawrence


Works fine after adding the 'Service Consumer Usage' role to 3 of the service accounts, as in the attached screenshot.

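As an added example (not from the thread), here is a Python check that reads the ErrorInfo entry from the bmctl 403 error above and a project's IAM policy (both constructed samples here) and lists which bmctl service accounts still lack roles/serviceusage.serviceUsageConsumer, together with the gcloud grant command for each. Which three service accounts need the role is an assumption, as is treating a conditional binding as not satisfying the check.

```python
import json

REQUIRED_ROLE = "roles/serviceusage.serviceUsageConsumer"
# Assumption: these three bmctl service accounts need the role (the gcr SA only pulls images).
BMCTL_SERVICE_ACCOUNTS = ["anthos-baremetal-connect", "anthos-baremetal-register",
                          "anthos-baremetal-cloud-ops"]

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json` output,
# with the register service account deliberately lacking REQUIRED_ROLE.
SAMPLE_POLICY_JSON = json.dumps({"bindings": [
    {"role": REQUIRED_ROLE, "members": [
        "serviceAccount:anthos-baremetal-connect@anthos-151023.iam.gserviceaccount.com",
        "serviceAccount:anthos-baremetal-cloud-ops@anthos-151023.iam.gserviceaccount.com"]},
    {"role": "roles/gkehub.admin", "members": [
        "serviceAccount:anthos-baremetal-register@anthos-151023.iam.gserviceaccount.com"]},
]})

# Constructed sample of the ErrorInfo entry from the "Details" array of the bmctl 403 above.
SAMPLE_DETAILS_JSON = json.dumps([
    {"@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com",
     "metadata": {"consumer": "projects/anthos-151023",
                  "service": "cloudresourcemanager.googleapis.com"},
     "reason": "USER_PROJECT_DENIED"},
])

def denied_consumers(details_json):
    """Return (project_id, service) for each USER_PROJECT_DENIED ErrorInfo entry."""
    out = []
    for d in json.loads(details_json):
        if d.get("@type", "").endswith("google.rpc.ErrorInfo") and d.get("reason") == "USER_PROJECT_DENIED":
            meta = d["metadata"]
            out.append((meta["consumer"].split("/", 1)[1], meta["service"]))
    return out

def members_with_role(policy_json, role):
    """Members holding `role` unconditionally; conditional bindings are not counted as a grant."""
    return {m for b in json.loads(policy_json).get("bindings", [])
            if b.get("role") == role and "condition" not in b for m in b.get("members", [])}

def missing_bindings(policy_json, project_id, sa_names=BMCTL_SERVICE_ACCOUNTS):
    """bmctl service accounts (as IAM member strings) that still lack REQUIRED_ROLE."""
    have = members_with_role(policy_json, REQUIRED_ROLE)
    wanted = [f"serviceAccount:{n}@{project_id}.iam.gserviceaccount.com" for n in sa_names]
    return [m for m in wanted if m not in have]

def remediation_commands(project_id, members):
    """gcloud commands that grant REQUIRED_ROLE to each missing member (run once per SA)."""
    return [f"gcloud projects add-iam-policy-binding {project_id} --member={m} --role={REQUIRED_ROLE}"
            for m in members]
```

Feed the real policy JSON from gcloud in place of the sample, and re-run bmctl a few minutes after granting, since the error itself notes that propagation takes time.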

There was another issue when the config was being created from a VM instance. I had to log in as below from the admin workstation VM:

gcloud auth login user@domain.com
gcloud auth application-default login

PS: Thanks to the author of https://cloudsolutions.academy/how-to/anthos-in-a-nutshell/anthos-clusters-on-bare-metal/installing-anthos-clusters-on-bare-metal/install-software-on-workstation-machine/
