pre-flight check failed with two errors in Anthos deployment on baremetal (Hybrid Cluster).

Hi,

We are deploying an Anthos cluster on baremetal and the preflight check failed with the errors below.


cluster config: 2 errors occurred:

  • GKERegister check failed: 2 errors occurred:

      • operation failed with code 403 and status ‘PERMISSION_DENIED’: Permission denied on resource project kv-gpsc-juno-lab-dev.

      • Missing required permissions gkehub.memberships.delete, gkehub.memberships.update, gkehub.memberships.get, gkehub.memberships.list, gkehub.memberships.create for service account projects/kv-gpsc-juno-lab-dev/serviceAccounts/anthos-baremetal-register@kv-gpse-juno-lab-dev.iam.gserviceaccount.com

  • ClusterOperations check failed: invalid ClusterOperations location: please set the GOOGLE_APPLICATION_CREDENTIALS environment variable, or run ‘gcloud auth application-default login’. For more information, please refer to this documentation: https://cloud.google.com/docs/authentication/application-default-credentials#search_order: googleapi: Error 404: The resource ‘projects/kv-gpsc-juno-lab-dev’ was not found, notFound


The missing permissions mentioned in the error message, for example “gkehub.memberships.delete”, are already available. We referred to the URL below and created four service accounts (gcr, connect, register and cloud-ops). Please suggest a fix for this issue.

https://cloud.google.com/anthos/clusters/docs/bare-metal/1.16/installing/configure-sa


Hello @prasantaD ,

Here are the steps you can try to resolve the error “GKERegister check failed: 2 errors occurred”:

  1. Grant Required Permissions:

      • Access the IAM console: Navigate to the Google Cloud Platform console and select IAM & Admin > IAM.
      • Find the service account: Locate the service account anthos-baremetal-register@kv-gpse-juno-lab-dev.iam.gserviceaccount.com in the list.
      • Add permissions: Click on the service account and go to the Permissions tab.
      • Grant the necessary permissions: Add the following permissions to the service account:

          gkehub.memberships.delete
          gkehub.memberships.update
          gkehub.memberships.get
          gkehub.memberships.list
          gkehub.memberships.create

  2. Verify Project Permissions:

      • Check project access: Ensure that the user or service account running the GKERegister command has the appropriate permissions to access the project kv-gpsc-juno-lab-dev.
      • Grant project-level permissions: If necessary, grant the required project-level permissions to the user or service account.

  3. Recheck Registration:

      • Retry command: Once you have granted the required permissions, retry the GKERegister command.

Double-check permissions: Ensure that the permissions are granted correctly and have propagated.
Consider access scopes: Verify that the service account has the necessary access scopes to perform the required actions.
Review error logs: Examine any available error logs for more detailed information about the cause of the errors.
I hope these comprehensive tips help you successfully resolve the GKERegister error.

Hi

Thanks for your suggestion. I have created/granted all the permissions you mentioned in step #1, but I am still getting the same error.

Can you please elaborate on step #2? I am not sure which project-level permissions need to be granted.

I have created four service accounts as mentioned in the URL below and used my user account to perform “gcloud auth application-default login”.

https://cloud.google.com/anthos/clusters/docs/bare-metal/1.16/installing/configure-sa

The service accounts are:


gcrKeyPath: /root/baremetal/gcr-kv-key.json
gkeConnectAgentServiceAccountKeyPath: /root/baremetal/connect-agent.json
gkeConnectRegisterServiceAccountKeyPath: /root/baremetal/connect-register.json
cloudOperationsServiceAccountKeyPath: /root/baremetal/cloud-ops.json
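
An added check, not part of any post in this thread and not Google's tooling: it lists every project ID found in preflight output and compares a service account key's `project_id` and `client_email` (standard key file fields) against the cluster's project. Run on the output quoted in the first post, it shows the resource path naming kv-gpsc-juno-lab-dev while the register account's address names kv-gpse-juno-lab-dev; the function names and the sample key are constructed for illustration.

```python
import json
import re

_ID = r"[a-z][a-z0-9-]{4,28}[a-z0-9]"  # Google Cloud project ID syntax
RESOURCE_RE = re.compile(rf"projects/({_ID})")
SA_EMAIL_RE = re.compile(rf"([a-z0-9-]+)@({_ID})\.iam\.gserviceaccount\.com")

def project_ids(text):
    """Map every project ID found in text to the places it appears."""
    seen = {}
    for m in RESOURCE_RE.finditer(text):
        seen.setdefault(m.group(1), set()).add("resource path")
    for m in SA_EMAIL_RE.finditer(text):
        seen.setdefault(m.group(2), set()).add("service account " + m.group(1))
    return seen

def key_problems(key_json, cluster_project):
    """Compare one service account key file's contents to the cluster project."""
    key = json.loads(key_json)
    problems = []
    if key.get("project_id") != cluster_project:
        problems.append(f"project_id is {key.get('project_id')!r}")
    m = SA_EMAIL_RE.fullmatch(key.get("client_email", ""))
    if m is None:
        problems.append("client_email is not a service account address")
    elif m.group(2) != cluster_project:
        problems.append(f"client_email belongs to {m.group(2)!r}")
    return problems

# Two preflight lines as quoted in the first post (quote marks normalised to ASCII).
PREFLIGHT = """\
Missing required permissions gkehub.memberships.delete, gkehub.memberships.update, gkehub.memberships.get, gkehub.memberships.list, gkehub.memberships.create for service account projects/kv-gpsc-juno-lab-dev/serviceAccounts/anthos-baremetal-register@kv-gpse-juno-lab-dev.iam.gserviceaccount.com
googleapi: Error 404: The resource 'projects/kv-gpsc-juno-lab-dev' was not found, notFound
"""

# Constructed key contents (private key fields omitted); not a real key file.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project-a",
    "client_email": "connect-register@example-project-b.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    for pid, where in sorted(project_ids(PREFLIGHT).items()):
        print(pid, "<-", ", ".join(sorted(where)))
    print(key_problems(SAMPLE_KEY, "example-project-a"))
```

More than one project ID in the first listing, or any entry from `key_problems`, means the cluster configuration and the key files should be compared character by character before changing IAM bindings.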