Hi,
We are deploying a Anthos cluster on baremetal and preflight check was failed with below errors.
--------------------------------------------------------------------------------------------------------------------
cluster config: 2 errors occurred:
* GKERegister check failed: 2 errors occurred:
* operation failed with code 403 and status 'PERMISSION_DENIED': Permission denied on resource project kv-gpsc-juno-lab-dev.
* Missing required permissions gkehub.memberships.delete, gkehub.memberships.update, gkehub.memberships.get, gkehub.memberships.list, gkehub.memberships.create for service account projects/kv-gpsc-juno-lab-dev/serviceAccounts/anthos-baremetal-register@kv-gpse-juno-lab-dev.iam.gserviceaccount.com
* ClusterOperations check failed: invalid ClusterOperations location: please set the GOOGLE_APPLICATION_CREDENTIALS environment variable, or run 'gcloud auth application-default login'. For more information, please refer to this documentation: https://cloud.google.com/docs/authentication/application-default-credentials#search_order: googleapi: Error 404: The resource 'projects/kv-gpsc-juno-lab-dev' was not found, notFound
------------------------------------------------------------------------------------------------------------------------------
Missing permission as mentioned in the error message, for example "gkehub.memberships.delete" are already available. We have referred below URL and created four service account (gcr, connect, register and cloud-ops). Please suggest a fix for this issue.
https://cloud.google.com/anthos/clusters/docs/bare-metal/1.16/installing/configure-sa
Hello @prasantaD ,
Here are the steps you can try to resolve the error "GKERegister check failed: 2 errors occurred":
1. Grant Required Permissions:
Access the IAM console: Navigate to the Google Cloud Platform console and select IAM & Admin > IAM.
Find the service account: Locate the service account anthos-baremetal-register@kv-gpse-juno-lab-dev.iam.gserviceaccount.com in the list.
Add permissions: Click on the service account and go to the Permissions tab.
Grant the necessary permissions: Add the following permissions to the service account:
gkehub.memberships.delete
gkehub.memberships.update
gkehub.memberships.get
gkehub.memberships.list
gkehub.memberships.create
2. Verify Project Permissions:
Check project access: Ensure that the user or service account running the GKERegister command has the appropriate permissions to access the project kv-gpsc-juno-lab-dev.
Grant project-level permissions: If necessary, grant the required project-level permissions to the user or service account.
3. Recheck Registration:
Retry command: Once you have granted the required permissions, retry the GKERegister command.
Double-check permissions: Ensure that the permissions are granted correctly and have propagated.
Consider access scopes: Verify that the service account has the necessary access scopes to perform the required actions.
Review error logs: Examine any available error logs for more detailed information about the cause of the errors.
I hope this comprehensive tips will helps you successfully resolve the GKERegister error.
Hi
Thanks for your suggestion. I have created/granted all the permissions you mentioned in the step#1, but still getting same error.
Can please elaborate about step#2. I am not sure about what are the project level permissions need to be granted.
I have created four service account as mentioned in below url and used my user account to perform "gcloud auth application-default login".
https://cloud.google.com/anthos/clusters/docs/bare-metal/1.16/installing/configure-sa
Service accounts are
---------------------------------------------------------------------------------------------------
gcrKeyPath: /root/baremetal/gcr-kv-key.json
gkeConnectAgentServiceAccountKeyPath: /root/baremetal/connect-agent.json
gkeConnectRegisterServiceAccountKeyPath: /root/baremetal/connect-register.json
cloudOperationsServiceAccountKeyPath: /root/baremetal/cloud-ops.json
---------------------------------------------------------------------------------------------------------