Error: googleapi: Error 400: Composer API Service Agent service account (service-project#@cloudcomposer-accounts.iam.gserviceaccount.com) does not have required permissions set. Cloud Composer API Service Agent role is missing. Please bind roles/composer.serviceAgent back on service-project#
I am deploying a Composer cluster. Both roles "roles/composer.serviceAgent" and "roles/composer.ServiceAgentV2Ext" were given. Maybe you guys had better luck with this error?
Related
There is an implementation where API-1 is calling another API-2. Both are deployed in the same WSO2 Docker container 6.4.0.
The internal API call is not working. Got the below error in the logs:
Unable to sendViaPost to url[https://integ.company.com/wso2/api/queue_service]
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
In the background, some SSL certificate renewal activity happened at the HAProxy level. After this we started to get the above error.
Can I get some suggestions to resolve this error?
Try importing the certificate used for 'https://integ.company.com/wso2/api/queue_service' into the WSO2 server's client-truststore. If that doesn't resolve the issue, add the full stack trace of the exception.
I am deploying a Docker image from ACR to a Windows-based App Service using an Azure DevOps release pipeline (with the Azure Web App on Container Deploy task), but I am getting the following error:
"Error: Failed to patch App Service '[App Service Name]' configuration. Error: BadRequest - The parameter DOCKER_REGISTRY_SERVER_URL has an invalid value. Unexpected error when connecting to the registry. Cannot find available registry. https://[ACR Name].azurecr.io (CODE: 400) Error: Failed to update deployment history. Error: Ip Forbidden (CODE: 403)"
Both the App Service and ACR are using private endpoints. We are using a self-hosted agent for our pipeline.
Please let me know how to fix this issue.
Here is some troubleshooting advice:
Please check the value of DOCKER_REGISTRY_SERVER_URL in your ARM template or config file.
What's more, if you are using an ARM template, try adding "reserved": true to your properties.
We have set up Harbor (v2.2.1) on AWS ECS.
We are able to log in to the Harbor portal with the default admin/Harbor12345 credentials.
However, when we try to log in to Harbor from Docker using the command below, we get "Error response from daemon: login attempt to https://harbor.company.com/v2/ failed with status: 401 Unauthorized".
Command: docker login https://harbor.company.com
When we check the Harbor core logs, they say "failed to authenticate harbor_registry_user: Failed to authenticate user, due to error 'Invalid credentials'".
Note: We have changed the Harbor service URLs below to our company-specific URLs (e.g. https://harbor-jobservice.company.com):
(core, registry, jobservice, registryctl, portal, trivy-adapter)
We are using AWS RDS and AWS Redis.
We can even see the Trivy-Adapter health check as Passed on Harbor Portal. (meaning harbor services are able to communicate internally.)
When trying to deploy my container (or the hello world container) to Google Cloud Run, I receive this error:
ERROR: (gcloud.run.deploy) Cloud Run error: Internal system error. Missing necessary permission for service-<ID>@serverless-robot-prod.iam.gserviceaccount.com on resource <PROJECT ID>
I can see that the service account mentioned in the error is in my IAM dashboard and has the Google Cloud Run Service Agent role. I even tried giving it the Owner role, but it didn't work.
I tried including the --service-account flag with the same service account and receive this error:
PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account service-<ID>@serverless-robot-prod.iam.gserviceaccount.com (or it may not exist).
Which I know doesn't make sense.
I also tried this deploy through the console ui, but received the same error (the first one).
How do I fix this permission error?
In order to assign the iam.serviceAccounts.actAs permission, you have to set the roles/iam.serviceAccountUser role.
You can do this by going to the Console > IAM & Admin and setting the Service Account User role to your service account.
Also, confirm that the Cloud Run runtime service account also has the iam.serviceAccounts.actAs permission. This is a requirement specified in the Cloud Run deployment permissions docs.
As Dustin mentioned, there was an outage affecting IAM permissions. Now that the outage has been resolved, my deployment is working!
I built my container image and then deployed to Cloud Run using the Cloud Console. However, when I open the endpoint URL of my service, I get a 403 "Error: Forbidden" page.
If you receive a 403 "Error: Forbidden" error message when accessing your Cloud Run service, it means that your client is not authorized to invoke this service. You can address this by taking one of the following actions:
If the service is meant to be invocable by anyone, update its IAM settings to make the service public.
If the service is meant to be invocable only by certain identities, make sure that you invoke it with the proper authorization token.
I have used IAP to resolve this issue. If there is a use case where only authenticated users must be able to access the application, then use IAP.
Accessing Authenticated Cloud Run applications using IAP
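
For the 403 answer above, an added example (not from any of the posts) that reads the JSON returned by `gcloud run services get-iam-policy SERVICE --format=json` and reports who holds `roles/run.invoker`; `members_with_role` works the same way on a project policy to confirm a binding such as `roles/composer.serviceAgent` from the first question. The sample policy, the member names and the function names are constructed for illustration.

```python
import json

INVOKER = "roles/run.invoker"

# Constructed sample in the shape of an IAM policy returned as JSON.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/run.admin", "members": ["user:admin@example.com"]}
  ],
  "etag": "constructed",
  "version": 1
}
""")


def members_with_role(policy, role):
    """Return the set of members directly bound to `role` in this policy."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found


def invoke_access(policy, member=None):
    """Classify who may invoke the service according to this policy alone.

    Returns 'public', 'any-authenticated', 'bound' or 'not-bound'.
    Only roles/run.invoker is inspected; group membership, binding
    conditions and bindings inherited from the project, folder or
    organization are not expanded, so 'not-bound' means "no direct binding".
    """
    invokers = members_with_role(policy, INVOKER)
    if "allUsers" in invokers:
        return "public"  # anyone on the internet can call the service
    if "allAuthenticatedUsers" in invokers:
        return "any-authenticated"  # any Google identity with a token
    if member is not None and member in invokers:
        return "bound"  # caller must still send a valid identity token
    return "not-bound"  # unauthenticated or unlisted callers get 403


if __name__ == "__main__":
    caller = "serviceAccount:caller@example-project.iam.gserviceaccount.com"
    print(invoke_access(SAMPLE_POLICY))
    print(invoke_access(SAMPLE_POLICY, caller))
```

A result of 'public' on a service that was meant to be restricted is the finding to act on; 'bound' explains a 403 only when the request carried no token or a token for a different identity.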