1

I receive an error message while attempting to deploy anything from the marketplace into a specific GCP project.

You must have a valid default service account in order to create a deployment, but this account could not be detected. Contact support for help restoring the account.

Things I've Tried:

  • Every VM from the marketplace shows the same error message
  • I can deploy regular VM instance
  • I can see there is an enabled service account for the project with the name "Compute Engine default service account".
  • I am able to deploy VM's from the marketplace into other projects under the same organization
  • I've contacted GCP Billing support and they cannot find anything wrong from a billing perspective

Researching online shows that others that have had this issue have just rebuilt the project. It appears that service account is created by default when the project is spun up.

I'm hoping there is another way around it as this project is a host for a shared VPC deployment. There are already other projects with deployed VM's that are utilizing the host projects networks.

Thank you!

Justin
  • 11
  • 4
  • Possibly relevant to this question: https://stackoverflow.com/questions/36908749/deleted-compute-engine-default-service-account. Alternatively, you can follow the suggestion in the error and contact support. – robsiemb Nov 01 '19 at 13:38
  • @robsiemb - that link is a very different type of error. I agree with you he needs to contact Google Cloud Support. – John Hanley Nov 01 '19 at 13:47
  • Stackoverflow cannot help you with account problems. You will need to contact Google Cloud Support. This means you will need a paid support agreement. – John Hanley Nov 01 '19 at 13:49
  • @JohnHanley if the questioner accidentally deleted their default service account, the answers there might allow them to recover it. – robsiemb Nov 01 '19 at 13:52
  • 1
    @robsiemb - It depends on which service account they deleted. Some service accounts cannot be recreated by users and require Google Cloud Support. Some service accounts can be automatically recreated by first disabling the service and then re-enabling the service. His problem is most likely a missing "Compute Engine Default Service Account". I don't remember if this is a special one that requires Google Cloud Support to recreate. – John Hanley Nov 01 '19 at 16:32
  • Read my previous comment. If your problem is a missing Compute Engine Default Service Account, you might be able to recreate it by first disabling the Compute service. However, if you have other compute services running, this is not possible without first deleting all compute services. This is why Google Cloud Support is required. – John Hanley Nov 01 '19 at 16:33

2 Answers2

0

Looks like you deleted a default service account.

As mentioned in one comment some can be recreated by disable/enable the corresponding API

Below are the default service accounts I have in my project, hope it helps you to find the root cause. (these service accounts let me deploy a wordpress solution depending on what you are trying to deploy you might need more service accounts)

  • PROJECT-NUMBER-compute@developer.gserviceaccount.com Compute Engine
    default service account

  • PROJECT-NUMBER@cloudservices.gserviceaccount.com Google APIs Service Agent

  • PROJECT-ID@appspot.gserviceaccount.com App Engine default service
    account

  • service-ORG-ID3@gcp-sa-cloudasset.iam.gserviceaccount.com Cloud Asset Service Agent

  • service-PROJECT-NUMBER@cloud-ml.google.com.iam.gserviceaccount.com Google Cloud ML Engine Service Agent
  • service-PROJECT-NUMBER@compute-system.iam.gserviceaccount.com Compute Engine Service Agent
  • service-PROJECT-NUMBER@container-engine-robot.iam.gserviceaccount.com Kubernetes Engine Service Agent
  • service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com Google Container Registry Service Agent
  • service-PROJECT-NUMBER@dataflow-service-producer-prod.iam.gserviceaccount.com Cloud Dataflow Service Account
  • service-PROJECT-NUMBER@service-networking.iam.gserviceaccount.com Service Networking Service Agent
Ernesto U
  • 786
  • 3
  • 14
0

The service account was intact and had the same permissions as other service accounts for working projects.

We purchased and opened a case with GCP technical support. After a little more than a week of them troubleshooting the issues, they determined there was no way to correct the problem. Their root cause was that something happened during the initial project deployment that caused some backend configuration issues. For what its worth, the project was deployed using Terraform, but its uncertain if that was a factor.

After recreating the host project, we were able to deploy from the marketplace again successfully.

If you run into this problem, save yourself the hassle and time and just recreate the project.

Justin
  • 11
  • 4