2

When trying to delete my Cloud Composer environment, it gets stuck complaining about insufficient permissions. I have deleted the storage bucket, GKE cluster and the deployment according to this post: Cannot delete Cloud Composer environment

And the service account is the standard compute SA.

DELETE operation on this environment failed 33 minutes ago with the following error message:
Could not configure workload identity: Permission iam.serviceAccounts.getIamPolicy is required to perform this operation on service account projects/-/serviceAccounts/"project-id"-compute@developer.gserviceaccount.com.

Even though I made the compute account a project owner and IAM Security Admin temporarily, it does not work. And I've tried to delete it through the GUI, gcloud CLI and Terraform without success. Any advice or things to try out will be appreciated :)

John

2 Answers

1

I got help from Google support, and instead of addressing the SA projects/-/serviceAccounts/"project-id"-compute@developer.gserviceaccount.com.

It was apparently the default service agent that has the format of service-"project-nr"@cloudcomposer-accounts.iam.gserviceaccount.com with the Cloud Composer v2 API Service Agent Extension

Thank you for the kind replies!

John
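A check for the point made in the answer above, as an added example that is not part of the original post or Google's own code: it reads the JSON printed by `gcloud iam service-accounts get-iam-policy ENV_SA --format=json` and reports whether the Composer service agent holds the extension role on the environment's service account. The role ID `roles/composer.ServiceAgentV2Ext`, the choice to grant it on the environment's service account, and the project number, e-mail addresses and policies below are assumptions or constructed sample values.

```python
import json

# Role ID assumed for "Cloud Composer v2 API Service Agent Extension".
EXT_ROLE = "roles/composer.ServiceAgentV2Ext"

def composer_agent_member(project_number):
    """IAM member string for the project's Cloud Composer service agent."""
    return (f"serviceAccount:service-{project_number}"
            "@cloudcomposer-accounts.iam.gserviceaccount.com")

def agent_has_ext_role(policy_json, project_number):
    """True if the policy grants EXT_ROLE unconditionally to the agent."""
    policy = json.loads(policy_json)
    member = composer_agent_member(project_number).lower()
    for binding in policy.get("bindings", []):
        if binding.get("role") != EXT_ROLE or "condition" in binding:
            continue  # other role, or a conditional grant that may not apply
        if member in (m.lower() for m in binding.get("members", [])):
            return True
    return False

def remediation_command(env_sa, project_number):
    """gcloud command that adds the missing binding on the environment's SA."""
    return ("gcloud iam service-accounts add-iam-policy-binding "
            f"{env_sa} --member={composer_agent_member(project_number)} "
            f"--role={EXT_ROLE}")

# Constructed sample data, not taken from the page.
PROJECT_NUMBER = "123456789012"
ENV_SA = "123456789012-compute@developer.gserviceaccount.com"
POLICY_MISSING = json.dumps({"etag": "ACAB", "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:admin@example.com"]}]})
POLICY_GRANTED = json.dumps({"etag": "ACAB", "bindings": [
    {"role": EXT_ROLE,
     "members": [composer_agent_member(PROJECT_NUMBER)]}]})

if __name__ == "__main__":
    for name, policy in (("missing", POLICY_MISSING), ("granted", POLICY_GRANTED)):
        if agent_has_ext_role(policy, PROJECT_NUMBER):
            print(f"{name}: Composer service agent holds {EXT_ROLE}")
        else:
            print(f"{name}: binding absent, fix with:")
            print("  " + remediation_command(ENV_SA, PROJECT_NUMBER))
```

A policy with no bindings at all (only an `etag`) is reported as missing the role, which is the state a service account is in when nothing has been granted on it.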
0

The iam.serviceAccounts.getIamPolicy issue seems to be more related to the credentials: your server is having issues retrieving credentials data.

You should set up your path credentials variable again:

export GOOGLE_APPLICATION_CREDENTIALS=fullpath.json

There is also another option you can try to run:

gcloud auth activate-service-account --key-file=fullpath.json

You can also add it to your script:

provider "google" {
  credentials = file(var.service_account_file_path)
  project     = var.project_id
}

Don't forget that you need to have the correct roles to delete the composer.

For more details about it you can check:

https://cloud.google.com/composer/docs/delete-environments#gcloud

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment

https://cloud.google.com/composer/docs/how-to/access-control?hl=es_419

Chaotic Pechan