PermissionDenied after VM migration across GCP Projects #258

Open
larsen161 opened this issue Nov 15, 2020 · 1 comment

larsen161 commented Nov 15, 2020

After migrating a Debian VM from one GCP project to another via snapshots, I have been unable to get the osconfig agent working. I was not able to find documentation as to where I can change the service account that is being used for the osconfig agent. I attempted to place a new `application_default_credentials.json` file that is tied to the new GCP project in `/etc/google/auth/`, but that did not resolve the issue.

```
steve@gam:~:$ sudo systemctl status google-osconfig-agent
● google-osconfig-agent.service - Google OSConfig Agent
   Loaded: loaded (/lib/systemd/system/google-osconfig-agent.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-11-15 05:15:43 UTC; 33min ago
 Main PID: 777 (google_osconfig)
    Tasks: 8 (limit: 4381)
   Memory: 131.2M
   CGroup: /system.slice/google-osconfig-agent.service
           └─777 /usr/bin/google_osconfig_agent

Nov 15 05:15:43 gam systemd[1]: Started Google OSConfig Agent.
Nov 15 05:15:46 gam OSConfigAgent[777]: 2020-11-15T05:15:46.3911Z OSConfigAgent Info: OSConfig Agent (version 20201109.00-g1) started.
Nov 15 05:15:48 gam google_osconfig_agent[777]: 2020/11/15 05:15:48 logging client: rpc error: code = PermissionDenied desc = The caller does not have permission
Nov 15 05:45:49 gam OSConfigAgent[777]: 2020-11-15T05:45:49.3323Z OSConfigAgent Error inventory.go:57: packages.GetPackageUpdates() error: error getting apt updates: er
Nov 15 05:45:50 gam google_osconfig_agent[777]: 2020/11/15 05:45:50 logging client: rpc error: code = PermissionDenied desc = The caller does not have permission
```

adjackura (Contributor) commented Nov 17, 2020

The agent does not use OAuth for connecting to the osconfig API at all. It uses the Instance Identity Token grabbed from the metadata server; this token does require a service account associated with the instance but no additional scopes. The errors you have there are mainly from the log writer; this library uses the service account set in metadata. These log writes do require the instance to have the log write scope set for the instance and that service account to have the correct permissions in the project that the logs are being written to. The log errors should not impact any other agent actions though.

https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature
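
An added diagnostic sketch, not part of the thread or of the osconfig project: it inspects the two things the comment above names, the project recorded in the instance identity token and the scopes on the instance's service account. The audience string, project names and sample token are constructed; IAM permissions in the target project cannot be read from metadata and still have to be checked separately.

```python
import base64
import json
import urllib.request

MD = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"
LOG_SCOPES = {
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/logging.admin",
    "https://www.googleapis.com/auth/cloud-platform",
}

def fetch(path):
    """Read one value from the metadata server (only works on the VM itself)."""
    req = urllib.request.Request(MD + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, scopes_text, expected_project):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    gce = claims(token).get("google", {}).get("compute_engine", {})
    if gce.get("project_id") != expected_project:
        findings.append("token project is %r, expected %r"
                        % (gce.get("project_id"), expected_project))
    if not LOG_SCOPES & set(scopes_text.split()):
        findings.append("no logging scope on the instance service account")
    return findings

def _sample_token(project):
    """Constructed, unsigned token shaped like a format=full identity token."""
    body = {"aud": "osconfig-example",
            "google": {"compute_engine": {"project_id": project}}}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(body), "sig"])

if __name__ == "__main__":
    # On the VM, replace the constructed inputs with:
    #   fetch("identity?audience=osconfig-example&format=full") and fetch("scopes")
    sample_scopes = "https://www.googleapis.com/auth/devstorage.read_only"
    print(diagnose(_sample_token("new-project"), sample_scopes, "new-project"))
```

A 404 from `fetch` on the VM means no service account is attached to the instance at all.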

ilc-fg pushed a commit to ilc-fg/osconfig that referenced this issue Oct 3, 2023
Disabled features(built out):
  - mTLS & osLogin byoid cert handling.

New features:
  - Telemetry.

Fixes:
  - snapshot service handling resource leaking.