gcloud compute ssh fails - ssh

I'm using Windows Server 2008.
on issuing gcloud compute ssh instance-1 --zone us-central1-a
I receive the error:
ERROR: (gcloud.compute.ssh) Could not fetch instance:
- Invalid value 'EFOnline'. Values must match the following regular expression: '(?:(?:[-a-z0-9]{1,63}\.)*(?:[a-z](?:[-
a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?))'
To be clear, I did do a gcloud auth login and received a successful 'you are now authenticated'
My project Name is EFOnline
my instance name is : instance-1 us-central1-a (cut and paste there)
So why the weird regex error??
Thanks

Google Cloud projects have both a name and an id.
Your project ID is the string that uniquely identifies your project to Google. Project IDs show up in URI paths to cloud resources, and have to be "good" strings to put in URIs. You can find the project id for your project at the "Overview" in http://console.developers.google.com/ page.
The project name is a human-readable string that can, for example, contain spaces and some special characters.
GCloud (and most of the GCP tooling) uses project ID.
So... please try the following: Look up your project id here: http://console.developers.google.com/ then run
$ gcloud config set project <id>
$ gcloud compute ssh instance-1 --zone us-central1-a
Also, we're working on fixing the error message.

Also, if you have more google cloud accounts or you are not logged in, you need first to authenticate with google cloud:
gcloud auth login
after that, copy given link, login with wanted account and you will be able to SSH to google cloud console with gcloud command.

Additionally, one can log into their developer console, open up your VM instance and click on the SSH widget at the top of the page, selecting View Gcloud Command. This will generate your specific string for terminal.
gcloud compute --project "project_name" ssh --zone "us-central1-a" "vm_instance_name"

Related

How to create a service networking creation from a gcp project to "default" network

I wanted to use the gcloud cli to create an sql instance that is accessible on the default network. So I tried this:
gcloud beta sql instances create instance1 \
--network projects/peak-freedom-xxxxx/global/networks/default
And I get the error
ERROR: (gcloud.beta.sql.instances.create) [INTERNAL_ERROR] Failed to create subnetwork.
Please create Service Networking connection with service 'servicenetworking.googleapis.com'
from consumer project '56xxxxxxxxx' network 'default' again.
When you go to the console to create it, you can check Private IP you can see this:
And there's an "Allocate and connect" button. So I'm guessing that's what I need to do. But I can't figure out how to do that with the gcloud cli.
Can anyone help?
EDIT 1:
I've tried setting the --network to https://www.googleapis.com/compute/alpha/projects/testing-project-xxx/global/networks/default
Which resulted in
ERROR: (gcloud.beta.sql.instances.create) [INTERNAL_ERROR] Failed to
create subnetwork. Set Service Networking service account as
servicenetworking.serviceAgent role on consumer project
Then I tried recreating a completely new project and enabling the Service Networking API like so:
gcloud --project testing-project-xxx \
services enable \
servicenetworking.googleapis.com
And then creating the DB resulted in the same error. So I tried to manually add the servicenetworking.serviceAgent role and ran:
gcloud projects add-iam-policy-binding testing-project-xxx \
--member=serviceAccount:service-PROJECTNUMBER#service-networking.iam.gserviceaccount.com \
--role=roles/servicenetworking.serviceAgent
This succeeded with
Updated IAM policy for project [testing-project-xxx].
bindings:
- members:
- user:email#gmail.com
role: roles/owner
- members:
- serviceAccount:service-OJECTNUMBERRP#service-networking.iam.gserviceaccount.com
role: roles/servicenetworking.serviceAgent
etag: XxXxXX37XX0=
version: 1
But creating the DB failed with the same error. For reference, this is the command line I'm using to create the DB:
gcloud --project testing-project-xxx \
beta sql instances create instanceName \
--network=https://www.googleapis.com/compute/alpha/projects/testing-project-xxx/global/networks/default \
--database-version POSTGRES_11 \
--zone europe-north1-a \
--tier db-g1-small
the network name of form "projects/peak-freedom-xxxxx/global/networks/default" is for creating SQL instances under shared VPC network. if you want to create an instance in a normal VPC network you should use:
gcloud --project=[PROJECT_ID] beta sql instances create [INSTANCE_ID]
--network=[VPC_NETWORK_NAME]
--no-assign-ip
where [VPC_NETWORK_NAME] is of the form https://www.googleapis.com/compute/alpha/projects/[PROJECT_ID]/global/networks/[VPC_NETWORK_NAME]
for more information check here.
Note: you need to configure private service access for this and it's one time action only. follow instructions here to do so.

gcloud compute ssh requires password even after using json key file for authentication

I am trying to authenticate gcloud using json key and even doing everything as per docs it requires for password when I run gcloud compute ssh root#production
Here is snapshot of steps I performed.
1. Authorizing access to Google Cloud Platform with a service account
tahir#NX00510:~/www/helloworld$ gcloud auth activate-service-account 1055703200677-compute#developer.gserviceaccount.com --key-file=gcloud_key.json
Activated service account credentials for: [1055703200677-compute#developer.gserviceaccount.com]
2. Initializing the gcloud
tahir#NX00510:~/www/helloworld$ gcloud init
Welcome! This command will take you through the configuration of gcloud.
Settings from your current configuration [default] are:
compute:
region: us-central1
zone: us-central1-b
core:
account: 1055703200677-compute#developer.gserviceaccount.com
disable_usage_reporting: 'True'
project: concise-hello-122320
Pick configuration to use:
[1] Re-initialize this configuration [default] with new settings
[2] Create a new configuration
Please enter your numeric choice: 1
Your current configuration has been set to: [default]
You can skip diagnostics next time by using the following flag:
gcloud init --skip-diagnostics
Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.
Reachability Check passed.
Network diagnostic passed (1/1 checks passed).
Choose the account you would like to use to perform operations for
this configuration:
[1] 1055703200677-compute#developer.gserviceaccount.com
[2] Log in with a new account
Please enter your numeric choice: 1
You are logged in as: [1055703200677-compute#developer.gserviceaccount.com].
API [cloudresourcemanager.googleapis.com] not enabled on project
[1055703200677]. Would you like to enable and retry (this will take a
few minutes)? (y/N)? N
WARNING: Listing available projects failed: PERMISSION_DENIED: Cloud Resource Manager API has not been used in project 1055703200677 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1055703200677 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
- '#type': type.googleapis.com/google.rpc.Help
links:
- description: Google developers console API activation
url: https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1055703200677
Enter project id you would like to use: concise-hello-122320
Your current project has been set to: [concise-hello-122320].
Do you want to configure a default Compute Region and Zone? (Y/n)? n
Your Google Cloud SDK is configured and ready to use!
* Commands that require authentication will use 1055703200677-compute#developer.gserviceaccount.com by default
* Commands will reference project `concise-hello-122320` by default
Run `gcloud help config` to learn how to change individual settings
This gcloud configuration is called [default]. You can create additional configurations if you work with multiple accounts and/or projects.
Run `gcloud topic configurations` to learn more.
Some things to try next:
* Run `gcloud --help` to see the Cloud Platform services you can interact with. And run `gcloud help COMMAND` to get help on any gcloud command.
* Run `gcloud topic --help` to learn about advanced features of the SDK like arg files and output formatting
3. SSHing to gcloud
tahir#NX00510:~/www/helloworld$ gcloud compute ssh root#production
No zone specified. Using zone [us-central1-b] for instance: [production].
root#compute.1487950061407628967's password:
I don't know which password should I enter here, also I believe it should not ask for password in the first place because I have used json key file for authentication.
Could you guys please help me out to fix this.
Thanks !

ERROR: (gcloud.compute.ssh) Could not fetch resource: - Insufficient Permission

I am having trouble working through the Compute Engine Quickstart: Build a to-do app with a MongoDB tutorial. (edit: I am running the tutorial from within the compute engine console; i.e. https://console.cloud.google.com/compute/instances?project=&tutorial=compute_quickstart)
I SSH into the backend instance. I enter the "gcloud compute" command as copied from the tutorial. I am prompted to enter a passphrase. The following is returned:
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in
...
<< Identifying detail ommitted >>
...
**ERROR: (gcloud.compute.ssh) Could not fetch resource:
- Insufficient Permission**
I had run through this stage of the tutorial on a previous occasion with no problems.
I am working from a Windows 10 PC with the google-cloud-sdk installed. I am using google chrome. I have tried in both regular and incognito modes.
Any help or advice greatfully received!
DaveDub
It looks like the attempt to SSH is recognising the instance in your project, but the user doesn't have the required permissions to access the machine.
Have you tried running:
gcloud auth login
and completing the web-based authorization to ensure you are attempting to access the machine as the correct (authenticated) user? This process ensures the Cloud SDK you are running inherits the permissions of the user specified in the web-based authorisation. See here for more information on this.
It's also worth adding the link to the tutorial you are following to your question.
Besides the accepted answer, be sure you are in the correct gcloud project
gcloud projects list
Then
gcloud config set project <your-project>
I just ran into this for yet another reason. Google has always had poor handling of multi-user auth conflicts with their business products. Whatever you sign into a clean chrome session with 'first' gets a 'special', invisible role. I've noticed with gsuite that I get 'forced' into that first user when I try to access the admin panel, and the only way to escape is to make sure that whatever google user I use for the gsuite admin is 'first', or open an incognito window. I've seen this bug for years, can't believe it still exists.
Anyways, I ran into a similar issue. Somehow I was the wrong google user, so the link I got when copy/pasting out of 'connect with gcloud command' was implying wrong google user. Only noticed later when I just gave up and used the terminal that I was not my normal user... So, might look into that.

error opening a port in Google Compute Engine

I am trying to open a port via ssh in my VM instance in Google Compute engine but I keep getting error messages.
Here is my command:
myname#instance-2:~$ gcloud compute firewall-rules create baasbox-console-port --allow tcp:9000 --source-range
s=0.0.0.0/0
here is the error message:
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
ERROR: (gcloud.compute.firewall-rules.create) Some requests did not succeed:
- Insufficient Permission
pls what am i doing wrong?
gcloud auth login
Go to the following link in your browser:
(Cut and past the link into your browser address bar)
For me (Ubuntu 14.04) this does not return a verification code on FireFox, use Chromium. You should get a long string of characters as a verification code. Cut and past this into the terminal. I would then see this:
ERROR: There was a problem with web authentication.ERROR: (gcloud.auth.login) invalid_grant
After several tries of generating the code and pasting it, I copied the code and the trailing colon(:) then it worked
You need to do either of the following:
run gcloud auth login in your instance, or
when you create your VM, you need to give it read-write access to Google Cloud Platform APIs by adding the compute-rw scope as follows:
gcloud compute instances create $VM --scopes compute-rw [...]
See the gcloud compute instances create docs for more info.

How do I configure Google BigQuery command line tool to use a Service Account?

I've created a service account using the Google API Console and wish to use this service account with the Google BigQuery CLI (bq) tool.
I've been using the command line tool to successfully access the BigQuery service using my valid OAuth2 credentials in ~/.bigquery.v2.token, however I can't seem to find any documentation on how to modify this file (or otherwise configure the tool) to use a service account instead.
Here is my current .bigquery.v2.token file
{
"_module": "oauth2client.client",
"_class": "OAuth2Credentials",
"access_token": "--my-access-token--",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"invalid": false,
"client_id": "--my-client-id--.apps.googleusercontent.com",
"id_token": null,
"client_secret": "--my-client-secret--",
"token_expiry": "2012-11-06T15:57:12Z",
"refresh_token": "--my-refresh-token--",
"user_agent": "bq/2.0"
}
My other file: ~/.bigqueryrc generally looks like this:
project_id = --my-project-id--
credential_file = ~/.bigquery.v2.token
I've tried setting the credential_file paramater to the .p12 private key file for my service account but with no luck, it gives me back the following error
******************************************************************
** No OAuth2 credentials found, beginning authorization process **
******************************************************************
And asks me to go to a link in my browser to set up my OAuth2 credentials again.
The command line tools' initial configuration option "init":
bq help init
displays no helpful information about how to set up this tool to use a service account.
I ended up finding some documentation on how to set this up
$ bq --help
....
--service_account: Use this service account email address for authorization. For example, 1234567890#developer.gserviceaccount.com.
(default: '')
--service_account_credential_file: File to be used as a credential store for service accounts. Must be set if using a service account.
--service_account_private_key_file: Filename that contains the service account private key. Required if --service_account is specified.
(default: '')
--service_account_private_key_password: Password for private key. This password must match the password you set on the key when you created it in the Google APIs Console. Defaults to the default Google APIs Console private key password.
(default: 'notasecret')
....
You can either set these specifically on each bq (bigquery commandline client) request, ie:
$ bq --service_account --my-client-id--.apps.googleusercontent.com -- service_account_private_key_file ~/.bigquery.v2.p12 ... [command]
Or you can set up defaults in your ~/.bigqueryrc file like so
project_id = --my-project-id--
service_account = --my-client-id--#developer.gserviceaccount.com
service_account_credential_file = /home/james/.bigquery.v2.cred
service_account_private_key_file = /home/james/.bigquery.v2.p12
The service account can be found in the Google API Console, and you set up service_account_private_key_password when you created your service account (this defaults to "notasecret").
note: file paths in .bigqueryrc had to be the full path, I was unable to use ~/.bigquery...
Some additional dependencies were required, you will need to install openssl via yum/apt-get
--yum--
$ yum install openssl-devel libssl-devel
--or apt-get--
$ apt-get install libssl-dev
and pyopenssl via easy install/pip
--easy install--
$ easy_install pyopenssl
--or pip--
$ pip install pyopenssl
The bq authorization flags are now deprecated
bq documentation
1.) Tell gcloud to authenticate as your service account
gcloud auth activate-service-account \
test-service-account#google.com \
--key-file=/path/key.json \
--project=testproject
2.) Run a bq command as you would with your user account
# ex: bq query
bq query --use_legacy_sql=false 'SELECT CURRENT_DATE()'
3. optional) Revert gcloud authentication to your user account
gcloud config set account you#google.com
3a. optional) See who gcloud uses for authentication
gcloud auth list
The bq tool requires two configuration files, controlled by the --bigqueryrc and the --credential_file flag. If neither one is found, bq will attempt to automatically initialize during start up.
To avoid this for the --bigqueryrc file, you can place a ".bigqueryrc" file in the default location, or override it with --bigqueryrc to some writeable file path.
For anyone else who comes along struggling to use bq with a service account... I had a seriously hard time getting this to work inside of a CI/CD pipeline using the Google Cloud SDK docker images on gitlab-ci. Turns out the missing bit for me was making sure to set the default project. On my laptop gcloud was happy inferring the default project from the service account, but for some reason the version within the docker image was defaulting to a public free project.
- gcloud auth activate-service-account --key-file=${PATH_TO_SVC_ACCT_JSON};
- gcloud config set project ${GOOGLE_BIGQUERY_PROJECT}
after this I was able to use the bq utility as the service account. I imagine setting the default project in the .bigqueryrc file does the trick too, which is why the OP didn't run into this issue.