Scope Error when trying to attach gke cluster
Hello Dataikers, I'm trying to attach a GKE cluster with a service account. On my DSS server the gcloud command works fine and I'm able to deploy a K8s cluster.
On the DSS GUI, I'm facing a kind of rights issue with the API (I think).
I'm getting this error:
Failed to start cluster : <class 'googleapiclient.errors.HttpError'> : {'www-authenticate': 'Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/cloud-platform"', 'vary': 'Origin, X-Origin, Referer', 'content-type': 'application/json; charset=UTF-8', 'date': 'Thu, 12 Dec 2024 22:20:05 GMT', 'server': 'ESF', 'cache-control': 'private', 'x-xss-protection': '0', 'x-frame-options': 'SAMEORIGIN', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'status': '403', 'content-length': '477', '-content-encoding': 'gzip'}
My research found roles/cloud-platform to be added to my service account → strange
Are you able to help me?
Best regards
Operating system used: ubuntu 22.04 minimal
Answers
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,160 Neuron
What you need to make sure is that the Linux account that Dataiku uses to run its services has logged into gcloud and has full permissions/scope on the GKE cluster. This is noted in the Dataiku GKE documentation. So before you do anything on the Dataiku GUI you should sudo into the account that Dataiku uses to run its services and make sure you have enabled the GKE cluster and can connect to it. For instance all the following commands should work and return information:
kubectl config current-context
kubectl cluster-info
kubectl get svc
kubectl get nodes
-
Hello Turribeach,
Thanks for helping me. All of your commands are working fine.
You mean that adding my account to the sudo group should help?
-
Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,160 Neuron
Can you confirm the commands run fine under the same account that runs the DSS services in your Linux box? It's not your account that needs these commands working. It's the Dataiku account. What's the name of the account that runs DSS services in your box?
-
The name of the account that runs the services is dssuser.
I start DSS as a service, so I check with ps -awx and grep for dss.
And also cat on the dataiku.service:
[Unit]
Description=Dataiku instance at /mnt/dataiku/dss_data
After=network-online.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
TimeoutStartSec=infinity
TimeoutStopSec=15min
User=dssuser
ExecStartPre=!/etc/dataiku/c25GZdkE07c7K2MyI7RtMYik/dataiku-boot init
ExecStart=/etc/dataiku/c25GZdkE07c7K2MyI7RtMYik/dataiku-boot start
ExecStop=/etc/dataiku/c25GZdkE07c7K2MyI7RtMYik/dataiku-boot stop
It shows me that dssuser is the user on the service.
On my server I sudo to my dssuser and check all your commands.
So if the service is started by my user dssuser and the commands work fine, it should work … :(
Or maybe I missed something?
-
This is the latest error; no more scope error since dssuser is a member of the sudo group.
  File "/mnt/dataiku/dss_data/code-envs/python/plugin_gke-clusters_managed_1/lib/python3.10/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/mnt/dataiku/dss_data/code-envs/python/plugin_gke-clusters_managed_1/lib/python3.10/site-packages/googleapiclient/http.py", line 938, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://container.googleapis.com/v1/projects/frederic-17586/zones/europe-central2-a/clusters/dss-gke-cluster4?alt=json returned "Permission denied on resource project frederic-17586.". Details: "[{'@type': 'type.googleapis.com/google.rpc.ErrorInfo', 'reason': 'CONSUMER_INVALID', 'domain': 'googleapis.com', 'metadata': {'consumer': 'projects/frederic-17586', 'containerInfo': 'frederic-17586', 'service': 'container.googleapis.com'}}, {'@type': 'type.googleapis.com/google.rpc.LocalizedMessage', 'locale': 'en-US', 'message': 'Permission denied on resource project frederic-17586.'}, {'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developers console', 'url': 'https://console.developers.google.com'}]}]">
[2024-12-13 13:42:41,390] [199243/MainThread] [INFO] [dataiku.base.socket_block_link] Client closed
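
Added example, not part of any post in this thread: the two 403 responses quoted above are refused at different layers (the first by the OAuth scope of the access token, the second by the API for the named project), and this Python code triages them from the response header and the error details. The function names and the trimmed sample inputs are constructed for illustration.

```python
import re

# Constructed inputs: the two 403 responses quoted in this thread, trimmed to
# the fields the triage needs.
SCOPE_403 = {
    "www-authenticate": 'Bearer realm="https://accounts.google.com/", '
                        'error="insufficient_scope", '
                        'scope="https://www.googleapis.com/auth/cloud-platform"',
    "status": "403",
}
CONSUMER_403_DETAILS = [
    {"@type": "type.googleapis.com/google.rpc.ErrorInfo",
     "reason": "CONSUMER_INVALID", "domain": "googleapis.com",
     "metadata": {"consumer": "projects/frederic-17586",
                  "service": "container.googleapis.com"}},
]


def parse_bearer_challenge(value):
    """Return the key="value" parameters of a Bearer WWW-Authenticate header."""
    if not value or not value.strip().lower().startswith("bearer"):
        return {}
    return dict(re.findall(r'([A-Za-z_]+)="([^"]*)"', value))


def triage_403(headers=None, details=None):
    """Classify a Google API 403 as (kind, what_to_check). Hypothetical helper."""
    # Header names are matched case-insensitively; clients differ in casing.
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    challenge = parse_bearer_challenge(hdrs.get("www-authenticate"))
    if challenge.get("error") == "insufficient_scope":
        # The access token itself is too narrow. IAM roles granted to the
        # service account do not widen it; the credential has to be issued
        # with the scope named in the challenge.
        return ("oauth_scope", challenge.get("scope", "").split())
    for d in details or []:
        if d.get("@type", "").endswith("google.rpc.ErrorInfo"):
            meta = d.get("metadata", {})
            # The token was accepted; the refusal concerns this project/service.
            return ("api_" + d.get("reason", "UNKNOWN").lower(),
                    [meta.get("consumer"), meta.get("service")])
    return ("unclassified", [])
```
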