Troubleshoot service accounts in GKE


This page shows you how to troubleshoot issues with Google Kubernetes Engine (GKE) service accounts.

Restore the default service account to your Google Cloud project

GKE's default service account, container-engine-robot, can accidentally become unbound from a project. The Kubernetes Engine Service Agent role (roles/container.serviceAgent) is an Identity and Access Management (IAM) role that grants the service account the permissions to manage cluster resources. If you remove this role binding from the service account, the default service account becomes unbound from the project, which can prevent you from deploying applications and performing other cluster operations.

To see if the service account is removed from your project, you can use the Google Cloud console or Google Cloud CLI.

gcloud

  • Run the following command:

    gcloud projects get-iam-policy PROJECT_ID
    

    Replace PROJECT_ID with your project ID.

If the dashboard or the command doesn't display container-engine-robot among your service accounts, the role is unbound.

To restore the Kubernetes Engine Service Agent role (roles/container.serviceAgent) binding, run the following commands:

PROJECT_NUMBER=$(gcloud projects describe "PROJECT_ID" \
    --format 'get(projectNumber)')
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:service-${PROJECT_NUMBER?}@container-engine-robot.iam.gserviceaccount.com" \
    --role roles/container.serviceAgent

Confirm that the role binding is restored:

gcloud projects get-iam-policy PROJECT_ID

If you see the service account name along with the container.serviceAgent role, the role binding is restored. For example:

- members:
  - serviceAccount:service-1234567890@container-engine-robot.iam.gserviceaccount.com
  role: roles/container.serviceAgent
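
The same check can be scripted instead of reading the policy by eye. The following Python code is an added example, not part of the original page or of Google's tooling: it reads the JSON form of the policy (gcloud projects get-iam-policy PROJECT_ID --format=json) and reports whether the service agent holds roles/container.serviceAgent, holds only other roles, appears as a deleted principal, or is absent. The function names, the script name check_agent.py and the sample policies are assumptions constructed for illustration.

```python
import json
import sys

AGENT_ROLE = "roles/container.serviceAgent"
_AGENT = "serviceAccount:service-1234567890@container-engine-robot.iam.gserviceaccount.com"

# Constructed sample policies (not real project data).
SAMPLE_BOUND = json.dumps({"bindings": [
    {"role": AGENT_ROLE, "members": [_AGENT]},
    {"role": "roles/editor", "members": ["user:dev@example.com"]}]})
SAMPLE_UNBOUND = json.dumps({"bindings": [
    {"role": "roles/editor", "members": ["user:dev@example.com"]}]})
SAMPLE_DELETED = json.dumps({"bindings": [
    {"role": AGENT_ROLE, "members": ["deleted:" + _AGENT + "?uid=111111111111111111111"]}]})


def agent_member(project_number):
    """Member string of the GKE service agent for a project number."""
    return (f"serviceAccount:service-{project_number}"
            "@container-engine-robot.iam.gserviceaccount.com")


def check_agent_binding(policy_json, project_number):
    """Return (status, roles) for the service agent in an IAM policy.

    status is "bound", "deleted", "wrong-role" or "unbound";
    roles lists every role the live service agent currently holds.
    """
    want = agent_member(project_number)
    roles, deleted = [], False
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            # IAM lists a deleted principal as "deleted:<member>?uid=<id>".
            if member.startswith("deleted:" + want + "?"):
                deleted = True
            elif member == want:
                roles.append(binding["role"])
    if AGENT_ROLE in roles:
        return "bound", roles
    if deleted:
        return "deleted", roles
    return ("wrong-role" if roles else "unbound"), roles


if __name__ == "__main__":
    # gcloud projects get-iam-policy PROJECT_ID --format=json \
    #     | python3 check_agent.py PROJECT_NUMBER
    status, roles = check_agent_binding(sys.stdin.read(), sys.argv[1])
    print(status, roles)
    sys.exit(0 if status == "bound" else 1)
```

A non-zero exit status means the binding needs attention, so the script can gate a deployment pipeline or run as a periodic check.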

Enable the Compute Engine default service account

The service account used for the node pool is usually the Compute Engine default service account. If this default service account is deactivated, your nodes might fail to register with the cluster.

To see if the service account is deactivated in your project, you can use the Google Cloud console or gcloud CLI.

gcloud

  • Run the following command:

    gcloud iam service-accounts list --filter="NAME~'compute' AND disabled=true"

If the service account is deactivated, run the following command to enable the service account:

gcloud iam service-accounts enable PROJECT_ID-compute@developer.gserviceaccount.com

Replace PROJECT_ID with your project ID.

For more information, see Troubleshoot node registration.

Error 400/403: Missing edit permissions on account

If your service account is deleted, you might see a missing edit permissions error. To learn how to troubleshoot this error, see Error 400/403: Missing edit permissions on account.

What's next

If you need additional assistance, reach out to Cloud Customer Care.