This page shows you how to troubleshoot issues with Google Kubernetes Engine (GKE) service accounts.
Restore the default service account to your Google Cloud project
GKE's default service account, container-engine-robot, can accidentally become unbound from a project. The Kubernetes Engine Service Agent role (roles/container.serviceAgent) is an Identity and Access Management (IAM) role that grants the service account the permissions to manage cluster resources. If you remove this role binding from the service account, the default service account becomes unbound from the project, which can prevent you from deploying applications and performing other cluster operations.
To see if the service account is removed from your project, you can use the Google Cloud console or Google Cloud CLI.
Console
In the Google Cloud console, go to the IAM & Admin page.
gcloud
Run the following command:
gcloud projects get-iam-policy PROJECT_ID
Replace PROJECT_ID with your project ID.
If the dashboard or the command doesn't display container-engine-robot among your service accounts, the role is unbound.
To restore the Kubernetes Engine Service Agent role (roles/container.serviceAgent) binding, run the following commands:
# Look up the project number first; the service agent's email address contains it.
PROJECT_NUMBER=$(gcloud projects describe "PROJECT_ID" \
    --format 'get(projectNumber)')
# Re-add the binding in a separate command so that PROJECT_NUMBER is set before it is expanded.
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:service-${PROJECT_NUMBER?}@container-engine-robot.iam.gserviceaccount.com" \
    --role roles/container.serviceAgent
Confirm that the role binding is restored:
gcloud projects get-iam-policy PROJECT_ID
If you see the service account name along with the container.serviceAgent
role, the role binding is restored. For example:
- members:
  - serviceAccount:service-1234567890@container-engine-robot.iam.gserviceaccount.com
  role: roles/container.serviceAgent
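The following script is an added example, not part of this page or of Google's tooling: it parses a captured `gcloud projects get-iam-policy` output for the service agent binding described above and prints the restore command when the binding is missing. The policy text, etag and project number 1234567890 are constructed; the `gke_service_agent_member`, `service_agent_binding_status` and `restore_command` names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not Google's code): check a captured
# `gcloud projects get-iam-policy` YAML for the GKE service agent binding
# and print the restore command when it is missing. Runs offline on a
# constructed policy; runs live only if gcloud is installed and PROJECT_ID is set.
set -eu

# Member string the page expects for project number $1.
gke_service_agent_member() {
  printf 'serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com' "$1"
}

# stdin: policy YAML. Prints "bound" if $1 is a member of a binding whose
# role is roles/container.serviceAgent, otherwise "unbound".
service_agent_binding_status() {
  awk -v want="$1" '
    /^- /        { found = 0 }                                            # new binding
    /^  - /      { if ($2 == want) found = 1 }                            # member line
    /^  role: /  { if (found && $2 == "roles/container.serviceAgent") hit = 1 }
    END          { print (hit ? "bound" : "unbound") }'
}

# Prints the remediation command from the page for project ID $1 / number $2.
restore_command() {
  printf 'gcloud projects add-iam-policy-binding %s --member "%s" --role roles/container.serviceAgent\n' \
    "$1" "$(gke_service_agent_member "$2")"
}

# Constructed sample: the shape gcloud prints, with the binding present.
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:service-1234567890@container-engine-robot.iam.gserviceaccount.com
  role: roles/container.serviceAgent
- members:
  - user:admin@example.com
  role: roles/owner
etag: BwConstructedEtag=
version: 1'

if command -v gcloud >/dev/null 2>&1 && [ -n "${PROJECT_ID:-}" ]; then
  number=$(gcloud projects describe "$PROJECT_ID" --format 'get(projectNumber)')
  status=$(gcloud projects get-iam-policy "$PROJECT_ID" \
    | service_agent_binding_status "$(gke_service_agent_member "$number")")
  echo "$PROJECT_ID: service agent binding $status"
  [ "$status" = bound ] || restore_command "$PROJECT_ID" "$number"
else
  status=$(printf '%s\n' "$SAMPLE_POLICY" \
    | service_agent_binding_status "$(gke_service_agent_member 1234567890)")
  echo "sample policy: service agent binding $status"
fi
```

A binding that lists the service agent under some other role (for example roles/editor) is reported as unbound, because only the roles/container.serviceAgent binding restores the permissions the page describes.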
Enable the Compute Engine default service account
The service account used for the node pool is usually the Compute Engine default service account. If this default service account is deactivated, your nodes might fail to register with the cluster.
To see if the service account is deactivated in your project, you can use the Google Cloud console or gcloud CLI.
Console
In the Google Cloud console, go to the IAM & Admin page.
gcloud
Run the following command:
gcloud iam service-accounts list --filter="NAME~'compute' AND disabled=true"
If the service account is deactivated, run the following command to enable the service account:
gcloud iam service-accounts enable PROJECT_ID-compute@developer.gserviceaccount.com
Replace PROJECT_ID with your project ID.
For more information, see Troubleshoot node registration.
Error 400/403: Missing edit permissions on account
If your service account is deleted, you might see a missing edit permissions error. To learn how to troubleshoot this error, see Error 400/403: Missing edit permissions on account.
What's next
If you need additional assistance, reach out to Cloud Customer Care.