-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracing permissions issues when service_account_key specified #688
Comments
Adding --non_gcp flag helped. |
Currently, flag My suggestion is to setup GKE workload identify correctly and not to use flag Here is the steps on how to set it up The flag |
Thank you for clarification. |
The flag For example, you need to provide --tracing_project_id for CloudESF to send the trace to that project. For tracing, it is the only place using this flag. The flag I think underneath it is using grpc client, If you set environment variable APPLICATION_DEFAULT_CREDENTIAL to your key path, it will use it:
|
Ah yes, you are correct. |
Cool, I believe it is the GOOGLE_APPLICATION_CREDENTIALS that make it work, not the flag |
Just an observation: when --non_gcp flag is set together with --tracing_project_id, a trace property is not added to the log item (trace property is the one which is described here #431) |
@nareddyt do you know? |
I guess we could use |
You are correct @TheSpy. It is because we have two separate project IDs - tracing project ID and deployment project ID. Trace property is filled into access log here:
We make use of the deployment project ID, which we retrieve from metadata server:
We never propagate |
We should send |
I've got this same issue myself, but using ESPv2 with Cloud Run. Latest image I'm using is I deploy via |
Hi @lvl99 , what flags are you passing to ESPv2 on Cloud Run? ESPv2 should auto-detect the service account you specified in
Can you double check this? BTW you should grant a role to the service account, not a permission. Did you grant the Cloud Trace Agent role? |
One more question: Is the service account above from the same project that you deploy ESPv2 to? Or is the service account from a different project? |
Thanks for your reply @nareddyt I've created a custom role which has assigned the permission All roles and service accounts are within the same project as the Cloud Run instance as well. The flags I use to pass to ESPv2 are:
That's about it. I'll try working in |
Thanks for the info. That is very odd, as far as I can tell, everything is set up correctly. This is the first time I've seen permission issues for Cloud Trace. To debug this further, can you deploy with Unfortunately other than the logs, I can't think of other ways to debug this. |
Hello,
I am having issues in GKE environment with workload identity enabled.
image: gcr.io/endpoints-release/endpoints-runtime:2.34.0
I am using a provided service account through --service_account_key parameter which has owner permissions in a project
Endpoints reporting works fine however tracing keeps throwing errors
BatchWriteSpans failed (1 spans, 769 bytes): PERMISSION_DENIED: The caller does not have permission
I have tried querying metadata server and it lists workload identity service accounts
Seems like reporting works through specified service account, however tracing use workload identity. Is that an expected behavior?
My expectation is: when a service account key is defined, both endpoints reporting and tracing works through the same specified service account.
The text was updated successfully, but these errors were encountered: