
Comments (8)

maybellineboon avatar maybellineboon commented on May 24, 2024

Hi @yanghuang1028 ,

Thanks for reaching out. Just to check, did you use the terraform script when deploying your aggregation service deploy and worker?

You will need to run this when creating/updating your worker so that they are provided with the appropriate access. You can update the section below in the <repository>/terraform/gcp/environments/adtech_setup folder with file adtech_setup.auto.tfvars.

# [1] Uncomment below lines if you like Terraform grant needed permissions to
# pre-existing service accounts
# deploy_service_account_email = "<YourDeployServiceAccountName>@<ProjectID>.iam.gserviceaccount.com"
# worker_service_account_email = "<YourWorkerServiceAccountName>@<ProjectID>.iam.gserviceaccount.com"

from trusted-execution-aggregation-service.

yanghuang1028 avatar yanghuang1028 commented on May 24, 2024

Hi maybellineboon,
I did use the terraform script to update my deploy & worker accounts. But our situation is a bit complex. Due to safety, our company does not allow our project to create a service account (but Terraform needs to create a frontend account), so we have to use a global project (microsites-sa; it's owned by our company's GCP team) to create a frontend account in advance for the terraform script to use.

As a result, I changed the main.tf of the path "terraform/gcp/modules/frontend" so that terraform can run properly. I don't know if this change caused this problem.

our project_id: ecs-1709881683838

our service accounts: [screenshot]

Here are my changes in "terraform/gcp/modules/frontend/main.tf"
click to see the pr details: [three screenshots]

If convenient, please help to look at this! I've been stuck at this step for a long time...

Thanks anyway!!


hostirosti avatar hostirosti commented on May 24, 2024

Hi @yanghuang1028,

It looks like you're running into the issue described here: https://stackoverflow.com/questions/68579808/how-to-solve-error-creating-service-googleapi-error-403-permission-iam-servi

The service account / user you use to run terraform needs permission to actAs the service account attached to the Cloud Run Service, so you need to give the service account / user you use to run terraform the ServiceAccountUser permission.


yanghuang1028 avatar yanghuang1028 commented on May 24, 2024

Hi @maybellineboon @hostirosti ,

I used the service account "[email protected]" to run the terraform script, and actually the service accounts I used all have the ServiceAccountUser permission. However, it still threw the Permission 'iam.serviceaccounts.actAs' error, which is a bit weird...
[two screenshots]


hostirosti avatar hostirosti commented on May 24, 2024

Hi @yanghuang1028,

Can you try to grant that permission for [email protected] directly on the 2 service accounts (worker-sa-aggregation-service@microsites-sa.iam.gserviceaccount.com and [email protected])? You find the permission tab on the service account details page itself: [screenshot]
There you can grant access to specific principals: [screenshot]

I also noticed your gcloud config points to a different project (ecs-1709881683838). Is that intended?
You can update this with gcloud config set project microsites-sa


yanghuang1028 avatar yanghuang1028 commented on May 24, 2024

Hi @hostirosti ,
Because our company eBay.inc does not allow us to change account permissions ourselves, I asked our own GCP team to grant that permission again. But it still does not work for me...

ecs-1709881683838 is our exact project id, while "microsites-sa" is a public project under which all service accounts in our company are created, for easy management.


hostirosti avatar hostirosti commented on May 24, 2024

Hi @yanghuang1028, you can ask for a consultation meeting through your partner manager contact on Google side. They'll schedule one.

To my knowledge, the service accounts used as part of the deployment need to be created in the project you deploy the aggregation service to. I did some non-extensive testing in this area in the past and was unsuccessful in using a service account created in a different project in some parts of the aggregation service (notably the worker service account, and I assume the same for the frontend service account used by Cloud Run).

It looks like the way your company likes to organize / manage service accounts is not supported by GCP for running the aggregation service.

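Added example (not code from the aggregation service project or from anyone in this thread): a small Python check that reads the JSON returned by `gcloud iam service-accounts get-iam-policy <SA> --format=json` and reports the two conditions raised in this thread, namely the deployer principal holding no actAs-granting role on the service account, and the service account living in a different project than the deployment. The principal names, project IDs and the sample policy are constructed, and the set of roles that carry `iam.serviceAccounts.actAs` is an assumption to extend for custom roles.

```python
import json
import re

# Roles whose permission set includes iam.serviceAccounts.actAs.
# Assumption: extend this set if your org uses custom roles that also grant actAs.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/owner", "roles/editor"}

# Standard GCP service-account address: <name>@<project-id>.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(r"^[^@]+@([^.]+)\.iam\.gserviceaccount\.com$")


def sa_project(sa_email):
    """Project ID encoded in a service-account email, or None if not a GCP SA address."""
    m = SA_EMAIL_RE.match(sa_email)
    return m.group(1) if m else None


def can_act_as(policy, principal):
    """True if `principal` (e.g. 'serviceAccount:deployer@proj.iam.gserviceaccount.com')
    holds a role on this SA's own IAM policy that carries iam.serviceAccounts.actAs."""
    for binding in policy.get("bindings", []):
        if binding.get("role") in ACT_AS_ROLES and principal in binding.get("members", []):
            return True
    return False


def check_deploy(sa_email, policy, principal, deploy_project):
    """Return findings explaining why `terraform apply` could fail with
    'Permission iam.serviceAccounts.actAs denied' for this service account."""
    findings = []
    if not can_act_as(policy, principal):
        findings.append(f"{principal} lacks an actAs-granting role on {sa_email}")
    proj = sa_project(sa_email)
    if proj != deploy_project:
        findings.append(f"{sa_email} lives in project {proj!r}, not deploy project {deploy_project!r}")
    return findings


# Constructed sample in the JSON shape of `gcloud iam service-accounts get-iam-policy`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX-constructed", "version": 1
}""")

if __name__ == "__main__":
    # The deployer can actAs the SA, but the SA sits in a central project: one finding.
    for f in check_deploy("worker-sa@central-sa-project.iam.gserviceaccount.com", SAMPLE_POLICY,
                          "serviceAccount:deployer@example-project.iam.gserviceaccount.com",
                          "example-project"):
        print("FINDING:", f)
```

Granting `roles/iam.serviceAccountUser` on the individual service account, as suggested above, is the least-privilege form; a project-wide grant lets the deployer impersonate every service account in the project.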

yanghuang1028 avatar yanghuang1028 commented on May 24, 2024

Hi @hostirosti,

Okay, thanks a lot!!

I'll contact our partner manager to discuss this. Really, thanks!!
