Solved: Unable to delete compute instance

rajeevranjan-1

Need help !! Please refer to error message below.

I am unable to delete instance-20240320-201528. I guess it got created while I was trying to pass on the SSH key and enter the wrong user name by mistake.

Please suggest how to delete this instance. I tried deleting it but got the message ( Failed to delete instance-20240320-201528: Required Current principal doesn't have permission to mutate this resource!' permission)

My trial period is coming to an end and I want to make sure that I clean everything. Appreciate your help.

Editing VM instance "instance-20240320-201528" failed. Error: Required 'Current principal doesn't have permission to mutate this resource!' permission for 'instance-20240320-201528'

rajeevranjan-1

I tried giving the permission through service account.. Do you recommend the command that I can use to assign permission to user q22024.gcpaws@gmail.com". What all role does it need.?

View solution in original post

DamianS

Hello @rajeevranjan-1 ,Welcome on Google Cloud Community.
It looks like this VM has been created for Vertex AI. So following error, it means that you or ServiceAccount does not have permissions to remove this VM.
Please try to assign for your Service Account associated with this instance :

Vertex AI Service Agent IAM role / (roles/aiplatform.serviceAgent)

or

AI Platform Notebooks Service Agent / (roles/notebooks.serviceAgent)

If this VM wasn't created for Vertex AI, please ensure that you and your ServiceAccount attached to your VM have IAM permissions:

* Compute Admin / (roles/compute.admin)

Info how to grant IAM permissions:

https://cloud.google.com/compute/docs/access/managing-access-to-resources#console

--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

rajeevranjan-1

Hi ,

Thanks for the quick response.I tried all the possibilities you mentioned. but I end up getting the same ERROR message "Required Current principal doesn't have permission to mutate this resource!' permission) "

please find the attached screenshot , I have tried assigning the roles you suggested. Screenshot 2024-04-30 at 11.35.34 AM.png

DamianS

@rajeevranjan-1

Are you able to paste logs from Logs Explorer for this resource and error ?
--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost

rajeevranjan-1

Sure , here you go

ERROR 2024-05-01T08:33:33.055697Z [protoPayload.serviceName: compute.googleapis.com] [protoPayload.methodName: v1.compute.instances.delete] [protoPayload.resourceName: projects/aqueous-thought-417603/zones/us-central1-a/instances/instance-20240320-201528] [protoPayload.authenticationInfo.principalEmail: q22024.gcpaws@gmail.com] Required 'Current principal doesn't have permission to mutate this resource!' permission for 'instance-20240320-201528'
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 7,
"message": "Required 'Current principal doesn't have permission to mutate this resource!' permission for 'instance-20240320-201528'"
},
"authenticationInfo": {
"principalEmail": "q22024.gcpaws@gmail.com"
},
"requestMetadata": {
"callerIp": "70.190.152.20",
"callerSuppliedUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe)",
"requestAttributes": {
"time": "2024-05-01T08:33:33.424109Z",
"reason": "8uSywAYQGg5Db2xpc2V1bSBGbG93cw",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.delete",
"authorizationInfo": [
{
"resource": "projects/aqueous-thought-417603/zones/us-central1-a/instances/instance-20240320-201528",
"permission": "compute.instances.delete",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/aqueous-thought-417603/zones/us-central1-a/instances/instance-20240320-201528",
"type": "compute.instances"
},
"permissionType": "ADMIN_WRITE"
}
],
"resourceName": "projects/aqueous-thought-417603/zones/us-central1-a/instances/instance-20240320-201528",
"request": {
"@type": "type.googleapis.com/compute.instances.delete"
},
"response": {
"error": {
"message": "Required 'Current principal doesn't have permission to mutate this resource!' permission for 'instance-20240320-201528'",
"errors": [
{
"domain": "global",
"message": "Required 'Current principal doesn't have permission to mutate this resource!' permission for 'instance-20240320-201528'",
"reason": "forbidden"
}
],
"code": 403
},
"@type": "type.googleapis.com/error"
},
"resourceLocation": {
"currentLocations": [
"us-central1-a"
]
}
},
"insertId": "-777dyle11rs4",
"resource": {
"type": "gce_instance",
"labels": {
"project_id": "aqueous-thought-417603",
"instance_id": "6780537612904306866",
"zone": "us-central1-a"
}
},
"timestamp": "2024-05-01T08:33:33.055697Z",
"severity": "ERROR",
"labels": {
"compute.googleapis.com/root_trigger_id": "738d7936-0329-49d8-938e-195f1a178227"
},
"logName": "projects/aqueous-thought-417603/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2024-05-01T08:33:33.970621219Z"
}

DamianS

@rajeevranjan-1

It looks like this user "q22024.gcpaws@gmail.com" does not have proper permissions to delete instances.

rajeevranjan-1

I tried giving the permission through service account.. Do you recommend the command that I can use to assign permission to user q22024.gcpaws@gmail.com". What all role does it need.?

rajeevranjan-1

Thanks Damian, I am able to resolve the issue.

DamianS

Fantastic. What you've did to resolve this issue ?