Search code examples
dockerdocker-machinegoogle-compute-engine

Docker-Machine do not work with Google Cloud service account

I Create a google compute instance with service account

gcloud --project my-proj compute instances create test1 \
--image-family "debian-9" --image-project "debian-cloud" \
--machine-type "g1-small" --network "default" --maintenance-policy "MIGRATE" \
--service-account "gke-build-robot@myproj-184015.iam.gserviceaccount.com" \
--scopes "https://www.googleapis.com/auth/cloud-platform" \
--tags "gitlab-runner" \
--boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "$RESOURCE_NAME" \
--metadata register_token=mytoken,config_bucket=gitlab_config,runner_name=test1,gitlab_uri=myuri,runner_tags=backend \
--metadata-from-file "startup-script=startup-scripts/prepare-runner.sh"

Log to instance though ssh: gcloud compute --project "myproj" ssh --zone "europe-west1-b" "gitlab-shared-runner-pool"

After install and configure docker machine. i try create instance:

     docker-machine create --driver google --google-project myproj test2
    Running pre-create checks...
    (test2) Check that the project exists
    (test2) Check if the instance already exists
    Creating machine...
    (test2) Generating SSH Key
    (test2) Creating host...
    (test2) Opening firewall ports
    (test2) Creating instance
    (test2) Waiting for Instance
Error creating machine: Error in driver during machine creation: Operation error: {EXTERNAL_RESOURCE_NOT_FOUND  The resource '1045904521672-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found. []}

1045904521672-compute@developer.gserviceaccount.com is my default account. I don;t understand why it used. Because activated is gke-build-robot@myproj-184015.iam.gserviceaccount.com

gcloud config list
[core]
account = gke-build-robot@myproj-184015.iam.gserviceaccount.com
disable_usage_reporting = True
project = novaposhta-184015
Your active configuration is: [default]

 gcloud auth list
                      Credentialed Accounts
ACTIVE  ACCOUNT
*       gke-build-robot@myproj-184015.iam.gserviceaccount.com

Can some one explain me, what i do wrong?

Solution

  • There was double problem.

    • First of all, docker-machine can't work with specific service account, at least in 0.12 and 0.13 version.
    • Docker+Machine google driver have only scope parameter and can't get specific one.
      So Instance where docker+machine was installed is work fine with specified sa. But instance that was created with docker+machine, must have default service account.
      And when during debug, I turn off it.
      I've got this error as a result.