stackdriver, google-cloud-debugger

Use GCP debugger but got permission error


I added @google-cloud/debug-agent to my Node.js project, which is deployed on GKE.
But I got an error:

restify listening to http://[::]:80
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission
@google-cloud/debug-agent Failed to re-register debuggee nodejs-bot: Error: The caller does not have permission

I have checked that my GKE has the debug permission. I don't know why the service didn't have permission.


Here is the code I define in my index.ts:

import * as tracer from '@google-cloud/trace-agent';
tracer.start();
import * as debug from '@google-cloud/debug-agent';
debug.start();

Solution

  • I found the issue is caused by workload identity, so I just closed this feature to fix this issue.

    Because I chose to launch the workload identity feature, every pod which needs to connect to a GCP service will need a service account created for it. Otherwise, the permission will be blocked.

    https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
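
The per-pod service account the answer mentions can be set up while Workload Identity stays enabled. The script below is an added example, not part of the original post: it prints, without executing, the gcloud and kubectl commands that bind a Kubernetes service account to a Google service account holding only the debugger and trace agent roles. The project, namespace and account names are placeholders.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands that give one pod identity
# the agent roles under Workload Identity. All names passed in are placeholders.

# Email address of a Google service account (GSA) in a project.
gsa_email() { # <project> <gsa-name>
  printf '%s@%s.iam.gserviceaccount.com' "$2" "$1"
}

# IAM member string naming a Kubernetes service account (KSA) in the
# project's workload identity pool.
wi_member() { # <project> <namespace> <ksa-name>
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Accept only lowercase letters, digits and hyphens, so the printed commands
# are safe to paste into a shell.
valid_name() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

wi_plan() { # <project> <namespace> <ksa-name> <gsa-name>
  [ "$#" -eq 4 ] || { echo "usage: wi_plan PROJECT NAMESPACE KSA GSA" >&2; return 1; }
  for v in "$@"; do
    valid_name "$v" || { echo "invalid name: $v" >&2; return 1; }
  done
  gsa=$(gsa_email "$1" "$4")
  echo "gcloud iam service-accounts create $4 --project $1"
  # Agent roles for the two agents started in the question's index.ts.
  for role in roles/clouddebugger.agent roles/cloudtrace.agent; do
    echo "gcloud projects add-iam-policy-binding $1 --member 'serviceAccount:$gsa' --role $role"
  done
  # Allow the KSA, and only that KSA, to act as the GSA.
  echo "gcloud iam service-accounts add-iam-policy-binding $gsa --project $1 --role roles/iam.workloadIdentityUser --member '$(wi_member "$1" "$2" "$3")'"
  echo "kubectl create serviceaccount $3 --namespace $2"
  echo "kubectl annotate serviceaccount $3 --namespace $2 iam.gke.io/gcp-service-account=$gsa"
}

# Constructed sample values; replace with your own before use.
wi_plan my-project default nodejs-bot debug-agent
```

The pod spec must also set `serviceAccountName` to the Kubernetes service account named here, otherwise the pod keeps running as the namespace's default account and the agents still fail to register.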