[PERMISSIONS_ERROR]: Required ‘compute.instanceGroups.update’ permission for PROJECT
Encountering a [PERMISSIONS_ERROR] while trying to modify a Google Kubernetes Engine (GKE) Instance Group, even when you possess the compute.instanceGroups.update
permission, can be frustrating. This error indicates that the operation failed due to insufficient permissions for the user or service account attempting the update. Resolving this issue requires checking the necessary permissions and adjusting the service account accordingly.
Error Message:
message: "\n\t(1) Google Compute Engine: Not all instances running in IGM after 19.841247345s. Expected 1, running 0, transitioning 1. Current errors: [PERMISSIONS_ERROR]: Required 'compute.instanceGroups.update' permission for 'projects/<PROJECT_ID>/zones/<ZONE>/instanceGroups/<INSTANCE_GROUP>'\n\t(2) Google Compute Engine: Not all instances running in IGM after 19.972030316s. Expected 1, running 0, transitioning 1.
Follow these steps to resolve the [PERMISSIONS_ERROR]:
- Sign in to Google Cloud Console: Ensure you are logged in to the Google Cloud Console using the appropriate credentials.
- Navigate to Compute Engine > Instance groups: Go to the Google Cloud Console dashboard and locate the “Compute Engine” section. Click on “Instance groups” from the menu.
- Identify the Problematic Instance Group: From the list of instance groups, find the one you’re trying to update and click on its name to access the details.
- Equivalent REST Link: Scroll down to the bottom of the Instance Group details page. Click on the “EQUIVALENT REST” link. This will provide more information about the instance group configuration, including the service account.
- Check the Service Account Permissions: In the REST representation, look for the value of serviceAccount. Ensure that this service account has the required compute.instanceGroups.update permission to modify the instance group.
- Default Service Account: By default, GKE instance groups use the service account with the format PROJECT_ID@cloudservices.gserviceaccount.com. Confirm that this default service account is assigned the Editor role, which should typically include the necessary permissions.
- Additional Roles (if needed): If granting the Editor role to the default service account doesn’t resolve the issue, you can add the following roles to the default service account:
roles/compute.instanceAdmin.v1
roles/compute.networkUser
roles/compute.imageUser
gcloud projects add-iam-policy-binding PROJECT \
--member="serviceAccount:PROJECT_ID@cloudservices.gserviceaccount.com" \
--role="roles/compute.instanceAdmin.v1"
gcloud projects add-iam-policy-binding PROJECT \
--member="serviceAccount:PROJECT_ID@cloudservices.gserviceaccount.com" \
--role="roles/compute.networkUser"
gcloud projects add-iam-policy-binding PROJECT \
--member="serviceAccount:PROJECT_ID@cloudservices.gserviceaccount.com" \
--role="roles/compute.imageUser"
Cause
The error occurs when the service account associated with the GKE instance group lacks the required permissions to perform the update. By default, newly created GKE instance groups use the Google APIs Service Agent with the format PROJECT_ID@cloudservices.gserviceaccount.com, which is granted the Editor role. However, in some cases, additional roles may be necessary depending on the operations being performed on the instance group.
By following the above steps, you can identify and rectify any permissions issues, ensuring a smooth update process for your GKE Instance Group.