Docs: clarify GCP service accounts. #2761
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
romilbhardwaj
approved these changes
Nov 13, 2023
Comment on lines
99
to
117
| Note: If you encounter "*RemoveError: 'requests' is a dependency of conda and | ||
| cannot be removed from conda's operating environment*" when running :code:`conda | ||
| install -c conda-forge google-cloud-sdk`, try :code:`conda update --force conda` | ||
| first and rerun the command. | ||
|
|
||
| Note: if you encounter *Authorization Error (Error 400: invalid_request)* with the url generated by :code:`gcloud auth login`, try installing the latest version of the `Google Cloud SDK <https://cloud.google.com/sdk/docs/install>`_ (e.g., with :code:`conda install -c conda-forge google-cloud-sdk`) on **your local machine** (which opened the browser) and rerun the command. | ||
| Note: If you encounter "*Authorization Error (Error 400: invalid_request)*" with | ||
| the url generated by :code:`gcloud auth login`, try installing the latest | ||
| version of the `Google Cloud SDK <https://cloud.google.com/sdk/docs/install>`_ | ||
| (e.g., with :code:`conda install -c conda-forge google-cloud-sdk`) on your local | ||
| machine (which opened the browser) and rerun the command. | ||
|
|
||
| .. tip:: | ||
|
|
||
| If you are using multiple GCP projects, list all the projects by :code:`gcloud projects list` and activate one by :code:`gcloud config set project <PROJECT_ID>` (See `GCP docs <https://cloud.google.com/sdk/gcloud/reference/config/set>`_). | ||
| If you are using multiple GCP projects, list all the projects by :code:`gcloud projects list` and activate one by :code:`gcloud config set project <PROJECT_ID>` (see `GCP docs <https://cloud.google.com/sdk/gcloud/reference/config/set>`_). | ||
|
|
||
| To use service account to access GCP for SkyPilot, see :ref:`here<gcp-service-account>` for instructions. | ||
| **Optional**: To use service accounts to access GCP for SkyPilot, see | ||
| :ref:`here<gcp-service-account>` for instructions. A long-lived service account | ||
| on your local machine can avoid the periodic | ||
| "*google.auth.exceptions.RefreshError: Reauthentication is needed.*" error. |
There was a problem hiding this comment.
Should we wrap these into a note box and clearly enumerate the error and suggested fix in bullet points/table? Otherwise these notes are becoming hard to read and easy to miss.
E.g. something like
.. note::
Here some commonly encountered errors and their fix:
* "*RemoveError: 'requests' is a dependency of conda and
cannot be removed from conda's operating environment*" when running :code:`conda
install -c conda-forge google-cloud-sdk` - run :code:`conda update --force conda`
first and rerun the command.
* "*Authorization Error (Error 400: invalid_request)*" with
the url generated by :code:`gcloud auth login` - install the latest
version of the `Google Cloud SDK <https://cloud.google.com/sdk/docs/install>`_
(e.g., with :code:`conda install -c conda-forge google-cloud-sdk`) on your local
machine (which opened the browser) and rerun the command.
* "*google.auth.exceptions.RefreshError: Reauthentication is needed.*" - use a long-lived service account
on your local machine. See :ref:`here<gcp-service-account>` for instructions.
We can additionally include a separate mention of GCP service account support.
There was a problem hiding this comment.
Now put the errors in a dropdown, which I think makes the installation less daunting. Kept the first two bullets only as the last bullet is technically not encountered in installation.
| 2. In the "Service Accounts" tab in the `IAM & Admin console | ||
| <https://console.cloud.google.com/iam-admin/iam>`__, click on the service | ||
| account to go to its detailed page. Click on the **KEYS** tab, then click on | ||
| **ADD KEY** to add a JSON key. The key will be downloaded automatically. |
There was a problem hiding this comment.
While creating the key, I was trying to look for an option to make it "long-lived" (as suggested by the tip above). Turns out service account keys that you create and download from IAM don't have an expiry time and stay valid until you delete them. Might be worth mentioning
There was a problem hiding this comment.
Added a clarification.
Co-authored-by: Romil Bhardwaj <romil.bhardwaj@berkeley.edu>
Co-authored-by: Romil Bhardwaj <romil.bhardwaj@berkeley.edu>
Co-authored-by: Romil Bhardwaj <romil.bhardwaj@berkeley.edu>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The error
has been reported by several users (#2738) for organizations that choose to auto-expire default credentials.
This PR clarifies our docs on how to use GCP service accounts, which avoid this error.
Tested (run the relevant ones):
bash format.shpytest tests/test_smoke.pypytest tests/test_smoke.py::test_fill_in_the_namebash tests/backward_comaptibility_tests.sh