I encounter the following warning:

WARNING: You do not appear to have access to project [$PROJECT] or it does not exist.

after running the following commands locally:

1. Activate and set a service account:

   gcloud auth activate-service-account \
   $SERVICE_ACCOUNT \
   --key-file=key.json
   
   #=>
   
   Activated service account credentials for: [$SERVICE_ACCOUNT]
   

2. Select $PROJECT as the above service account:

   gcloud config set project $PROJECT
   
   #=>
   
   Updated property [core/project].
   WARNING: You do not appear to have access to project [$PROJECT] or it does not exist.
   

My own GCP account is associated with the following roles:

• App Engine Admin
• Cloud Build Editor
• Cloud Scheduler Admin
• Storage Object Creator
• Storage Object Viewer

Why is this service account unable to set $PROJECT? Is there a role or permission I am missing?

I believe this is an erroneous warning message. I see the same warning message on my service account despite the fact that the account has permissions on my GCP project and can successfully perform necessary actions.

You might be seeing this error due to an unrelated problem. In my case, I was trying to deploy to AppEngine from a continuous integration environment (Circle CI), but I hadn't enabled the App Engine Admin API. Once I enabled the API, I was able to deploy successfully.

The solution to this issue might be to enable the Cloud Resource Manager API in your Google Cloud Console here by clicking enable.

I encountered this error when I started out with Google CLoud Platform.

The issue was that I configured/set a non-existing project (my-kube-project) as my default project using the command below:

gcloud config set project my-kube-project

Here's how I solved it:

I had to list my existing projects first:

gcloud projects list

And then I copied the ID of the project that I wanted, and ran the command again this time:

gcloud config set project gold-magpie-258213

And it worked fine.

Note: You cannot change the ID of a project's ID or Number,you can only change the Name.

That's all.

I hope this helps

I believe this is an erroneous warning message. I see the same warning message on my service account despite the fact that the account has permissions on my GCP project and can successfully perform necessary actions.

You might be seeing this error due to an unrelated problem. In my case, I was trying to deploy to AppEngine from a continuous integration environment (Circle CI), but I hadn't enabled the App Engine Admin API. Once I enabled the API, I was able to deploy successfully.

I was encountering the same error when trying to deploy an app to Google App Engine via a service account configured in CircleCI and resolved it by having the following roles (permissions) attached to my service role:

• App Engine Deployer
• App Engine Service Admin
• Cloud Build Editor
• Storage Object Creator
• Storage Object Viewer

I also had the App Engine Admin API enabled, but not the Cloud Resource Manager API.

The

WARNING: You do not appear to have access to project [$PROJECT_ID] or it does not exist.

warning will appear if there isn't at least one role granted to the service account that contains the resourcemanager.projects.get permission.

In other words, the warning will appear if the result of the following commands is blank:

1. Gather all roles for a given $SERVICE_ACCOUNT (this works for any account, not just service accounts):

   gcloud projects get-iam-policy $PROJECT_ID \
   --flatten='bindings[].members' \
   --format='table(bindings.role)' \
   --filter="bindings.members:${SERVICE_ACCOUNT}"
   
   
   #=>
   
   ROLE
   . . .
   

2. For each $ROLE gathered above, either:

   gcloud iam roles describe $ROLE \
   --flatten='includedPermissions' \
   --format='value(includedPermissions)' \
   --project=$PROJECT_ID | grep \
   --regexp '^resourcemanager.projects.get$'
   

   if the $ROLE is a custom (projects/$PROJECT_ID/roles/$ROLE), or:

   gcloud iam roles describe roles/$ROLE \
   --flatten='includedPermissions' \
   --format='value(includedPermissions)' | grep \
   --regexp '^resourcemanager.projects.get$'
   

   if the $ROLE is a curated (roles/$ROLE).

Note: the difference between gcloud command formatting for custom and curated roles is what makes listing all permissions associated with all roles associated with a single account difficult.

If you have confirmed that none of the roles associated with a service account contain the resourcemanager.projects.get permission, then either:

• Update at least one of the custom roles associated with the service account with the resourcemanager.projects.get permission:

  gcloud iam roles update $ROLE \
  --add-permissions=resourcemanager.projects.get \
  --project=$PROJECT_ID
  
  #=>
  
  description: $ROLE_DESCRIPTION
  etag: . . .
  includedPermissions:
  . . .
  - resourcemanager.projects.get
  . . .
  name: projects/$PROJECT_ID/roles/$ROLE
  stage: . . .
  title: $ROLE_TITLE
  

  Warning: make sure to use the --add-permissions flag here when updating, as the --permissions flag will remove any other permissions the custom role used to have.

• Create a custom role:

  gcloud iam roles create $ROLE \
  --description="$ROLE_DESCRIPTION" \
  --permissions=resourcemanager.projects.get \
  --project=$PROJECT_ID \
  --title='$ROLE_TITLE'
  
  #=>
  
  Created role [$ROLE].
  description: $ROLE_DESCRIPTION
  etag: . . .
  includedPermissions:
  - resourcemanager.projects.get
  name: projects/$PROJECT_ID/roles/$ROLE
  stage: . . .
  title: $ROLE_TITLE
  

  and associate it with the service account:

  gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member=serviceAccount:$SERVICE_ACCOUNT \
  --role=projects/$PROJECT_ID/roles/$ROLE
  
  #=>
  
  Updated IAM policy for project [$PROJECT_ID].
  auditConfigs:
  . . .
  

• Associate the service account with a curated role that already contains the resourcemanager.projects.get permission, which has been discussed above.

  If you want to know which curated roles already contain the resourcemanager.projects.get permission and don't want to craft a complex shell loop, it might be easier to go here and filter all roles by Permission:resourcemanager.projects.get.

Note: if you are running into issues, be sure to read the requirements for granting access to resources here.

In my case, I received this error because I entered the project's name (e.g. sample-app) after gcloud config set project rather than the project's ID. These may be the same in some cases, but if you use a generic name (like sample-app), Google will probably assign some extra numbers to the name (e.g. sample-app-398022).

(To find your project's ID, go to https://console.cloud.google.com/welcome and select your project within the top dropdown menu. You'll then be taken to a 'Welcome' page that shows your project's name (e.g. sample-app) and its ID (e.g. sample-app-398021). The ID will also be shown below the project name when you first creating your project.)

I suggest you use a role that contains compute.projects.list. The "viewer" kinds of roles are useful here or you can create a custom role tailored to your specific needs.