Thanks!

Hi! I need some help in setuping Firebase with Pulumi. It looks like Firebase resources cannot be deployed via normal gcloud authentication. The error message is hinting for using billing/quota_project or service account. Been googling around for this and tried setting quota project explicitly via gcloud but this is not working. I would not want to start using a service account for this if I can avoid it. So, any hints on this would be appreciated! I'm sure this is a solved problem considering Pulumi does have Firebase APIs defined in the first place. The error message I'm getting:

Error when reading or editing FirebaseProject "projects/myproject": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://firebase.googleapis.com|firebase.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check <https://cloud.google.com/apis/docs/system-parameters>.

Hi all! I've been using pulumi for the past year on GCP and came across an issue trying to set up a custom domain mapping by a particular user:

* Error waiting to create DomainMapping: resource is in failed state "Ready:False", message: Caller is not authorized to administer the domain 'api.dev-mgm...'. If you own 'api.dev-mgm...', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: <https://www.google.com/webmasters/verification/verification?domain=api.dev-mgm>... We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify '<http://example.com|example.com>' if you wish to map '<http://subdomain.example.com|subdomain.example.com>').

Is there programmatic way of solving this in pulumi without manually adding the user to google domains?

Dear community I am trying to create an Eventarc Trigger resource configured to have a Cloud Run fully managed service receive events when a file gets finalized in a GCS bucket? Specifically I am getting hung up on the Service Account's IAM permission pertaining to the role "roles/eventarc.events.receiveEvent". Initially I was attempting to create the trigger without a ServiceAccount which resulted in "Error 400: The request was invalid: Triggers with google.cloud.storage.object.v1.finalized type must have a service account specified.". Then upon creating and providing a service account, I encountered the following error: _*"Error 403: Permission "eventarc.events.receiveEvent" denied on "projects/[ORGANIZATION]/serviceAccounts/[SERVICE_ACCOUNT]"*_. And upon then attempting to specify and provide an IAMBinding to the Service Account for the role "roles/eventarc.events.receiveEvent" I get the error "Error 400: Role roles/eventarc.events.receiveEvent is not supported for this resource.". Could anyone please help me out with an example of the service account configuration required? @cold-carpenter-61763, from the issue you were having pertaining to Eventarc Triggers on multiple buckets I think you would have had to provide something like this.

Any help on the matter would be greatly appreciated 🙏

hi there im using 2 SA for google on 2 projects one for bucket creation and one for dns creation how can i tell pulumi to switch between them? The only method i know is using env-var …but this wont work here…Thank you 🙂

having some issues with a number of resources deploying (or attempting to deploy) in the wrong project:

mysql-instance:
    type: gcp:sql:DatabaseInstance
    properties:
      region: us-east4
      databaseVersion: MYSQL_5_7
      settings:
        ipConfiguration:
          authorizedNetworks:
            - value: 0.0.0.0/0
        tier: ${mysqlTier}
      deletionProtection: ${dbProtection}

All resources of that same type have this issue

gcp:sql:DatabaseInstance

I know I can force the project adding that to the resource config, but I shouldn't need to specify it on everything? My pulumi config is set correctly:

config:
  ...
  gcp:project: my-new-proj
  ...

gcloud config list:

[core]
account = <mailto:eph-deployer@old-proj.iam.gserviceaccount.com|eph-deployer@old-proj.iam.gserviceaccount.com>
disable_usage_reporting = True
project = my-new-proj

Your active configuration is: [default]

SA "eph-deployer" is Owner of "my-new-proj" Also in bash env:

GOOGLE_PROJECT=my-new-proj

Hi. Trying to import Firestore into pulumi state but having hard time. Google-native supports Firestore but haven't been able to find one in normal Pulumi GCP module. And to me it looks like google-native resources cannot be imported? All of this is made even harder due to the fact that Firestore cannot be deleted after it has been created and in this case it has been created from UI. And Firestore currently supports only single DB per project so this is now preventing me to let Pulumi to take over and control Firestore configurations

Hi Team, I am getting this error when I am trying to add a member to a google group.

<p>The requested URL <code>/v1beta1/<mailto:ctry-ten-de@circles.asia|ctry-ten-de@circles.asia>/memberships?alt=json</code> was not found on this server.  <ins>That's all we know.</ins>

.

Guys, it would be greatly appreciated if you could assist in resolving above issue.

Hi. I’m having problems trying to use Pulumi to create Google Cloud 2nd gen functions. I’m able to create/manage the function with an event trigger like in the example https://www.pulumi.com/registry/packages/gcp/api-docs/cloudfunctionsv2/function/ However, I’d like to use an http trigger. I know it’s possible to create a 2nd gen function with http trigger because I already did that manually, but cannot find how to reproduce with Pulumi

Hi. I'm getting started using Pulumi with GCP (only have AWS experince so far). I'm not sure whether I should start with

@pulumi/gcp

or

@pulumi/google-native

. How to make the right choice? 🙂

Running into a weird permission issue, I am authenticated with an account that has the Owner permission for the project. I know I can manually create this resource from GCP's console. When I try to run this from pulumi I get a 403. I know for a fact the service account listed exists too. This is the first time I have seen this error actually

* Error creating Job: googleapi: Error 403: The principal (user or service account) lacks IAM permission "iam.serviceAccounts.actAs" for the resource "<mailto:yyyy@xxxx.iam.gserviceaccount.com|yyyy@xxxx.iam.gserviceaccount.com>" (or the resource may not exist).

Hi, I am trying to list all of the projects available in an organization. The docs aren't exactly clear on that. Would the following get an output of each project? I see that it returns an Output<ProjectResult>, but I can't operate on it like in the docs. I need to use .apply to pass functions to work on it. Is this the correct approach? I need the project IDs for adding principals and roles for access from other projects.

ProjectsFunctions.getProject(GetProjectArgs.builder()
            .filter("")
            .build());

Hi, I am new to pulumi. I am using

google-native

and am getting an error when attempting to a create a IAM binding for a dead letter topic. Any help to get past this error would be appreciated. FWIW I've enabled the google IAM api, and am able to create the binding using the gcloud SDK without issues and also create the topic using pulumi. Thank you.

topic_iam_binding_args = pubsub.TopicIamBindingArgs(members=[member], name = dead_letter_topic, role = "roles/pubsub.publisher")
    pubsub.TopicIamBinding(f"topic-iam-binding-dlq-{topic_id}", topic_iam_binding_args)

google-native:pubsub/v1:TopicIamBinding :
    error: error fetching existing IAM Policy: googleapi: Error 501: The service cannot fulfill that request. [code=8606]

Hi. When I create a GKE cluster, a VPC peering connection gets automatically created. However, it doesn't export custom routes by default, and it's required in my setup. Is there a way to manage that setting at cluster creation time?

Hi, when managing a gke cluster, the nodepool is always updated due to version being different, however version is always the same in the config, how can this be fixed?

I’m having an interesting issue using Cloud Run — when I deploy a new revision by updating the image API, pulumi fails because a previous revision has an error, even though the new revision succeeds

Hi, I'm failrly new to Pulumi (and GCP), and I have been following the guide here to set up continuous delivery using Cloud Build to preview and deploy infrastructure changes. This works until I try add a

docker.Image

resource. When I do that I see errors with Docker trying to pull an image (this works locally though) e.g.

docker:image:Image Dockerfile  warning: spawn docker ENOENT
docker:image:Image Dockerfile  ' docker pull <http://eu.gcr.io/data-integrator-dev-367414/api|eu.gcr.io/data-integrator-dev-367414/api>' failed with exit code 1
docker:image:Image Dockerfile  Building image '../../'...
docker:image:Image Dockerfile  error: spawn docker ENOENT
docker:image:Image Dockerfile  ' docker build -f Dockerfile --platform linux/amd64 ../../ -t <http://eu.gcr.io/data-integrator-dev-367414/api:latest|eu.gcr.io/data-integrator-dev-367414/api:latest>' failed with exit code 1
docker:image:Image Dockerfile  error: Error: ' docker build -f Dockerfile --platform linux/amd64 ../../ -t <http://eu.gcr.io/data-integrator-dev-367414/api:latest|eu.gcr.io/data-integrator-dev-367414/api:latest>' failed with exit code 1
docker:image:Image Dockerfile  ' docker build -f Dockerfile --platform linux/amd64 ../../ -t <http://eu.gcr.io/data-integrator-dev-367414/api:latest|eu.gcr.io/data-integrator-dev-367414/api:latest>' failed with exit code -2
docker:image:Image Dockerfile  ' docker pull <http://eu.gcr.io/data-integrator-dev-367414/api|eu.gcr.io/data-integrator-dev-367414/api>' failed with exit code -2

...

Diagnostics:
  docker:image:Image (Dockerfile):
    error: Error: ' docker build -f Dockerfile --platform linux/amd64 ../../ -t <http://eu.gcr.io/data-integrator-dev-367414/api:latest|eu.gcr.io/data-integrator-dev-367414/api:latest>' failed with exit code 1
    
        at /workspace/node_modules/@pulumi/docker.ts:592:15
        at Generator.next (<anonymous>)
        at fulfilled (/workspace/node_modules/@pulumi/docker/docker.js:18:58)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)

    error: spawn docker ENOENT

    warning: spawn docker ENOENT

Has anyone seen this issue before or know what might be causing it?

Hey, I'm getting some errors when trying to create

gcp:datacatalog:Tag

on columns using pulumi. The issue only happens sometimes and it's quite random which columns tags work on and which they don't 😅 One thing that's common for all of them though is that the tags are being successfully created in GCP, I can view them in the console and fetch them using the CLI. The problem is only that pulumi doesn't seem to be able to fetch them and I'm also not able to import them after the fact.

HI I am trying to get ci/cd pipeline running in bitbucket using workload identity federation (oidc). After following the instructions from pulumi I end up with a step like this:

- step:
    name: Update Infrastructure
    oidc: true
    deployment: production
    script:
      - *deps
      - echo $BITBUCKET_STEP_OIDC_TOKEN > /tmp/oidc-token.txt
      - export GOOGLE_CREDENTIALS=credential-config.json
      - pulumi up --yes --cwd ${PULUMI_WORKING_DIRECTORY} -s ${PULUMI_STACK_NAME}

When running this pipeline I get the following error:

Diagnostics:
  gcp:serviceAccount:Account (serviceAccount):
    error: failed to load application credentials.
    To use your default gcloud credentials, run:
    	`gcloud auth application-default login`
    See <https://www.pulumi.com/registry/packages/gcp/installation-configuration/> for details.

Is pulumi supporting oidc workload federated service accounts?

Hi Pulumi Team - I've few queries and any insights will be greatly appreciated. 1.

can we create GKE secrets using pulumi?

2.

can we create secrets in google-secret-manager using pulumi?

3.

can we specify the name for cloudsql instance using pulumi?

Thx.

Hi – We’re trying to use Pulumi to automate Google Cloud Run. Running

pulumi up

hangs for 20 minutes, then results in this version conflict error:

gcp:cloudrun:Service (fut-core-api-staging):
      error: 1 error occurred:
      	* updating urn:pulumi:fut-skills-staging::gcp-skills::gcp:cloudrun/service:Service::fut-core-api-staging: 1 error occurred:
      	* Error updating Service "locations/us-east4/namespaces/fut-skills-staging/services/fut-core-api-staging-d3bb4dc": googleapi: Error 409: Conflict for resource 'fut-core-api-staging-d3bb4dc': version '1669423190235241' was specified but current version is '1669424143299594'.

We tried running

pulumi refresh

then

pulumi up

. This worked one time, but not consistently. Any ideas?

Have created a private GKE stack with Pulumi and typescript, have given the following scopes under oauth (cloud-platform,compute,devstorage, monitoring etc)

The issue I have is that container deploys get stuck in imagepull, failing to pull images. Any particular issue with scope?

Hey, I am receiving an error when trying to deploy this policy:

export const errorOccuredPolicy = new gcp.monitoring.AlertPolicy(
  'some_error_occured',
  {
    combiner: 'OR',
    conditions: [
      {
        conditionThreshold: {
          comparison: 'COMPARISON_GT',
          thresholdValue: 0,
          duration: '60s',
          filter: `
            resource.type="metric" AND
            resource.labels.project_id="my_project_id" AND
            resource.labels.name="<http://logging.googleapis.com/user/MY_USER_DEFINED_METRIC|logging.googleapis.com/user/MY_USER_DEFINED_METRIC>"
          `,
        },
        displayName:
          'an error of some type has occured',
      },
    ],
    displayName: pulumi.interpolate`${stack}: some error occured`,
    notificationChannels: [opsgenieNotificationChannel.id],
  }
);

hi guys, I am using GCP provider with a service account. Instead of setting the

GOOGLE_CREDENTIALS

env variable, I am trying to use gcloud configurations. However, I realised that pulumi is not respecting the active configuration and using default credentials. gcloud configurations looking like this:

➜  ~ gcloud config configurations list
NAME                IS_ACTIVE  ACCOUNT                       
default             False      ...
staging             True       staging..@...<http://iam.gserviceaccount.com|iam.gserviceaccount.com>

and i was expecting pulumi to use staging service account to communicate to the provider. Is it something possible? ps. i disabled the default providers and using NewProvider method.

Is it possible to utilize the

gcp:container:Cluster

deployer with api gateway enabled? I don’t see any reference to it in the API docs. https://cloud.google.com/kubernetes-engine/docs/how-to/deploying-gateways#create-cluster-gateway

Hello Team, Do we have way in pulumi for creating private IP on postgress-GCP?

I hate to whine too much but https://github.com/pulumi/pulumi-gcp/issues/680 was closed by @broad-dog-22463 in the summer and it is still very much broken. I see he is no longer at the Pulumi, but could this get some eyes on it sometimes soon? GCP Instance Templates are very broken in Pulumi and totally unusable.