Comments
ba...@google.com <ba...@google.com>
sa...@google.com <sa...@google.com> #2
Hello,
Thank you for reaching out to us with your request.
We have duly noted your feedback and will thoroughly validate it. While we cannot provide an estimated time of implementation or guarantee the fulfillment of the issue, please be assured that your input is highly valued. Your feedback enables us to enhance our products and services.
We appreciate your continued trust and support in improving our Google Cloud Platform products. In case you want to report a new issue, please do not hesitate to create a new issue on the
Once again, we sincerely appreciate your valuable feedback. Thank you for your understanding and collaboration.
Thanks & Regards,
Ashalatha
Google Cloud Support
Description
The customer is experiencing VPC SC Exceptions without changing the relevant perimeter configuration. The ingress violation is referencing a resource permission that they have never seen, and seem to be unable to whitelist, called "vpcsc.permissions.unavailable".
Work done:
We informed the customer that, based on the provided logs, I observed that the "principal Email" "le...i@sw...m" is attempting to authenticate "google.iam.admin.v1.IAM.ListServiceAccounts" for the project . So you are encountering an error stating "NO_MATCHING_ACCESS_LEVEL."
Upon review, I noticed that the customer has restricted the project with the "
In order to allow the user “le...i@sw...m”, you can create an ingress rule with the From attributes you can select below:
Identity: Identities & Groups
User: Select the email ID of the user you want to allow access to
Source: All Sources
For To attributes, you should specify the following:
Projects: Select the project you want to allow access to
Services: Select the services you want to allow access to
Methods: Select all methods and create
For more information please follow the document [1]
[1]
Question to be answered.
[1] Customer is concerned that the error logs are showing the information "vpc.permissions.unavailable", is unable to troubleshoot further, and is asking for information about the ingress violation. Why is the method or service not mentioned in the ingress violation, leaving the customer unable to troubleshoot further? Could you please find me any public documentation, if there is any, with information related to vpc.permissions.unavailable?
"targetResourcePermissions": [
  "vpcsc.permissions.unavailable"
]
[2] I have attached a reference bug which has already been raised regarding the same issue, so I’m raising a PIT to share with this customer for reference.
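The triage described in this report, as an added example that is not part of the original thread or Google's own tooling: it reads one VPC SC denial entry, flags the `vpcsc.permissions.unavailable` value, and falls back to the entry's service and method to build the ingress rule with the From/To attributes listed above. The log field layout (apart from `targetResourcePermissions`), the sample values and the function names are assumptions.

```python
import json

# Constructed sample entry (not from the page), shaped like a VPC SC denial in
# Cloud Audit Logs. The e-mail address and project number are placeholders.
SAMPLE_ENTRY = json.loads("""
{"protoPayload": {
  "authenticationInfo": {"principalEmail": "user@example.com"},
  "serviceName": "iam.googleapis.com",
  "methodName": "google.iam.admin.v1.IAM.ListServiceAccounts",
  "metadata": {
    "violationReason": "NO_MATCHING_ACCESS_LEVEL",
    "ingressViolations": [{
      "targetResource": "projects/000000000000",
      "targetResourcePermissions": ["vpcsc.permissions.unavailable"]}]}}}
""")

PLACEHOLDER = "vpcsc.permissions.unavailable"

def summarize(entry):
    """Pull the fields needed to write an ingress rule out of one log entry."""
    p = entry.get("protoPayload", {})
    meta = p.get("metadata", {})
    violations = meta.get("ingressViolations", [])
    perms = {x for v in violations for x in v.get("targetResourcePermissions", [])}
    return {
        "principal": p.get("authenticationInfo", {}).get("principalEmail"),
        "service": p.get("serviceName"),
        "method": p.get("methodName"),
        "reason": meta.get("violationReason"),
        "resources": sorted({v["targetResource"] for v in violations if "targetResource" in v}),
        # True when the violation names no usable permission: rely on service/method.
        "permission_unavailable": PLACEHOLDER in perms,
    }

def ingress_rule(s):
    """Ingress rule with the From/To attributes listed in the description."""
    return {
        "ingressFrom": {"identities": ["user:" + s["principal"]],
                        "sources": [{"accessLevel": "*"}]},  # Source: All Sources
        "ingressTo": {"resources": s["resources"],
                      "operations": [{"serviceName": s["service"],
                                      "methodSelectors": [{"method": "*"}]}]},  # all methods
    }

if __name__ == "__main__":
    summary = summarize(SAMPLE_ENTRY)
    print(json.dumps(summary, indent=2))
    print(json.dumps([ingress_rule(summary)], indent=2))
```

The printed rule list has the shape of an ingress policy file that `gcloud access-context-manager perimeters update --set-ingress-policies` accepts as YAML.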