Private Service Access error code and message

  • 24 February 2022
  • 5 replies

Does anybody know where I can find the error code and error message explanation on this error while trying to create ServiceAttachment in regards to Private Service Connect?


ServiceAttachment definition:


kind: ServiceAttachment
metadata:
 name: emoji-sa
 namespace: psc-producer
spec:
 connectionPreference: ACCEPT_AUTOMATIC
 natSubnets:
 - my-cluster-us-west1
 proxyProtocol: false
 resourceRef:
   kind: Service
   name: gke-l4-psc



Error message:


  Type     Reason                          Age                 From                     Message
  ----     ------                          ----                ----                     -------
  Warning  ProcessServiceAttachmentFailed  31s (x21 over 25m)  loadbalancer-controller  error processing service attachment "psc-producer/emoji-sa": "failed to create GCE Service Attachment: googleapi: Error 412: CONDITION_NOT_MET - Subnet resource_type: SUBNETWORK\nresource_name: \"my-cluster-us-west1\"\nproject {\n  canonical_project_id: my-project-id\n}\nscope {\n  scope_type: REGION\n  scope_name: \"us-west1\"\n}\n does not have the purpose PRIVATE_SERVICE_CONNECT"



my-cluster-us-west1 subnet is Private Google Access enabled.


It looks like the subnet you are using for PSC does not have its purpose set correctly. Take a look at this page for some guidance on configuration:


Hi @lrpurba 

Have you checked @alexmoore’s answer? Does it help you?

Hi @ilias , and @alexmoore ,


I have read that doc, but I still have a few questions, aka confused :grinning:.


Let's say I have an existing GCP project with GKE configured and it has an existing subnet. If I want to use PSC:

  • Do I have to create a new subnet?
  • If the answer above is No, can I use an existing subnet that is already working in that existing cluster?
  • If the answer is Yes, why can’t I use an existing subnet?

Hi @lrpurba 

So this page might provide some more details on these points:


Ultimately the subnet needs to be dedicated to use by PSC, so it cannot be a subnet that you are already using for other services.  Also even if you are using a global external HTTP(S) load balancer, the subnet is still required - see bullet three on that link above.

As of right now you can only set the purpose to “PRIVATE_SERVICE_CONNECT” on subnet creation - which given that the subnet is required to be dedicated simply means if you do want to re-use/re-purpose an existing subnet, you would need to delete it first then recreate it with the correct purpose set.  I assume as another mechanism to ensure that this is a subnet that is dedicated for this use.

Hope that helps, certainly if you have further questions, fire away.
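
A preflight check for the point made in the answer above, as an added example that is not part of the thread or of Google's documentation: it reads each subnet's purpose with gcloud before the ServiceAttachment is applied, and shows the creation call where the purpose has to be set. The function names are hypothetical, and the new subnet's name, network and range are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example: verify that every subnet listed under natSubnets is a
# dedicated PSC subnet. Function names are hypothetical helpers.

# Print the purpose field of a subnet; empty output if the lookup fails.
subnet_purpose() {
  gcloud compute networks subnets describe "$1" --region "$2" \
    --format='value(purpose)' 2>/dev/null
}

# Return 0 if the subnet has purpose PRIVATE_SERVICE_CONNECT,
# 1 if it has another purpose, 2 if it could not be read.
check_psc_subnet() {
  local name="$1" region="$2" purpose
  purpose="$(subnet_purpose "$name" "$region")" || purpose=""
  case "$purpose" in
    PRIVATE_SERVICE_CONNECT)
      echo "OK: $name ($region) is a PSC subnet"; return 0 ;;
    "")
      echo "FAIL: $name ($region) not found or not readable"; return 2 ;;
    *)
      echo "FAIL: $name ($region) has purpose $purpose;" \
           "ServiceAttachment creation will return 412 CONDITION_NOT_MET"
      return 1 ;;
  esac
}

# Check several natSubnets in one region; return non-zero if any fails.
check_nat_subnets() {
  local region="$1" rc=0 s
  shift
  for s in "$@"; do
    check_psc_subnet "$s" "$region" || rc=1
  done
  return "$rc"
}

# The purpose is set at creation time, so a dedicated subnet is created
# with it. Arguments: name, network, region, CIDR range (all supplied by you).
create_psc_subnet() {
  gcloud compute networks subnets create "$1" --network "$2" \
    --region "$3" --range "$4" --purpose PRIVATE_SERVICE_CONNECT
}

# Usage with the names from the thread:
#   check_nat_subnets us-west1 my-cluster-us-west1
```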

Hi @alexmoore 


I am just curious why the documentation doesn’t say that we cannot use an existing subnet, and that it has to be a new subnet or re-used/re-purposed by delete & re-create.


I’ll try to create a new subnet and keep trying this PSC.


