I'm following the documentation for creating an instance using Ansible http://docs.ansible.com/ansible/guide_gce.html
However, when I run this I get:
Required 'compute.zones.list' permission for 'projects/quick-line-137923'
I don't know where I'm meant to configure these permissions for a service account, because the documentation seems to suggest that you can only configure permissions for a service account on an instance that is already created: "You can set scopes only when you create a new instance"
When I try to grant IAM permissions for this service account (admin), it isn’t in the list and when I select the service account in ‘service accounts’ I’m asked to add a member for domain wide permissions, nowhere to assign permissions to this service account for the compute.zones.list
Any help?
My playbook looks like so:
```yaml
# Play 1: create the instance from the local machine using the service account key.
- name: "Create instance(s)"
  hosts: localhost
  gather_facts: no
  connection: local
  vars:
    machine_type: n1-standard-1 # default
    image: ubuntu-1404-lts
    service_account_email: [email protected]
    credentials_file: /Users/Mike/Downloads/project.json
    project_id: quick-line-137923
  tasks:
    - name: "Launch instances"
      gce:
        instance_names: dev
        machine_type: "{{ machine_type }}"
        image: "{{ image }}"
        service_account_email: "{{ service_account_email }}"
        credentials_file: "{{ credentials_file }}"
        project_id: "{{ project_id }}"
        tags: webserver
      register: gce
    - name: "Wait for SSH to come up"
      wait_for: host={{ item.public_ip }} port=22 delay=10 timeout=60
      with_items: "{{ gce.instance_data }}"
    - name: "Add host to groupname"
      add_host: hostname={{ item.public_ip }} groupname=new_instances
      with_items: "{{ gce.instance_data }}"

# Play 2: configure the newly created hosts over SSH.
- name: "Manage new instances"
  vars_files:
    - "vars/webserver.yml"
  hosts: new_instances
  connection: ssh
  become: true
  roles:
    - geerlingguy.apache
    - geerlingguy.php
    - geerlingguy.drush
    - geerlingguy.mysql
```
Add the Compute Instance Admin and Service Account Actor roles to the service account.
You also have to activate the service account. The gcloud tool can be used: https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account
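As an added example (not part of the answers above, and not Ansible's or Google's own code): a preflight check that reads a project's IAM policy and reports which of the two roles named in the answer the service account still lacks, so the `compute.zones.list` failure is caught before the playbook runs. The role IDs, the sample policy and the service account address are assumptions constructed for illustration.

```python
import json

# Assumed role IDs for the two role names in the answer above.
REQUIRED_ROLES = ("roles/compute.instanceAdmin.v1", "roles/iam.serviceAccountActor")
# Primitive roles that grant far more than this playbook needs.
BROAD_ROLES = ("roles/owner", "roles/editor")


def roles_for(policy, sa_email):
    """Return the set of roles bound to the service account in an IAM policy dict."""
    member = "serviceAccount:" + sa_email
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, project_id, sa_email, required=REQUIRED_ROLES):
    """Report missing and over-broad roles, plus gcloud commands for the missing ones."""
    held = roles_for(policy, sa_email)
    missing = [r for r in required if r not in held]
    fixes = [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{sa_email} --role={r}"
        for r in missing
    ]
    return {"missing": missing,
            "too_broad": sorted(held & set(BROAD_ROLES)),
            "fix_commands": fixes}


# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:owner@example.com"]},
  {"role": "roles/iam.serviceAccountActor",
   "members": ["serviceAccount:ansible@example-project.iam.gserviceaccount.com"]}
], "etag": "constructed", "version": 1}
""")

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, "example-project",
                   "ansible@example-project.iam.gserviceaccount.com")
    print(json.dumps(report, indent=2))
```

To run it against a real project, replace `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`.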