Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

GCE Service Account with Compute Instance Admin permissions

Tags:

google-compute-engine

google-iam

I have setup a compute instance called to run cronjobs on Google Compute engine using a service account with the following roles: Custom Compute Image User + Deletion rights Compute Admin Compute Instance Admin (beta) Kubernetes Engine Developer Logs Writer Logs Viewer Pub/Sub Editor Source Repository Reader Storage Admin Unfortunately, when I ssh into this cronjob runner instance and then run:

sudo gcloud compute --project  {REDACTED} instances create e-latest \
    --zone {REDACTED} --machine-type n1-highmem-8 --subnet default \
    --maintenance-policy TERMINATE  \
    --scopes  https://www.googleapis.com/auth/cloud-platform \
    --boot-disk-size 200  \
    --boot-disk-type pd-standard --boot-disk-device-name e-latest \
    --image {REDACTED} --image-project {REDACTED} \
    --service-account NAME_OF_SERVICE_ACCOUNT \ 
    --accelerator type=nvidia-tesla-p100,count=1 --min-cpu-platform Automatic

I get the following error:

The user does not have access to service account {NAME_OF_SERVICE_ACCOUNT}. User: {NAME_OF_SERVICE_ACCOUNT} . Ask a project owner to grant you the iam.serviceAccountUser role on the service account.

Is there some other privilege besides compute instance admin that I need to be able to create instances with my instance?

Further notes: (1) when I try to not specify --service-account the error is the same except that the service account my user doesn't have access to is the default '[email protected]'. (2) adding/removing sudo doesn't change anything

like image 659
Sam Shleifer Avatar asked Jun 06 '18 13:06

Sam Shleifer

People also ask

What are Compute Engine service accounts and permissions?

This page describes Compute Engine service accounts and service account permissions, which can be limited by both access scopes that apply to VM instances, and Identity and Access Management (IAM) roles that apply to service accounts.

How do I check that my service account has the correct permissions?

Check that the service account you are using to run that command has the proper Compute Engine role. You can do this here: IAM & admin > IAM. For checking that the service account has the correct permissions run these commands in the Cloud Shell:

How many service accounts can an instance of an instance have?

An instance can have only one service account. Two types of service accounts are available to Compute Engine instances: User-managed service accounts include new service accounts that you explicitly create and the Compute Engine default service account. You can create and manage your own service accounts using Identity and Access Management.

What is service account user in instanceadmin?

When granted together with roles/compute.instanceAdmin.v1 , roles/iam.serviceAccountUser gives members the ability to create and manage instances that use a service account. Specifically, granting roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 together gives members permission to: Create an instance that runs as a service account.

Video Answer

2 Answers

Creating an instance that uses a service account requires you have the compute.instances.setServiceAccount permission on that service account. To make this work, grant the iam.serviceAccountUser role to your service account (either on the entire project or on the specific service account you want to be able to create instances with).

like image 85
David Avatar answered Oct 16 '22 06:10

David

Find out who you are first

  • if you are using Web UI: what email address did you use to login?
  • if you are using local gcloud or terraform: find the json file that contains your credentials for gcloud (often named similarly to myproject*.json) and see if it contains the email: grep client_email myproject*.json

GCP IAM change

  1. Go to https://console.cloud.google.com
  2. Go to IAM
  3. Find your email address
  4. Member -> Edit -> Add Another Role -> type in the role name Service Account User -> Add

(You can narrow it down with a Condition, but lets keep it simple for a while).

like image 3
kubanczyk Avatar answered Oct 16 '22 08:10

kubanczyk
Sign in to Comment

Related questions

Is there a maximum number of service accounts that a project can have in the google cloud platform?
How do I Configure Google Compute Engine to use HTTPS for nodejs server?
gCloud / GCE Disk Size warning - is it meaningful?
Terminate google cloud compute engine instance with shell/bash script
Cannot SSH Google Cloud Instance -
How do I receive notification if a Google Compute Engine instance restarts or migrates on maintenance?
Unable to connect to HTTP service running on Google Compute Engine VM instance
Is there anyway I can use preemptible instance for dataflow jobs?
access kubernetes storage from multiple pods with different modes - one pod ReadWrite, other pods ReadOnly
Does Google Cloud Compute Engine allows Ubuntu image?
Custom Domain for Google Compute Engine Server
Startup Script on Windows GCE - Where is it logged?
Google Compute Engine: Internal DNS server and issues with the resolving
Nginx SSL Certificate failed SSL: error:0B080074:x509 (Google Cloud)
Can't delete underlying VM for a node in Kubernetes
Calling Google cloud Vision API's on numpy matrices
How do I mount and format new google compute disk to be mounted in a GKE pod?
Unable to mount a directory on Google Compute Engine using sshfs
Kubernetes on GCE: Ingress Timeout Configuration
Google Compute Engine - Clone Instance

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!