Menu
I have setup a compute instance called to run cronjobs on Google Compute engine using a service account with the following roles:
Custom Compute Image User + Deletion rights
Compute Admin
Compute Instance Admin (beta)
Kubernetes Engine Developer
Logs Writer
Logs Viewer
Pub/Sub Editor
Source Repository Reader
Storage Admin
Unfortunately, when I ssh into this cronjob runner instance and then run:
sudo gcloud compute --project {REDACTED} instances create e-latest \
--zone {REDACTED} --machine-type n1-highmem-8 --subnet default \
--maintenance-policy TERMINATE \
--scopes https://www.googleapis.com/auth/cloud-platform \
--boot-disk-size 200 \
--boot-disk-type pd-standard --boot-disk-device-name e-latest \
--image {REDACTED} --image-project {REDACTED} \
--service-account NAME_OF_SERVICE_ACCOUNT \
--accelerator type=nvidia-tesla-p100,count=1 --min-cpu-platform Automatic
I get the following error:
The user does not have access to service account {NAME_OF_SERVICE_ACCOUNT}. User: {NAME_OF_SERVICE_ACCOUNT} . Ask a project owner to grant you the iam.serviceAccountUser role on the service account.
Is there some other privilege besides compute instance admin that I need to be able to create instances with my instance?
Further notes: (1) when I try to not specify --service-account the error is the same except that the service account my user doesn't have access to is the default '[email protected]'.
(2) adding/removing sudo doesn't change anything
659
This page describes Compute Engine service accounts and service account permissions, which can be limited by both access scopes that apply to VM instances, and Identity and Access Management (IAM) roles that apply to service accounts.
Check that the service account you are using to run that command has the proper Compute Engine role. You can do this here: IAM & admin > IAM. For checking that the service account has the correct permissions run these commands in the Cloud Shell:
An instance can have only one service account. Two types of service accounts are available to Compute Engine instances: User-managed service accounts include new service accounts that you explicitly create and the Compute Engine default service account. You can create and manage your own service accounts using Identity and Access Management.
When granted together with roles/compute.instanceAdmin.v1 , roles/iam.serviceAccountUser gives members the ability to create and manage instances that use a service account. Specifically, granting roles/iam.serviceAccountUser and roles/compute.instanceAdmin.v1 together gives members permission to: Create an instance that runs as a service account.
Creating an instance that uses a service account requires you have the compute.instances.setServiceAccount permission on that service account. To make this work, grant the iam.serviceAccountUser role to your service account (either on the entire project or on the specific service account you want to be able to create instances with).
85
gcloud or terraform: find the json file that contains your credentials for gcloud (often named similarly to myproject*.json) and see if it contains the email: grep client_email myproject*.json
Service Account User -> Add(You can narrow it down with a Condition, but lets keep it simple for a while).
3
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
