jaran

Reputation: 31

gcloud installed on GCE instance with service level accounts permission issues

I launched an instance with service level accounts enabled. For example, it has storage-rw set. I verified that the instance has those. Now whenever I run gsutil ls gs://my_bucket from within the instance I get the error: Failure: unauthorized_client.

gcloud auth list returns

Credentialed accounts:
 - [email protected] (active)

I need to use gcloud SDK from an instance because I need more components other than the gcutil and gsutil.

So my question is how can I authorize gcloud to use the [email protected] account and thus the permissions only specified on the instance and not my personal user account which has full permissions to everything?

Upvotes: 3

Views: 1575

Answers (2)

John Asmuth

Reputation: 1062

The gcloud CLI definitely handles Google Compute Engine service accounts. If you see it as "(active)" when you do $ gcloud auth list, that should be sufficient.

Two things can be going wrong here:

  1. You are using the wrong gsutil.

    When you install the Google Cloud SDK, it will create google-cloud-sdk/bin/gsutil, and THAT is the one you want to run. Do $ which gsutil to double check. If you're running google-cloud-sdk/platform/gsutil/gsutil, that's the wrong one, and it won't know about anything that gcloud can tell it.

  2. The account doesn't have permissions to access the bucket you're trying to inspect. You'll have to ask the owner of the bucket to add it to the project that owns that bucket.

Source: Engineer for the Google Cloud SDK

Upvotes: 6
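
An added diagnostic sketch for the two causes named in the answer above (not code from the answer or from the Cloud SDK): it classifies which gsutil is on PATH and reads the instance's granted scopes from the metadata server. The function names and the sample scope list are constructed for illustration; the scope check treats devstorage.read_write, devstorage.full_control and cloud-platform as permitting storage writes.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from the answer or from the Cloud SDK.

# Classify a resolved gsutil path against the two locations the answer names.
classify_gsutil() {
    case "$1" in
        "")                                        echo "not-found" ;;
        */google-cloud-sdk/bin/gsutil)             echo "sdk-wrapper" ;;
        */google-cloud-sdk/platform/gsutil/gsutil) echo "platform-copy" ;;
        *)                                         echo "other" ;;
    esac
}

# Read a newline-separated scope list on stdin; succeed if it includes a scope
# that permits Cloud Storage writes (storage-rw is devstorage.read_write).
has_storage_rw() {
    grep -Eq '^https://www\.googleapis\.com/auth/(devstorage\.(read_write|full_control)|cloud-platform)$'
}

# Ask the metadata server which scopes the instance's default service account has.
fetch_scopes() {
    curl -sf --max-time 5 -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Constructed sample of a scope list, for reading the code offline.
SAMPLE_SCOPES='https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/compute'

# Run both checks on the instance and print the findings.
diagnose() {
    echo "gsutil on PATH: $(classify_gsutil "$(command -v gsutil)")"
    scopes=$(fetch_scopes) || { echo "metadata server unreachable"; return 2; }
    if printf '%s\n' "$scopes" | has_storage_rw; then
        echo "instance scopes allow storage writes; check bucket permissions next"
    else
        echo "instance scopes do not include storage write access"
    fi
}
```

Call diagnose on the instance: a platform-copy result corresponds to the first cause in the answer, and a passing scope check leaves the bucket's own permissions as the remaining suspect.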

kateroh

Reputation: 4416

See "Authenticating to Google Compute Engine" section in this doc: https://developers.google.com/compute/docs/gcutil/

Upvotes: -1
