Docker-Machine do not work with Google Cloud service account

Question

I Create a google compute instance with service account

gcloud --project my-proj compute instances create test1 \
--image-family "debian-9" --image-project "debian-cloud" \
--machine-type "g1-small" --network "default" --maintenance-policy "MIGRATE" \
--service-account "gke-build-robot@myproj-184015.iam.gserviceaccount.com" \
--scopes "https://www.googleapis.com/auth/cloud-platform" \
--tags "gitlab-runner" \
--boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "$RESOURCE_NAME" \
--metadata register_token=mytoken,config_bucket=gitlab_config,runner_name=test1,gitlab_uri=myuri,runner_tags=backend \
--metadata-from-file "startup-script=startup-scripts/prepare-runner.sh"

Log to instance though ssh: gcloud compute --project "myproj" ssh --zone "europe-west1-b" "gitlab-shared-runner-pool"

After install and configure docker machine. i try create instance:

     docker-machine create --driver google --google-project myproj test2
    Running pre-create checks...
    (test2) Check that the project exists
    (test2) Check if the instance already exists
    Creating machine...
    (test2) Generating SSH Key
    (test2) Creating host...
    (test2) Opening firewall ports
    (test2) Creating instance
    (test2) Waiting for Instance
Error creating machine: Error in driver during machine creation: Operation error: {EXTERNAL_RESOURCE_NOT_FOUND  The resource '1045904521672-compute@developer.gserviceaccount.com' of type 'serviceAccount' was not found. []}

1045904521672-compute@developer.gserviceaccount.com is my default account. I don;t understand why it used. Because activated is gke-build-robot@myproj-184015.iam.gserviceaccount.com

gcloud config list
[core]
account = gke-build-robot@myproj-184015.iam.gserviceaccount.com
disable_usage_reporting = True
project = novaposhta-184015
Your active configuration is: [default]

 gcloud auth list
                      Credentialed Accounts
ACTIVE  ACCOUNT
*       gke-build-robot@myproj-184015.iam.gserviceaccount.com

Can some one explain me, what i do wrong?

Answer 1

There was double problem.

• First of all, docker-machine can't work with specific service account, at least in 0.12 and 0.13 version.
• Docker+Machine google driver have only scope parameter and can't get specific one.
  So Instance where docker+machine was installed is work fine with specified sa. But instance that was created with docker+machine, must have default service account.
  And when during debug, I turn off it.
  I've got this error as a result.

Answer 2

A similar issue (bosh-google-cpi-release issue 144) suggests somehow the

This error message is unclear, particularly because the credentials which also need to be specified in the manifest may be associated with another account altogether.

The default service_account for the bosh-google-cpi-release is set to "default" if it is not proactively set by the bosh manifest, so this will happen anytime you use service_scopes instead of a service_account.

While you are not using bosh-google-cpi-release, the last sentence made me double-check the gcloud reference page, in particular gcloud compute instance create.

A service account is an identity attached to the instance. Its access tokens can be accessed through the instance metadata server and are used to authenticate applications on the instance.
The account can be either an email address or an alias corresponding to a service account. You can explicitly specify the Compute Engine default service account using the 'default' alias.

If not provided, the instance will get project's default service account.

It is as if your service account is either ignored or incorrect (and falls back to the project default's one)

See "Creating and Enabling Service Accounts for Instances" to double-check its value:

Usually, the service account's email is derived from the service account ID, in the format:

[SERVICE-ACCOUNT-NAME]@[PROJECT_ID].iam.gserviceaccount.com

Or try setting first the service scope and account.