Sam Shleifer

Reputation: 1866

GCE Service Account with Compute Instance Admin permissions

I have set up a compute instance called to run cronjobs on Google Compute Engine using a service account with the following roles:

  - Custom Compute Image User + Deletion rights
  - Compute Admin
  - Compute Instance Admin (beta)
  - Kubernetes Engine Developer
  - Logs Writer
  - Logs Viewer
  - Pub/Sub Editor
  - Source Repository Reader
  - Storage Admin

Unfortunately, when I ssh into this cronjob runner instance and then run:

sudo gcloud compute --project  {REDACTED} instances create e-latest \
    --zone {REDACTED} --machine-type n1-highmem-8 --subnet default \
    --maintenance-policy TERMINATE  \
    --scopes  https://www.googleapis.com/auth/cloud-platform \
    --boot-disk-size 200  \
    --boot-disk-type pd-standard --boot-disk-device-name e-latest \
    --image {REDACTED} --image-project {REDACTED} \
    --service-account NAME_OF_SERVICE_ACCOUNT \
    --accelerator type=nvidia-tesla-p100,count=1 --min-cpu-platform Automatic

I get the following error:

The user does not have access to service account {NAME_OF_SERVICE_ACCOUNT}. User: {NAME_OF_SERVICE_ACCOUNT} . Ask a project owner to grant you the iam.serviceAccountUser role on the service account.

Is there some other privilege besides compute instance admin that I need to be able to create instances with my instance?

Further notes:

  1. When I do not specify --service-account, the error is the same except that the service account my user doesn't have access to is the default '[email protected]'.
  2. Adding/removing sudo doesn't change anything.

Upvotes: 7

Views: 11827

Answers (3)

kubanczyk

Reputation: 5959

Find out who you are first

If you are using local gcloud or terraform: find the json file that contains your credentials (often named similarly to myproject*.json) and:

  1. See if it contains the project_id: grep project_id myproject*.json
  2. See if it contains the email: grep client_email myproject*.json

GCP IAM change

  1. Go to https://console.cloud.google.com
  2. On top of the page, select the project matching project_id
  3. Go to IAM & Admin -> IAM
  4. Find the same email address
  5. Edit principal -> Add Another Role -> type in the role name: Service Account User -> click Add

(You can narrow it down with a Condition, but let's keep it simple for a while.)

Upvotes: 6

Karol Zlot

Reputation: 4065

Make sure that NAME_OF_SERVICE_ACCOUNT is a service account from the current project.

If you change the project ID and don't change NAME_OF_SERVICE_ACCOUNT, you will encounter this error.

This can be checked in the Google Console -> IAM & Admin -> IAM. Then look for the service name [email protected] and check whether the numbers at the beginning are correct. Each project will have different numbers in this service name.

Upvotes: 0

David

Reputation: 9731

Creating an instance that uses a service account requires that you have the compute.instances.setServiceAccount permission on that service account. To make this work, grant the iam.serviceAccountUser role to your service account (either on the entire project or on the specific service account you want to be able to create instances with).

Upvotes: 6
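As an added example (not code from the question or from any of the answers), a small Python checker that applies Karol Zlot's test (is the service account actually owned by the current project?) and David's test (does the calling principal hold roles/iam.serviceAccountUser on that service account or on the project?) to IAM policy JSON of the shape returned by `gcloud iam service-accounts get-iam-policy SA --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`. The member, policies, project id and project number below are constructed placeholders; conditional bindings are reported separately because the policy alone does not say whether the condition holds for a given request.

```python
import json
import re

# Role carrying iam.serviceAccounts.actAs, which whoever creates the VM needs
# on the attached service account (granted at project or service-account level).
SA_USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample policies and principal; none of these values come from the post.
MEMBER = "serviceAccount:cron-runner@my-project.iam.gserviceaccount.com"
SA_POLICY = json.loads('''{"version": 3, "etag": "BwX", "bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["%s"],
   "condition": {"title": "expired", "expression":
                 "request.time < timestamp('2020-01-01T00:00:00Z')"}}]}''' % MEMBER)
PROJECT_POLICY = json.loads('''{"version": 1, "etag": "BwY", "bindings": [
  {"role": "roles/compute.instanceAdmin.v1", "members": ["%s"]}]}''' % MEMBER)


def sa_belongs_to_project(sa_email, project_id, project_number):
    """Default Compute SA is <PROJECT_NUMBER>-compute@developer.gserviceaccount.com;
    a user-managed SA is <name>@<PROJECT_ID>.iam.gserviceaccount.com."""
    m = re.fullmatch(r"(\d+)-compute@developer\.gserviceaccount\.com", sa_email)
    if m:
        return m.group(1) == str(project_number)
    return sa_email.endswith(f"@{project_id}.iam.gserviceaccount.com")


def sa_user_bindings(member, *policies):
    """Count serviceAccountUser bindings naming `member` across the given
    policies, returned as (unconditional, conditional)."""
    unconditional = conditional = 0
    for policy in policies:
        for b in policy.get("bindings", []):
            if b.get("role") == SA_USER_ROLE and member in b.get("members", []):
                if "condition" in b:
                    conditional += 1
                else:
                    unconditional += 1
    return unconditional, conditional


def diagnose(member, sa_email, project_id, project_number, *policies):
    """Classify why `member` may fail to attach `sa_email` to a new instance."""
    if not sa_belongs_to_project(sa_email, project_id, project_number):
        return "wrong-project"  # SA email points at a different project
    unconditional, conditional = sa_user_bindings(member, *policies)
    if unconditional:
        return "ok"
    return "conditional-only" if conditional else "missing-role"
```

With the sample policies above, `diagnose(MEMBER, "cron-runner@my-project.iam.gserviceaccount.com", "my-project", 123456789012, SA_POLICY, PROJECT_POLICY)` returns "conditional-only": the role is bound, but only under a condition, which is exactly the situation kubanczyk's note about Conditions hints at.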
