Reputation: 673
The default service account does not have access to Cloud SQL and has only read-only access to Storage. I tried adding the Cloud SQL Admin and Storage Admin permissions to the default service account, but that does not seem to work. I know it can be solved by using another service account that has these permissions and using that when creating the compute instance. I am just curious to know why updating the permissions of the default compute does not work?
Upvotes: 2
Views: 2972
Reputation: 76749
In the Cloud IAM Admin you have to select your Default Service Account by hitting on that pen to the right; then a sidebar will pop up, where you can assign the following roles: Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Viewer. Its default role is Editor.
Upvotes: 0
Reputation: 21
It seems that updating the permissions on the Compute Engine default service account is not enough to set the correct level of access you are trying to give to your Compute Engine instance, since, as described here:
When you set up an instance to run as a service account, the level of access the service account has is determined by the combination of access scopes granted to the instance and IAM roles granted to the service account.
From my understanding you are only granting IAM roles to the service account, so, in order to give the desired access level, you should also update the Access scopes for your Compute Engine instance.
When you create a new Compute Engine instance, under Access scopes, "Allow default access" is selected by default, as you can see here: New instance. This default access has Cloud SQL access disabled and Cloud Storage access as read-only.
You can refer to this documentation which explains how to change the access scopes for a Compute Engine instance:
To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.
Once you stop your instance, you can change the Access scopes to either "Set access for each API" or to "Allow full access to all Cloud APIs".
If you choose to set access for each API, you will have to search for "Cloud SQL" and then select "Enabled", and also search for "Storage" and select the desired option (Read Only, Write Only, Read Write, Full).
For more information on Access Scopes please refer to this doc and for more information on running Compute Engine instances as service account (including the default service account) please see this doc.
Upvotes: 2
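The combination of access scopes and IAM roles described in the answer above can be checked with a short script. This is an added example, not part of the original thread: it takes the instance's scope list and reports which operations are blocked and by what. The sample scope list is constructed, the operation names are hypothetical labels, and the IAM side is simplified to one boolean per operation.

```python
# Added example: models "effective access = access scopes AND IAM roles" for a VM.
# Access scopes that let a token reach each operation (cloud-platform covers all Cloud APIs).
SCOPES_FOR = {
    "cloudsql": {"sqlservice.admin", "cloud-platform"},
    "storage_read": {"devstorage.read_only", "devstorage.read_write",
                     "devstorage.full_control", "cloud-platform"},
    "storage_write": {"devstorage.write_only", "devstorage.read_write",
                      "devstorage.full_control", "cloud-platform"},
}

# Constructed sample of the scope list for an instance using "Allow default access".
# On a real VM the list can be read from the metadata server path
# /computeMetadata/v1/instance/service-accounts/default/scopes (header Metadata-Flavor: Google).
DEFAULT_ACCESS_SCOPES = """\
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append
"""

def parse_scopes(text):
    """Turn newline-separated scope URLs into short names such as 'devstorage.read_only'."""
    return {line.strip().rsplit("/auth/", 1)[-1]
            for line in text.splitlines() if line.strip()}

def effective_access(scope_text, iam_allows):
    """Return {operation: (allowed, blocker)}; iam_allows maps operation -> bool
    (whether the roles granted to the service account permit it)."""
    granted = parse_scopes(scope_text)
    result = {}
    for op, accepted in SCOPES_FOR.items():
        scope_ok = bool(granted & accepted)
        iam_ok = iam_allows.get(op, False)
        if scope_ok and iam_ok:
            result[op] = (True, None)
        elif iam_ok:
            result[op] = (False, "access scope")
        elif scope_ok:
            result[op] = (False, "IAM role")
        else:
            result[op] = (False, "access scope and IAM role")
    return result

if __name__ == "__main__":
    # The asker's situation: roles were granted, but the instance kept its default scopes.
    roles = {"cloudsql": True, "storage_read": True, "storage_write": True}
    for op, (ok, blocker) in effective_access(DEFAULT_ACCESS_SCOPES, roles).items():
        print(f"{op:14} {'allowed' if ok else 'blocked by ' + blocker}")
```
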