Reputation: 1523
I've created a gcloud compute instance where I would like to perform operations within the same project using the `storage.objects.get` and `firebasedatabase.instances.update` scopes.
Each instance is created with the Compute Engine default service account `[email protected]`, which has the Editor role within the project. Because of this I assumed the instance would have the required permissions when initialized using

```javascript
const admin = require('firebase-admin');

// Use Application Default Credentials, i.e. the instance's attached service account
admin.initializeApp({
  credential: admin.credential.applicationDefault()
});
```
Requesting a firestore instance however results in the error `Request had insufficient authentication scopes`.
Now I've noticed that if I run `gcloud compute instances describe my-instance` the result mentions both an email and scopes for `serviceAccounts`:

```json
"serviceAccounts": [
  {
    "email": "[email protected]",
    "scopes": [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write",
      "https://www.googleapis.com/auth/pubsub",
      "https://www.googleapis.com/auth/service.management.readonly",
      "https://www.googleapis.com/auth/servicecontrol",
      "https://www.googleapis.com/auth/trace.append"
    ]
  }
]
```
What's the relation between the service account email and the predefined scopes? Is the instance not applying all scopes of the service account?

Even if I want to adjust my scopes I would need some help on translating the `storage.objects.get` and `firebasedatabase.instances.update` IAM definitions to the `https://www.googleapis.com/auth/scope` format. (`https://www.googleapis.com/auth/firebasedatabase.instances.update` does not exist.)
Upvotes: 0
Views: 288
Reputation: 77
Roles such as Owner, Editor and Viewer are what we call primitive roles [1]. They don't contain the permissions for every resource in GCP. I would suggest creating a custom role with the desired permissions or selecting the appropriate predefined role [2].
[1] https://cloud.google.com/iam/docs/understanding-roles#primitive_roles
[2] https://cloud.google.com/iam/docs/understanding-roles#firebase-roles
Upvotes: 0