Reputation: 560
I am creating a GCP instance using the Python method below:
compute.instances().insert(project=project, zone=zone, body=config).execute()
In the config variable, I have added a serviceAccounts section:
"serviceAccounts": [
{
"email": SA-email,
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",  # comma added: without it Python joins this string and the next one into a single bogus scope
"https://www.googleapis.com/auth/trace.append",
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/cloud-platform"
]
}
]
I am not sure what roles I should assign to this SA-email. If I am mentioning access scopes, does it mean those roles must be assigned to SA-email?
When I run the above code, instance creation fails.
I am very confused between SA, roles and scopes.
What property should I check to troubleshoot the above issue?
Upvotes: 3
Views: 4204
Reputation: 373
A service account is a special Google account that belongs to your application or a virtual machine instead of an individual end user. The service account acts like an identity associated with an application; an application uses a service account to authenticate between the application and GCP services so that users are not directly involved.
The service account is unique in that, in addition to being an identity, it is also a resource which has an IAM policy attached to it; these policies determine who can use this service account, so it is both an identity and a resource.
For example, if you grant Bob the Compute Instance Admin role together with the Service Account User role, he can create and manage Compute Engine instances that use a service account. After you grant IAM roles to that service account, you can then assign that service account to one or more new virtual machine instances, and now Bob will have admin access to those instances. To sum it up, a user account must be granted the Service Account User role, and the service account must be granted a role to access GCP resources.
Service account access scopes are the legacy method of specifying permissions for your instance, and they are used in substitution for IAM roles. They are used specifically for default or automatically created service accounts based on enabled APIs. Before the existence of IAM roles, access scopes were the only way of granting permissions to service accounts; although they are not the primary way of granting permissions now, you must still set service account access scopes when configuring an instance to run as a service account. However, when you are using a custom service account you will not be using access scopes; rather, you will be using IAM roles. So when you are using a default service account for your Compute instance, it will default to using scopes instead of IAM roles.
For your config variable, you can select the access scopes from the complete list, or you can create a custom service account and assign the IAM role.
Upvotes: 5