AWS Learning

Reputation: 67

I am not able to access the Compute Engine API with gcloud?

I have an instance running with the access scope 'Set Access for each API', explicitly allowing the Compute Engine API with Read-Write access, as shown in the image below.

API access list

So I logged into the instance via SSH and tried to run this command:

gcloud compute instances list

and I got an error:

- Required 'compute.zones.list' permission for 'projects/dotted-hxxl-xxx'

My user explicitly allows access to the Compute Engine API, but I am still getting the error. I shouldn't get this error, right? What am I missing here?

Upvotes: 1

Views: 1553

Answers (2)

marian.vladoi

Reputation: 8056

  1. stop the compute engine instance

gcloud compute instances stop instance-1 --zone us-central1-c

  2. get the service account of the instance

gcloud compute instances describe instance-1 --zone us-central1-c | grep email

  3. assign the role roles/compute.instanceAdmin to the service account

gcloud projects add-iam-policy-binding your_project --member="serviceAccount:SERVICE_ACCOUNT_ID@your_project.iam.gserviceaccount.com" --role="roles/compute.instanceAdmin"

  4. start the instance

gcloud compute instances start instance-1 --zone us-central1-c

  5. ssh to the instance

gcloud compute ssh instance-1 --zone us-central1-c

  6. run the gcloud command

gcloud compute instances list

Also read about the difference between IAM roles and OAuth scopes:

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.

Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth.

Upvotes: 0

guillaume blaquiere

Reputation: 75715

When you are logged into an instance, the permissions that you get aren't those of your user but those of the compute engine, provided by the metadata server.

  • Go to the compute engine detail and have a look at the Service Account section.
  • If there is a service account, check its permissions.
  • If not, add a service account to your VM (you will need to stop it to perform this operation).

Upvotes: 0
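Both answers above come down to two separate gates on the VM: the attached service account must hold an IAM role that carries the permission, and the instance's access scopes must allow the Compute API. The script below is an added example (not code from either answer) that checks both gates from the JSON that `gcloud compute instances describe --format=json` and `gcloud projects get-iam-policy --format=json` print; the sample instance and policy are constructed, and the set of roles treated as carrying compute.zones.list is an assumption.

```python
"""Diagnose why `gcloud compute instances list` fails inside a GCE VM.

Inputs mirror the JSON printed by `gcloud compute instances describe` and
`gcloud projects get-iam-policy`; the samples at the bottom are constructed.
"""

# OAuth scopes under which the Compute API is reachable from the VM at all.
COMPUTE_SCOPES = {
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/compute.readonly",
    "https://www.googleapis.com/auth/cloud-platform",
}
# Roles assumed to carry compute.zones.list (primitive roles plus the
# Compute viewer/admin roles; the answer above binds instanceAdmin).
LISTING_ROLES = {
    "roles/owner", "roles/editor", "roles/compute.viewer",
    "roles/compute.admin", "roles/compute.instanceAdmin",
}


def diagnose(instance, policy):
    """Return findings; 'problems' is empty when listing instances should work."""
    problems = []
    sas = instance.get("serviceAccounts") or []
    if not sas:  # the VM runs with no identity: nothing to grant roles to
        return {"email": None, "roles": set(), "problems": ["no service account attached"]}
    sa = sas[0]
    email, scopes = sa["email"], set(sa.get("scopes", []))
    if not scopes & COMPUTE_SCOPES:
        problems.append("access scopes do not include the Compute API")
    member = f"serviceAccount:{email}"
    roles = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    if not roles & LISTING_ROLES:
        problems.append("service account has no IAM role granting compute.zones.list")
    return {"email": email, "roles": roles, "problems": problems}


# Constructed sample: the scope is granted (as in the question) but no role is bound.
INSTANCE = {"name": "instance-1", "serviceAccounts": [{
    "email": "123-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/compute"]}]}
POLICY_BEFORE = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}
# The same project after the add-iam-policy-binding step from the first answer.
POLICY_AFTER = {"bindings": POLICY_BEFORE["bindings"] + [
    {"role": "roles/compute.instanceAdmin",
     "members": ["serviceAccount:123-compute@developer.gserviceaccount.com"]}]}

if __name__ == "__main__":
    for label, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, diagnose(INSTANCE, pol))
```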
