Neil C. Obremski

Reputation: 20324

How to install monitoring agent on GCP Compute VM that is set to a Service Account?

I have a GCP VM set to use a service account so in the VM instance details on the console:

Service account

[email protected]

When I run the command for installing the monitoring agent I saw this:

Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:

  • Required 'compute.instances.setMetadata' permission for 'projects/MYPROJECT/zones/us-central1-a/instances/MYVM'

I gave the service account the Compute Admin role on the instance (not the whole project) and re-ran. The results are then more confusing:

Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:

  • The user does not have access to service account > '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

Do I really grant the iam.serviceAccountUser role on the service account so it can use itself? Is there another way I can run the script as me rather than the service account since I am a project admin/owner?

Upvotes: 1

Views: 265

Answers (1)

CaioT

Reputation: 2211

That's correct, per the official documentation of the compute admin role:

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Link: https://cloud.google.com/compute/docs/access/iam

Upvotes: 2
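The two-binding requirement from this answer, as an added example (not code from the post or from Google's documentation): given the IAM policies of the instance and of the service account, in the JSON shape that `gcloud compute instances get-iam-policy` and `gcloud iam service-accounts get-iam-policy --format=json` return, it reports which binding the calling user still lacks and emits a gcloud command that grants it on that one resource only, not on the whole project. The user, service-account and instance names are constructed placeholders.

```python
from typing import Dict, Iterable, List, Tuple

SA_USER_ROLE = "roles/iam.serviceAccountUser"
# Either role carries compute.instances.setMetadata, the permission named in the first error.
INSTANCE_ROLES = {"roles/compute.admin", "roles/compute.instanceAdmin.v1"}

# Constructed sample mirroring the asker's second attempt: Compute Admin on the
# instance only, nothing yet on the service account. All names are placeholders.
USER = "admin@example.com"
SA = "my-sa@my-project.iam.gserviceaccount.com"
INSTANCE, ZONE = "my-vm", "us-central1-a"
INSTANCE_POLICY = {"etag": "BwX1", "bindings": [
    {"role": "roles/compute.admin", "members": [f"user:{USER}"]}]}
SA_POLICY = {"etag": "ACAB"}  # no bindings at all

def has_role(policy: Dict, member: str, roles: Iterable[str]) -> bool:
    """True if member holds one of roles through an unconditional binding;
    conditional bindings are not counted, since the policy alone cannot
    tell whether their condition holds."""
    return any(b.get("role") in roles and "condition" not in b
               and member in b.get("members", [])
               for b in policy.get("bindings", []))

def missing_bindings(user: str, sa_policy: Dict,
                     instance_policy: Dict) -> List[Tuple[str, str]]:
    """(scope, role) pairs still to be granted before `gcloud compute ssh` works."""
    member = f"user:{user}"
    missing = []
    if not has_role(instance_policy, member, INSTANCE_ROLES):
        # instanceAdmin.v1 is narrower than Compute Admin and still suffices.
        missing.append(("instance", "roles/compute.instanceAdmin.v1"))
    if not has_role(sa_policy, member, {SA_USER_ROLE}):
        missing.append(("service-account", SA_USER_ROLE))
    return missing

def fix_commands(user: str, sa: str, instance: str, zone: str,
                 sa_policy: Dict, instance_policy: Dict) -> List[str]:
    """gcloud commands adding only the missing bindings, each on the single
    resource involved rather than on the whole project."""
    member = f"user:{user}"
    cmds = []
    for scope, role in missing_bindings(user, sa_policy, instance_policy):
        if scope == "instance":
            cmds.append(f"gcloud compute instances add-iam-policy-binding "
                        f"{instance} --zone={zone} --member={member} --role={role}")
        else:
            cmds.append(f"gcloud iam service-accounts add-iam-policy-binding "
                        f"{sa} --member={member} --role={role}")
    return cmds
```

With the sample policies the only missing piece is `roles/iam.serviceAccountUser` on the service account, which is exactly the second error message in the question.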
