Reputation: 711
I am using the below Jinja instance creation template in GCP. When I create this I get the below error.
I have already tried giving even the Owner and iam.serviceAccountUser roles to the [email protected] account.
I have also added the [email protected] user with the iam.serviceAccountUser role as a member under the Access control section of the new service account I have created, which is [email protected].
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1663746707027-5e92b3777f488-7748cc3b-a3d3cc8f]: errors:
- code: RESOURCE_ERROR
location: /deployments/demo-vm/resources/test-vm
message: "{\"ResourceType\":\"compute.v1.instance\",\"ResourceErrorCode\":\"SERVICE_ACCOUNT_ACCESS_DENIED\"\
,\"ResourceErrorMessage\":\"The user does not have access to service account 'serviceAccount:test-vm-gke-init-vm@<myproject>.iam.gserviceaccount.com'.\
\ User: '[email protected]'. Ask a project owner\
\ to grant you the iam.serviceAccountUser role on the service account\"}"
resources:
- type: compute.v1.instance
  name: {{ properties.name }}
  properties:
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/{{ properties["machineType"] }}
    zone: {{ properties["zone"] }}
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        diskName: disk-{{ env["deployment"] }}
        sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-11-bullseye-v20220822
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    serviceAccounts:
    - email: serviceAccount:$(ref.{{ properties.name }}-sa.email)
      scopes:
      - https://www.googleapis.com/auth/devstorage.read_only
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring.write
      - https://www.googleapis.com/auth/servicecontrol
      - https://www.googleapis.com/auth/service.management.readonly
      - https://www.googleapis.com/auth/compute
      - https://www.googleapis.com/auth/cloud-platform
- name: {{ properties.name }}-sa
  type: gcp-types/iam-v1:projects.serviceAccounts
  properties:
    accountId: {{ properties.name }}-gke-init-vm
    displayName: {{ properties.name }}-gke-init-vm
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/iam.serviceAccountUser
        members:
        - "serviceAccount:<myproject>@cloudservices.gserviceaccount.com"
- name: {{ env["project"] }}-{{ properties.name }}-initnode-sa-binding
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: {{ env["project"] }}
    member: serviceAccount:$(ref.{{ properties.name }}-sa.email)
    role: roles/container.clusterAdmin
- name: {{ env["project"] }}-{{ properties.name }}-initnode-sa-binding-v2
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: {{ env["project"] }}
    member: serviceAccount:$(ref.{{ properties.name }}-sa.email)
    role: roles/container.admin
Upvotes: 0
Views: 320
Reputation: 434
For reference, for others running into this issue:
specify the reference below to resolve it.
$(ref.{{ properties.name }}-sa.email)
Upvotes: 0
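An added example (not part of the question or the answer) showing the corrected serviceAccounts block in context: the instance's email field takes the bare address returned by the ref, while the serviceAccount: type prefix belongs only in IAM member strings such as the binding's member field. Resource and property names follow the template above; disks and networkInterfaces are omitted and stay as in the question.

```yaml
resources:
# VM resource: serviceAccounts[].email expects a bare e-mail address.
- type: compute.v1.instance
  name: {{ properties.name }}
  properties:
    zone: {{ properties["zone"] }}
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/{{ properties["machineType"] }}
    serviceAccounts:
    - email: $(ref.{{ properties.name }}-sa.email)   # no "serviceAccount:" prefix here
      scopes:
      - https://www.googleapis.com/auth/cloud-platform
# IAM binding: member strings DO carry the "serviceAccount:" type prefix.
- name: {{ env["project"] }}-{{ properties.name }}-initnode-sa-binding
  type: gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding
  properties:
    resource: {{ env["project"] }}
    member: serviceAccount:$(ref.{{ properties.name }}-sa.email)
    role: roles/container.clusterAdmin
```

The tell-tale in the error above is the literal serviceAccount: inside the quoted account name: the API was asked for an account called serviceAccount:test-vm-gke-init-vm@..., which does not exist, so the request fails with SERVICE_ACCOUNT_ACCESS_DENIED regardless of which roles the deploying user holds.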