
I have an instance running with the access scope 'Set access for each API', explicitly allowing the Compute Engine API with Read-Write access, as shown in the image below.

[Image: API access list]

So I logged into the instance via SSH and tried to run this command:

gcloud compute instances list

and I got an error:

- Required 'compute.zones.list' permission for 'projects/dotted-hxxl-xxx'

My user has explicitly allowed access to the Compute Engine API, but I am still getting the error. I shouldn't get this error, right? What am I missing here?

AWS Learning

2 Answers


When you are logged into an instance, the permissions you get aren't those of your user but those of the Compute Engine instance, provided by the metadata server.

  • Go to the Compute Engine instance detail page and have a look at the Service Account section.
  • If there is a service account, check its permissions.
  • If not, add a service account to your VM (you will need to stop it to perform this operation).
guillaume blaquiere
  • Hi, by checking the permissions you mean the IAM policies, right? I did, and it has only 'Storage List Objects'. So do you mean I need to give it permission explicitly? – AWS Learning Nov 30 '20 at 16:26
  • Perform a `gcloud config list`; you will see the service account of your VM. Then grant the required permissions on it. – guillaume blaquiere Nov 30 '20 at 19:47
  1. Stop the Compute Engine instance:

gcloud compute instances stop instance-1 --zone us-central1-c

  2. Get the service account of the instance:

gcloud compute instances describe instance-1 --zone us-central1-c | grep email

  3. Assign the role roles/compute.instanceAdmin to the service account (note that `--member` is a single flag, with no space after the dashes):

gcloud projects add-iam-policy-binding your_project --member="serviceAccount:SERVICE_ACCOUNT_ID@your_project.iam.gserviceaccount.com" --role="roles/compute.instanceAdmin"

  4. Start the instance:

gcloud compute instances start instance-1 --zone us-central1-c

  5. SSH to the instance:

gcloud compute ssh instance-1 --zone us-central1-c

  6. Run the gcloud command:

gcloud compute instances list

Also read about the difference between IAM roles and OAuth scopes:

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.

Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth.

marian.vladoi
  • Thanks for this detailed answer. Correct me if I am wrong: IAM roles assign the permissions on service accounts, and OAuth scopes define the scopes to which they (meaning the service account) have access. If IAM instance admin is allowed on the service account but the scope is the default scope, then gcloud can't get the results, right? – AWS Learning Dec 02 '20 at 06:08
  • No, gcloud will get the results if IAM is allowed on the service account and the default scope. You can just restrict the service account with a scope. For example, only if I create a VM with the default Compute Engine service account will I be able to restrict the access with a scope. If I create a VM with a custom service account, then I can use only the default scope. – marian.vladoi Dec 02 '20 at 16:02
  • Also please read this [link](https://stackoverflow.com/questions/65103633/what-happens-when-re-authenticating-the-service-account-with-gcloud/65115204#65115204). – marian.vladoi Dec 02 '20 at 21:06
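Both answers above make the same point from different angles: a request sent from inside the VM uses the metadata-server token of the attached service account, and it must pass two separate gates, the instance's OAuth access scopes and the service account's IAM roles. The following Python model is an added example for this thread, not code from the question, either answer, or Google; it encodes that two-gate decision so the three situations discussed here (the asker's original setup, the setup after granting roles/compute.instanceAdmin, and a VM left on default scopes) can be compared side by side. The scope URIs and the default-scope list are real GCP values; the role-to-permission and permission-to-scope tables are a small constructed subset of the real ones; the service account email `vm-sa@dotted-hxxl-xxx.iam.gserviceaccount.com` is a constructed placeholder; and the error strings imitate the API's wording rather than being copied from a live response. In a real project the inputs would come from `gcloud compute instances describe INSTANCE --zone ZONE --format=json` (the `serviceAccounts[].email` and `serviceAccounts[].scopes` fields) and `gcloud projects get-iam-policy PROJECT --format=json` (the `bindings` list).

```python
"""Two-gate model of API authorization from inside a GCE VM (added example).

A call made with the VM's metadata-server token succeeds only if
  1. the instance's access scopes cover the API being called, and
  2. the attached service account holds an IAM role carrying the permission.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Real OAuth scope URIs.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
COMPUTE_RW = "https://www.googleapis.com/auth/compute"
COMPUTE_RO = "https://www.googleapis.com/auth/compute.readonly"
STORAGE_RO = "https://www.googleapis.com/auth/devstorage.read_only"

# Scopes a VM receives when created with "Allow default access" (no compute scope).
DEFAULT_SCOPES: FrozenSet[str] = frozenset({
    STORAGE_RO,
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append",
})

# Gate 1 table: which scopes satisfy the API behind each permission (constructed subset).
PERMISSION_SCOPES: Dict[str, Set[str]] = {
    "compute.zones.list": {CLOUD_PLATFORM, COMPUTE_RW, COMPUTE_RO},
    "compute.instances.list": {CLOUD_PLATFORM, COMPUTE_RW, COMPUTE_RO},
    "storage.objects.list": {CLOUD_PLATFORM, STORAGE_RO},
}

# Gate 2 table: permissions carried by each role (constructed subset of the real roles).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/compute.instanceAdmin": {"compute.zones.list", "compute.instances.list"},
    "roles/compute.viewer": {"compute.zones.list", "compute.instances.list"},
    "roles/storage.objectViewer": {"storage.objects.list"},
}


@dataclass
class Instance:
    name: str
    service_account: str          # attached SA email; "" means no SA attached
    scopes: FrozenSet[str]        # the instance's access scopes


@dataclass
class IamPolicy:
    # role -> members, mirroring the "bindings" list returned by get-iam-policy
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def add_binding(self, member: str, role: str) -> None:
        """Same effect as `gcloud projects add-iam-policy-binding`."""
        self.bindings.setdefault(role, set()).add(member)

    def permissions_of(self, member: str) -> Set[str]:
        """Union of the permissions of every role bound to the member."""
        perms: Set[str] = set()
        for role, members in self.bindings.items():
            if member in members:
                perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def authorize(vm: Instance, policy: IamPolicy, project: str, permission: str) -> Tuple[bool, str]:
    """Run one permission through both gates; messages imitate the API's wording."""
    if not vm.service_account:
        return False, "no service account attached: the metadata server issues no token"
    if not (vm.scopes & PERMISSION_SCOPES[permission]):           # gate 1: OAuth scope
        return False, "Request had insufficient authentication scopes."
    member = f"serviceAccount:{vm.service_account}"
    if permission not in policy.permissions_of(member):           # gate 2: IAM role
        return False, f"Required '{permission}' permission for 'projects/{project}'"
    return True, "OK"


def instances_list(vm: Instance, policy: IamPolicy, project: str) -> Tuple[bool, str]:
    """`gcloud compute instances list` enumerates zones before instances, which is
    why the question's error names compute.zones.list rather than instances.list."""
    for perm in ("compute.zones.list", "compute.instances.list"):
        ok, msg = authorize(vm, policy, project, perm)
        if not ok:
            return ok, msg
    return True, "OK"


if __name__ == "__main__":
    project = "dotted-hxxl-xxx"                                  # project id from the question
    sa = "vm-sa@dotted-hxxl-xxx.iam.gserviceaccount.com"         # constructed placeholder
    policy = IamPolicy()
    policy.add_binding(f"serviceAccount:{sa}", "roles/storage.objectViewer")
    vm = Instance("instance-1", sa, frozenset({COMPUTE_RW}) | DEFAULT_SCOPES)
    print("original setup:  ", instances_list(vm, policy, project))
    policy.add_binding(f"serviceAccount:{sa}", "roles/compute.instanceAdmin")
    print("after IAM grant: ", instances_list(vm, policy, project))
    print("default scopes:  ", instances_list(Instance("instance-2", sa, DEFAULT_SCOPES), policy, project))
```

Running the script reproduces the asker's situation first (Compute Engine read-write scope present, but the service account holds only a storage role, so gate 2 fails with the `compute.zones.list` message), then shows the same instance succeeding once the role from step 3 of the second answer is bound, and finally shows that the role alone is not enough when the instance was created with only the default scopes, which is the "access scopes potentially further limit access" caveat from the quoted documentation.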