
I have created a dedicated GCP project with images I want to share with people from other organizations. I gave those people a custom role on the whole project with the following permissions:

compute.images.get
compute.images.getFromFamily
compute.images.list
compute.images.useReadOnly
resourcemanager.projects.get
serviceusage.services.get
serviceusage.services.list

But people have reported that they are getting the following error:

instance creation failed: Required 'compute.images.useReadOnly' permissions for <specific image>

I don't understand why they need that permission on the specific image when they have it on all the images of the project.

What am I missing?

  • I could imagine: * You are using machine images, not (disk) images. Machine images do not contain the disk images IIRC. * The error message may be incomplete and your organization may have policies against it. Could go to Cloud Console -> IAM -> Organization Policies and filter for “trusted image” so you see if you need to use trusted images? – Thorsten Staerk Nov 28 '21 at 08:44

2 Answers


Found the issue, it appears the GCP console made the operation when acting as a service account and not as the user itself. That service account didn't have the attached role.


To fix this issue, grant access for the service account wanting to use the custom image per the instructions here:

https://cloud.google.com/compute/docs/images/managing-access-custom-images
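As an added example (not code from either answer or from Google), here is a small offline model of project-level IAM bindings that reproduces the situation described in the thread: the human user holds the custom role, but the service account the console acts as does not, so the `compute.images.useReadOnly` check fails for it until the same role is bound to that principal. The project id, role id, user and service-account names are constructed; the permission list is the one from the question.

```python
import copy

# Constructed role id; the permission set is the custom role from the question.
CUSTOM_ROLE = "projects/image-share-proj/roles/imageConsumer"
ROLE_PERMISSIONS = {
    CUSTOM_ROLE: {
        "compute.images.get", "compute.images.getFromFamily", "compute.images.list",
        "compute.images.useReadOnly", "resourcemanager.projects.get",
        "serviceusage.services.get", "serviceusage.services.list",
    },
}

# Constructed policy, shaped like the `bindings` list returned by
# `gcloud projects get-iam-policy`: only the user was granted the role.
PROJECT_POLICY = {"bindings": [{"role": CUSTOM_ROLE, "members": ["user:alice@example.org"]}]}

# Constructed name for the service account that actually performs the instance creation.
CONSOLE_SERVICE_ACCOUNT = "serviceAccount:vm-builder@consumer-proj.iam.gserviceaccount.com"

# Permission the error message in the question reports as missing.
REQUIRED_FOR_INSTANCE_CREATE = ["compute.images.useReadOnly"]


def effective_permissions(policy, roles, member):
    """Union of permissions from every binding in which `member` appears."""
    perms = set()
    for binding in policy["bindings"]:
        if member in binding["members"]:
            perms |= roles.get(binding["role"], set())
    return perms


def missing_permissions(policy, roles, member, required):
    """Required permissions the member does not hold; empty list means the check passes."""
    return sorted(set(required) - effective_permissions(policy, roles, member))


def grant_role(policy, role, member):
    """Return a copy of the policy with `member` added to the binding for `role`
    (same effect as `gcloud projects add-iam-policy-binding`)."""
    fixed = copy.deepcopy(policy)
    for binding in fixed["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return fixed
    fixed["bindings"].append({"role": role, "members": [member]})
    return fixed


def gcloud_binding_command(project_id, role, member):
    """The gcloud invocation that applies the fix to the image project."""
    return f"gcloud projects add-iam-policy-binding {project_id} --member={member} --role={role}"
```

The fix in the second answer corresponds to `grant_role`: bind the role to the service account that runs the instance creation, not only to the person clicking in the console.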