Assigning scopes to a gcloud service account


You can use command like:

gcloud compute instances set-service-account <instance name> --service-account <service account> --scopes <comma separated scopes here, alias or full URI>

The command documentation here specifies the aliases as well as the full URIs available.

You can also use command like:

gcloud alpha compute instances set-scopes <instance name> --scopes <comma separated scopes, alias or full URI>

Documentation here

Scopes can be applied to the default service account & VM instances. Other service accounts (not default) are treated like user accounts, & so they do not use scopes like the default service account does. Non-default service accounts use IAM permissions like a user account does, so you will not be able to edit scopes, only IAM roles like a user account. If you are to use scopes in combination with a user account, both the machine & user account will need access to the API object in order to access it. More on the combination of scopes & service accounts here.
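The set-service-account command from the answer, wrapped in a small sh script that also reads back the scopes the instance actually reports and flags drift or an over-broad cloud-platform scope. This is an added example, not part of the original answer; the alias table covers only a subset of the aliases the gcloud documentation lists, and the instance, zone and service account values passed in are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. The alias table is a subset of
# the aliases documented for --scopes; instance/zone/account values are placeholders.

# Expand comma-separated scope aliases or full URIs into one URI per line.
expand_scopes() (
  IFS=','
  for s in $1; do
    case "$s" in
      https://*)        printf '%s\n' "$s" ;;
      storage-ro)       printf 'https://www.googleapis.com/auth/devstorage.read_only\n' ;;
      storage-rw)       printf 'https://www.googleapis.com/auth/devstorage.read_write\n' ;;
      logging-write)    printf 'https://www.googleapis.com/auth/logging.write\n' ;;
      monitoring-write) printf 'https://www.googleapis.com/auth/monitoring.write\n' ;;
      cloud-platform)   printf 'https://www.googleapis.com/auth/cloud-platform\n' ;;
      *) printf 'unknown scope alias: %s\n' "$s" >&2; exit 1 ;;
    esac
  done
)

# Compare the scopes the VM reports (semicolon-separated, as printed by
# --format='value(serviceAccounts[0].scopes)') with the intended list. Returns 1
# on drift; warns on cloud-platform, which lets the VM reach every API its IAM roles allow.
audit_scopes() {
  want=$(expand_scopes "$2") || return 1
  want=$(printf '%s\n' "$want" | sort)
  have=$(printf '%s\n' "$1" | tr ';' '\n' | sort)
  rc=0
  if [ "$want" != "$have" ]; then
    printf 'scope drift\n  wanted: %s\n  actual: %s\n' "$2" "$1" >&2
    rc=1
  fi
  case "$have" in
    *auth/cloud-platform*) printf 'warning: cloud-platform scope present\n' >&2 ;;
  esac
  return $rc
}

# Run the answer's set-service-account command (VM must be stopped) and verify.
apply_and_verify() {
  instance=$1; zone=$2; sa=$3; scopes=$4
  gcloud compute instances stop "$instance" --zone "$zone" --quiet
  gcloud compute instances set-service-account "$instance" --zone "$zone" \
    --service-account "$sa" --scopes "$scopes"
  gcloud compute instances start "$instance" --zone "$zone" --quiet
  actual=$(gcloud compute instances describe "$instance" --zone "$zone" \
    --format='value(serviceAccounts[0].scopes)')
  audit_scopes "$actual" "$scopes"
}
```

Run `apply_and_verify my-vm us-central1-a sa@project.iam.gserviceaccount.com storage-ro,logging-write` to apply and check in one step; `audit_scopes` alone works offline on a captured describe line, which is useful as a periodic drift check.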

Author: J. Williams

Updated on December 07, 2022

Comments

  • J. Williams
    J. Williams over 1 year

    I am trying to add an extra Service Account to a GCE instance (Google Cloud VM), so that the tools running there can switch between the default Service Account assigned to the VM by GCloud and another one that belongs to a different project. It is clear from the documentation how I can assign scopes to the default account (available in VM settings when it's powered off). But I cannot understand how I can set the scopes for the Service Account added manually:

    gcloud auth activate-service-account --key-file=myaccount.json
    

    Now the account appears in gcloud auth list, but it is unclear which scopes are assigned to it. Another way is to use gcloud auth application-default login which has --scopes parameter, but I understand it is not possible to use with service accounts.

    Google Cloud documentation tells me to

    create a service account with the appropriate scopes using the Google Cloud Platform Console

    but I can't find any option to add Scopes to a Service Account, only Roles which is possible via IAM. Does anyone know how I can assign scopes to my custom Service Account?

    • John Hanley
      John Hanley over 5 years
      Are you trying to change the service account assigned to a Compute Engine instance when launched, OR are you trying to use a custom service account in your software after the VM instance has launched? Scopes are assigned to the default service account assigned to a Compute Engine instance. For custom service accounts, you use Roles.
  • J. Williams
    J. Williams over 5 years
    Thanks, this sounds promising! Could you please point me to where exactly the "Security" page is? I tried to find it, but the only one I found that looks like you described is a GSuite admin page at support.google.com/a/answer/162106. Unfortunately I don't have a GSuite account.