
I am new to the Google Cloud Platform Deployment Manager and I am trying to deploy an instance that has the service account attached along with the necessary APIs that I need. My code to attach the service account along with the APIs within the instance template is as follows:

     - email: <[email protected]>
       scopes:
       - https://www.googleapis.com/auth/cloud-platform
       - https://www.googleapis.com/auth/compute
       - https://www.googleapis.com/auth/servicecontrol
       - https://www.googleapis.com/auth/service.management.readonly
       - https://www.googleapis.com/auth/logging.write
       - https://www.googleapis.com/auth/monitoring.write
       - https://www.googleapis.com/auth/trace.append
       - https://www.googleapis.com/auth/devstorage.read_write

After executing the code to deploy my instance I run into the following error message:

- code: RESOURCE_ERROR
  location: /deployments/gcpnetwork/resources/instance name
  message: "{\"ResourceType\":\"compute.v1.instance\",\"ResourceErrorCode\":\"SERVICE_ACCOUNT_ACCESS_DENIED\"\
    ,\"ResourceErrorMessage\":\"The user does not have access to service account '<[email protected]>'.\
    \  User: '[email protected]'.  Ask a project owner\
    \ to grant you the iam.serviceAccountUser role on the service account\"}"

I have assigned the appropriate permissions for both Service Account and Service Account User under the IAM & Admin console with no luck. I am also the project owner and have full access to all GCP resources. Is there anything that I am missing or doing wrong? I also tried to impersonate the service account but it is still not working; please help clarify this.

  • One additional item. Your question lists scopes. Scopes do NOT grant permission, they are used to limit permissions assigned to a Compute instance. The roles assigned to the service account are the starting set of permissions. You are limiting those permissions to the equivalent permissions in the specified scopes. Instead grant the required permissions to the service account. Then use the scope cloud-platform for the instance. Legacy roles such as Owner and permissions such as Compute Engine Scopes are the old way before IAM was developed. You are incorrectly mixing them together. Commented Feb 10, 2021 at 1:53

2 Answers


The identity that you are using to create the instance does not have the role roles/iam.serviceAccountUser. This role is required to create and manage instances that use a service account.

The serviceAccountUser role

  • I have looked at the Google docs and followed your recommendation but it still fails. I added the two roles for the default service account and the Cloud API service but it is still giving the service account access denied. Just to clarify, I added the roles from the IAM console and also created a custom role and added it directly to the service account; my problem is the how of how to go about it. Commented Feb 9, 2021 at 10:03
  • @ElisiusLegodi The error message in your question is very specific. This means you are not applying roles to the correct identity. Use the CLI and list the roles assigned to the service account. Post those details in your question. Note: Owner is a legacy role and does NOT have all permissions. Commented Feb 9, 2021 at 19:22
  • I ran the below code for both the service account and cloud service account to see the permissions attached to each account. Maybe you can help me in identifying which permissions need to be added or removed. gcloud projects get-iam-policy project-id \ --flatten="bindings[].members" \ --format='table(bindings.role)' \ --filter="bindings.members:*******[email protected]" The output: ROLE roles/compute.admin roles/owner roles/storage.admin Commented Feb 18, 2021 at 11:05
  • The output for the cloud service account is: ROLE roles/compute.admin roles/compute.imageUser roles/compute.instanceAdmin.v1 roles/compute.networkAdmin roles/compute.osAdminLogin roles/editor roles/iam.serviceAccountTokenCreator roles/iam.serviceAccountUser roles/servicebroker.admin roles/storage.admin Commented Feb 18, 2021 at 11:08
  • The error message specifies the name of the service account that is missing the required role. That service account is missing the role in the project that you are running deployment manager. Put those details in your question not as comments. Add an "UPDATE" section near the end. Remember two items. The project and the role. Since you are masking the service account email (which is not required) I cannot tell which is which. Commented Feb 18, 2021 at 16:34
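The comments above turn on one question: does the identity that runs the deployment hold roles/iam.serviceAccountUser on the service account being attached, either bound on the service account's own IAM policy or on the project that owns it? The following is an added example, not code from the question or either answer. It models that check over two constructed policy documents in the JSON shape printed by `gcloud iam service-accounts get-iam-policy SA --format=json` and `gcloud projects get-iam-policy PROJECT --format=json`; every account name, project id and etag in them is a placeholder.

```python
"""Check whether a deploying identity may act as a service account.

Constructed sample data: the two policy documents below are placeholders in
the JSON shape returned by the gcloud get-iam-policy commands.
"""
import json

SERVICE_ACCOUNT_USER = "roles/iam.serviceAccountUser"

# Constructed sample: the IAM policy of the service account being attached.
SA_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:[email protected]"]}
  ],
  "etag": "BwXPLACEHOLDER=",
  "version": 1
}"""

# Constructed sample: the project-level IAM policy. roles/owner is a legacy
# basic role and, as the comments above note, does not imply serviceAccountUser.
PROJECT_POLICY_JSON = """{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:[email protected]"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:[email protected]"]}
  ],
  "etag": "BwYPLACEHOLDER=",
  "version": 1
}"""


def members_with_role(policy, role):
    """Return every member bound to `role` in an IAM policy document."""
    return {member
            for binding in policy.get("bindings", [])
            if binding.get("role") == role
            for member in binding.get("members", [])}


def can_act_as(member, sa_policy, project_policy):
    """Report whether `member` holds serviceAccountUser, and where.

    Deployment Manager reports SERVICE_ACCOUNT_ACCESS_DENIED when `allowed`
    is False for the identity running the deployment.
    """
    on_sa = member in members_with_role(sa_policy, SERVICE_ACCOUNT_USER)
    on_project = member in members_with_role(project_policy, SERVICE_ACCOUNT_USER)
    return {"member": member,
            "on_service_account": on_sa,
            "on_project": on_project,
            "allowed": on_sa or on_project}


def grant_command(member, sa_email):
    """Least-privilege fix: bind the role on the one service account rather
    than project-wide. The gcloud command is real; member and sa_email are
    supplied by the caller."""
    return ("gcloud iam service-accounts add-iam-policy-binding {sa} "
            "--member={member} --role={role}").format(
                sa=sa_email, member=member, role=SERVICE_ACCOUNT_USER)


def check_sample(member):
    """Run the check against the embedded constructed policies."""
    return can_act_as(member,
                      json.loads(SA_POLICY_JSON),
                      json.loads(PROJECT_POLICY_JSON))


if __name__ == "__main__":
    for who in ("user:[email protected]",
                "serviceAccount:[email protected]"):
        report = check_sample(who)
        print(report)
        if not report["allowed"]:
            print("  fix:", grant_command(who, "[email protected]"))
```

The check is deliberately per member: the role has to sit on the identity that runs `gcloud deployment-manager`, and a binding on the project only counts if it is the project that owns the service account, which is the mismatch the last comment asks the asker to pin down.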

I managed to find a way around the problem without going through the IAM user role as the error was suggesting. The error was caused by trying to attach the service account directly within the Deployment Manager's instance template. This causes the Deployment Manager to think you are trying to create a new service account when the instance is deployed, which was not the case, since I was trying to use the default service account within the existing project. So attaching the service account email directly this way:

 - email: <[email protected]>
   scopes:
   - https://www.googleapis.com/auth/cloud-platform
   - https://www.googleapis.com/auth/compute
   - https://www.googleapis.com/auth/servicecontrol
   - https://www.googleapis.com/auth/service.management.readonly
   - https://www.googleapis.com/auth/logging.write
   - https://www.googleapis.com/auth/monitoring.write
   - https://www.googleapis.com/auth/trace.append
   - https://www.googleapis.com/auth/devstorage.read_write

causes an error. The workaround was using the value email: default along with the scope list to solve the issue:

 - email: default
   scopes:
   - https://www.googleapis.com/auth/cloud-platform
   - https://www.googleapis.com/auth/compute
   - https://www.googleapis.com/auth/servicecontrol
   - https://www.googleapis.com/auth/service.management.readonly
   - https://www.googleapis.com/auth/logging.write
   - https://www.googleapis.com/auth/monitoring.write
   - https://www.googleapis.com/auth/trace.append
   - https://www.googleapis.com/auth/devstorage.read_write

This allows the Deployment Manager to choose the default service account within the existing project. Also note that having the scope - https://www.googleapis.com/auth/cloud-platform within the scope list gives you access to all instance APIs. So removing - https://www.googleapis.com/auth/cloud-platform from the scope list and using it this way:

 - email: default
   scopes:
   - https://www.googleapis.com/auth/compute
   - https://www.googleapis.com/auth/servicecontrol
   - https://www.googleapis.com/auth/service.management.readonly
   - https://www.googleapis.com/auth/logging.write
   - https://www.googleapis.com/auth/monitoring.write
   - https://www.googleapis.com/auth/trace.append
   - https://www.googleapis.com/auth/devstorage.read_write

was what I needed since I did not want access to all the instance APIs. But if you want access to all instance APIs, you only need to specify the default value with the cloud-platform scope this way:

 - email: default
   scopes:
   - https://www.googleapis.com/auth/cloud-platform

I hope this is clear enough and helps anyone who comes across the same issue.

  • I don't understand how you clarify here. When you set it to default, the "<your-account>@cloudservices.gserviceaccount.com" is set as your Service account and NOT your custom service account. How does that resolve your issue?
    – Vaishnav
    Commented Sep 22, 2022 at 10:21
  • Alright, so you were trying to set the default SA itself. I have the same issue but here I am trying to set a new Service Account I have created. I did not find a workaround. I don't want the API agent to be set as SA for the instance
    – Vaishnav
    Commented Sep 22, 2022 at 10:24
